by esailija
4709 days ago
The cookie scenario is not really practical, since you can prevent JavaScript from reading cookies with HttpOnly, and I could bet a lot that Google uses HttpOnly cookies where it matters. The real threats I imagine are the social engineering it enables or running code on users' machines through browser plugin vulnerabilities. Also, running signed Java with a fake certificate is just a dialog confirmation from the user. But I agree on your other point.