Hacker News new | ask | show | jobs
by jffry 4542 days ago
Or serve the untrusted content from a sub-subdomain, e.g. "foo.bar.CDN_HOST.com", so that you could only bomb bar.CND_HOST.com and not the entire domain
1 comments
mavhc 4542 days ago
You'd think a higher level domain should be able to specify whether a subdomain can set cookies for it or not.
link
jffry 4542 days ago
That would be nice, but it would have a lot of ramifications. Before setting the cookie, the browser would need to know if it's allowed, so presumably it would have to load some file. Perhaps this could be done in a manner similar to CORS requests
link
homakov 4542 days ago
Content-Security-Policy: can-set-cookies: no!

BTW if JS is of we can use <meta http-equiv Set Cookie>

link
twic 4541 days ago
It might be better to allow:

Content-Security-Policy: can-set-cookies-for-parent-domain: no!

There's no harm in letting haxx0r.blogspot.com set cookies for haxx0r.blogspot.com. It's only cookies for blogspot.com that should be restricted.

link
jffry 4542 days ago
Well OK then.
link