On Fri, Jun 12, 2015 at 03:43:11PM -0400, Jonathan Billings wrote:
> It's technically true, however, XSS attacks can get around that
> restriction, which is why you saw so much malware posted on a site
> like googleusercontent.com. Sites that allow users to upload content
> are always being used to host malware for XSS attacks. But you still
> need to be visiting a site with the same domain as the cookie, and
> load a compromised page. Plus, if you use HttpOnly cookies, you
> have to go through even more complex XSS exploits to get at the
> cookie, since they aren't accessible through the DOM model.

I should add that the exploits are constantly being addressed by both
Web Browser developers as well as developers of extensions like
NoScript. It's an arms race.

--
Jonathan Billings <billings@xxxxxxxxxx>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
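
Added example, not part of the original message: a simplified Node.js model of the two points in the thread, that script only sees cookies whose domain matches the page and that HttpOnly cookies are withheld from document.cookie while still being sent on requests. Hostnames, cookie values and function names are constructed for illustration; Path, Secure, SameSite, expiry and public-suffix rules are ignored.

```javascript
// Simplified cookie model (assumption: only Domain and HttpOnly are handled).

// True when a cookie applies to `host`: exact match, or a subdomain
// of the cookie's Domain when a Domain attribute was given.
function domainMatches(host, cookie) {
  host = host.toLowerCase();
  if (host === cookie.domain) return true;
  return !cookie.hostOnly && host.endsWith("." + cookie.domain);
}

// Parse one Set-Cookie header value received from `originHost`.
// Returns null when the header is malformed or names a foreign domain.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: originHost.toLowerCase(), hostOnly: true, httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    if (k.toLowerCase() === "httponly") cookie.httpOnly = true;
    if (k.toLowerCase() === "domain" && v) {
      cookie.domain = v.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    }
  }
  // A server may only set cookies for its own host or a parent of it.
  return domainMatches(originHost, cookie) ? cookie : null;
}

// What document.cookie would expose to script on a page served from `pageHost`.
function scriptVisibleCookies(jar, pageHost) {
  return jar.filter((c) => domainMatches(pageHost, c) && !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`).join("; ");
}

// What the browser attaches to a request to `host` (HttpOnly cookies included).
function requestCookieHeader(jar, host) {
  return jar.filter((c) => domainMatches(host, c))
    .map((c) => `${c.name}=${c.value}`).join("; ");
}

// Constructed sample headers; the last one is rejected (foreign domain).
const jar = [
  parseSetCookie("session=abc123; Domain=example.test; HttpOnly", "app.example.test"),
  parseSetCookie("theme=dark; Domain=example.test", "app.example.test"),
  parseSetCookie("draft=42", "app.example.test"),
  parseSetCookie("session=zzz; Domain=example.test", "other.test"),
].filter(Boolean);

console.log(scriptVisibleCookies(jar, "app.example.test"));
console.log(scriptVisibleCookies(jar, "uploads.example.test"));
console.log(requestCookieHeader(jar, "app.example.test"));
```

In this model a page on the sibling host uploads.example.test still reads the Domain-scoped theme cookie, while the HttpOnly session cookie is absent from every script-visible result and appears only in the request header.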