Cross Site Cooking
Liudvikas Bukys writes "Michal Zalewski identifies a new class of attacks on users of web applications, dubbed Cross Site Cooking.
Various browsers' implementations of restrictions on where cookies come from and where they're sent are weaker than you think. Web applications that depend on the browser enforcing much will offer many opportunities for mischief."
Good God.
We don't have Trusted Computing, and hopefully we never will. Everything sent by the client can be modified, tampered with, or stuffed with bogus data. Trust no-one. Verify everything. And don't store anything client-side other than a randomly generated number that tells you who to look up in your server-side database.
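The advice in the comment above, written out as a worked example (added here; it is not code from the page, the submitter or the commenter): a cookie that carries the user's identity directly is compared with one that carries only an opaque random session ID resolved against server-side state. The names (SessionStore, current_user, login), the in-memory store and the sample Cookie headers are all assumptions made for illustration. The one caveat it adds, which matters precisely because other sites may be able to plant cookies for your domain, is that a session ID the server did not issue is ignored rather than adopted, and login always mints a fresh one.

```python
import secrets
import time
from http.cookies import SimpleCookie


def parse_cookie_header(header):
    """Parse a raw Cookie: request header into a name -> value dict.

    Everything in here came from the client, so nothing is trusted yet.
    """
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def current_user_trusting(cookie_header):
    """Insecure pattern: the user's identity is read straight out of a cookie.

    Any client (or any site that can plant a cookie for this domain) can
    rewrite 'user=alice' to 'user=admin' and be believed.
    """
    return parse_cookie_header(cookie_header).get("user")


class SessionStore:
    """Server-side session state keyed by an opaque random identifier.

    The browser only ever holds the identifier; the identity and everything
    else live here, where the client cannot edit them.  (Hypothetical
    in-memory store; a real deployment would use a shared backend.)
    """

    def __init__(self, ttl_seconds=3600):
        self._sessions = {}  # sid -> {"user": str, "expires": float}
        self.ttl_seconds = ttl_seconds

    def create(self, user):
        # 32 bytes from the OS CSPRNG, URL-safe base64 encoded (43 characters).
        # Never derived from the username or from anything the client sent.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": time.time() + self.ttl_seconds}
        return sid

    def lookup(self, sid):
        """Return the user bound to sid, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] < time.time():
            del self._sessions[sid]
            return None
        return entry["user"]


def current_user(store, cookie_header):
    """Hardened pattern: the cookie is only a lookup key into server state.

    A sid the server never issued (for example one planted in the victim's
    browser from another site) simply fails the lookup; it is not adopted.
    """
    sid = parse_cookie_header(cookie_header).get("sid")
    if sid is None:
        return None
    return store.lookup(sid)


def login(store, user):
    """Issue a brand-new sid on login; never reuse one the client presented.

    Reusing a client-presented sid would let whoever planted it share the
    victim's session as soon as the victim authenticates.
    """
    return store.create(user)


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    print(current_user_trusting("user=admin; theme=dark"))  # believed blindly

    store = SessionStore()
    print(current_user(store, "sid=attacker-chosen-value"))  # None: never issued
    sid = login(store, "alice")
    print(current_user(store, "sid=" + sid))  # alice
```

The only client-side state is the value returned by `login`; everything the application decides about the request comes from `SessionStore.lookup`, so tampering with the cookie can at worst log the user out.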