The other day I discovered that iexplorer is not accepting cookies from an iframe unless the iframe provides P3P authorization. At first, I was like "WTF?", but today I was wondering about the bad things that could happen.
For example, I have a website named herp.com, where you can delete a product with http://herp.com/product/111/delete (I know this is a bad practice, GET should be idempotent). Then a malicious webmaster creates a web in http://derp.com with an iframe to http://herp.com/product/111/delete, so... if I, as a logged-in user in herp.com, open derp.com with my browser... will I delete the product 111?
What other issues should I be afraid of?
Thanks in advance.
You should be more afraid of your http GET causing a delete. The scenario you are describing is not much different than throwing a redirect on a page from derp.com to herp.com/product/111/delete. In either scenario, the user will unknowingly load herp.com, and the browser will automatically supply any cookies for that site.
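The scenario in the question and the answer's point about the GET itself being the problem, as an added example that is not part of either post: a cookie-authenticated delete handler that acts on any GET, beside a hardened version that accepts only POST with a session-bound anti-CSRF token and rejects a foreign Origin. herp.com, derp.com, the session store, the product table and the request dictionaries are all constructed here for illustration; they are not from the original thread.

```python
"""Cross-site request forgery via a cookie-authenticated GET, beside a hardened
handler. Everything below (hosts, sessions, products, requests) is constructed."""
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)     # server-side secret (constructed)
SESSIONS = {"sess-abc": "alice"}         # cookie value -> user (constructed)
SITE_ORIGIN = "https://herp.com"         # the site's own origin (constructed)


def fresh_store():
    """Return a fresh copy of the constructed product table."""
    return {111: "widget"}


def csrf_token(session_id):
    """Token bound to the session. derp.com can make the browser *send* the
    cookie, but it can never *read* this value, so it cannot include it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def delete_vulnerable(req, products):
    """herp.com/product/<id>/delete as described in the question: any request
    carrying a valid session cookie deletes, whatever its method or origin."""
    if SESSIONS.get(req["cookies"].get("session")) is None:
        return 401
    products.pop(req["product_id"], None)
    return 200


def delete_hardened(req, products):
    """Same action made CSRF-resistant: POST only, Origin check, token check."""
    session_id = req["cookies"].get("session")
    if SESSIONS.get(session_id) is None:
        return 401
    if req["method"] != "POST":
        return 405                       # a GET can never change state
    origin = req["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403                       # browser says this came from elsewhere
    token = req.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return 403                       # missing or forged token
    products.pop(req["product_id"], None)
    return 200


def forged_request():
    """What the browser sends when derp.com embeds
    <iframe src="http://herp.com/product/111/delete">: a GET, the victim's
    cookie attached automatically, no token, no Origin header on a plain GET."""
    return {"method": "GET", "product_id": 111,
            "cookies": {"session": "sess-abc"}, "headers": {}, "form": {}}


def legitimate_request():
    """A delete submitted from herp.com's own page: POST, same-origin, token."""
    session_id = "sess-abc"
    return {"method": "POST", "product_id": 111,
            "cookies": {"session": session_id},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"csrf_token": csrf_token(session_id)}}


def run_scenarios():
    """Run forged and legitimate requests against both handlers.
    Returns {scenario: (status, product_111_still_present)}."""
    out = {}
    for name, handler in (("vulnerable", delete_vulnerable),
                          ("hardened", delete_hardened)):
        for kind, req in (("forged", forged_request()),
                          ("legit", legitimate_request())):
            products = fresh_store()
            status = handler(req, products)
            out[f"{name}_{kind}"] = (status, 111 in products)
    return out


if __name__ == "__main__":
    for scenario, (status, still_there) in run_scenarios().items():
        print(f"{scenario:18s} status={status} product_111_present={still_there}")
```

The vulnerable handler deletes product 111 on the forged GET because the cookie is the only thing it checks, which is exactly why a redirect or an iframe from derp.com is enough. The hardened handler fails the forged request on the method check alone; even a forged POST (for example from an auto-submitted form on derp.com) fails the token check, because the token is derived from the session and never visible to the attacking page. Marking the session cookie `SameSite=Lax` or `Strict` is a complementary browser-side control that stops the cookie from being attached to such cross-site subrequests in the first place.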