
shibboleth-dev - Re: [Shib-Dev] Frames/cookies question

Subject: Shibboleth Developers

  • From: Paul Hethmon
  • To: Shibboleth Dev
  • Subject: Re: [Shib-Dev] Frames/cookies question
  • Date: Mon, 07 Dec 2009 14:01:58 -0500

On 12/7/09 1:44 PM, "Scott Cantor" wrote:

> I suspect it is (and I'm working on a test case), but by the same logic so
> should a frame inside a page. I'm not talking about a frame trying to do
> anything with the frameset or another frame, simply a frame that wants to
> access its own cookies.

This is one area where I like IE better since you can set the P3P header and
get around this. I have a filter to set that header in my standard Tomcat
build now.

> By definition, if we're saying that we can loophole the cookie limitations
> in frames using Javascript, then any of the client justifications for
> blocking the cookies with the frame would apply to Javascript.

Agreed. Though it's tempting to try and exploit this loophole. Right now, I
know that if my login servlet can't figure out which SP the request came
from, either the user bookmarked or I'm being framed. I've resorted to
checking for frames and redirecting the user to the main SP resource if I'm
framed since by that time, I've lost any AuthnRequest info.

-----
Paul Hethmon
Chief Software Architect
Clareity Security, LLC
865.824.1350 - office
865.250.3517 - mobile
www.clareitysecurity.com
-----

God does not play dice with the universe; He plays an ineffable game of his
own devising, which might be compared, from the perspective of any of the
other players, to being involved in an obscure and complex version of poker
in a pitch dark room, with blank cards, for infinite stakes, with a dealer
who won't tell you the rules, and who smiles all the time.

-- Terry Pratchett, Good Omens




