
Same goes for session cookies and the 'good thing' about session cookies is that an XSS attack should work anywhere on the domain, rather than just the login page (assuming it's not a website with a login form on each page).



michaelmior is completely right.

You don't need XSS on the login page. You can have XSS on any page and open an iframe/window with the login and then steal via same origin.


Ok, fair point, but even so - it's still not as much of a concern as other XSS and auto-complete vulnerabilities.


XSS is OK. CSRF is OK. Losing my real password is the worst thing to happen.



