Google Security Cookies; Prevents cookie leak to malicious XHRs

Below is an excerpt from https://policies.google.com/technologies/cookies#security

The ‘pm_sess’, ‘YSC’ and ‘AEC’ cookies ensure that requests within a browsing session are made by the user, and not by other sites. These cookies prevent malicious sites from acting on behalf of a user without that user’s knowledge.

Can you please explain how (technically) the use case described by the above excerpt is implemented? For example, when hostile JS makes an API call to Google on behalf of the logged-in user (1. from within a Google-domain web page and 2. from another domain), are the session cookies not sent to Google along with the API call (which was not made by the user), in the context of the above excerpt?
http://dlvr.it/ShyVyZ
