Cookies can be set for a top-level domain

2013-04-04T00:00:00
ID OPERA:1047
Type opera
Reporter Opera
Modified 2013-04-04T00:00:00

Description

Browsers should only allow a website to set cookies for its own domain (or a parent domain of it, never a public suffix). In some specific cases Opera does not apply this restriction correctly and allows a website to set a cookie for its entire top-level domain (a public suffix such as .com or .co.uk). The browser then sends that cookie to every other site under the same top-level domain, so a malicious site only has to redirect the user to a target site in the same top-level domain for that site to receive the attacker's cookie. If the target site mistakes the cookie for one it issued itself and reuses it for authentication without modification (a session-fixation scenario), the user's account on that site could be compromised.
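The following is an added example, not Opera's code or part of the advisory: a minimal cookie jar that applies the Domain-attribute checks a browser must perform when storing a cookie (RFC 6265 section 5.3, plus rejection of public suffixes), with an optional switch that reproduces the faulty behaviour described above so the effect on other hosts under the same suffix can be observed. The public suffix list, the host names (attacker.com, bank.com) and the cookie values are constructed for the example; a real browser consults the full Public Suffix List.

```javascript
// Added example (not Opera's code): a minimal cookie jar that applies the
// Domain-attribute checks a browser must make when storing a cookie,
// following RFC 6265 section 5.3, and an optional "buggy" mode that
// reproduces the behaviour described in the advisory. PUBLIC_SUFFIXES is
// a constructed sample; a real browser uses the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "uk", "co.uk"]);

// RFC 6265 section 5.1.3: host domain-matches domain if they are equal or
// host ends with "." + domain (IP-address hosts are ignored for brevity).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Parse "name=value; Attr=val; Flag" into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(";").map((s) => s.trim());
  const eq = parts[0].indexOf("=");
  if (eq < 0) return null; // a cookie needs a name=value pair
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? "" : p.slice(i + 1).trim();
  }
  return cookie;
}

// Store a cookie received from requestHost. Returns true if it was stored.
// allowPublicSuffix = true reproduces the advisory's faulty behaviour.
function storeCookie(jar, requestHost, header, { allowPublicSuffix = false } = {}) {
  const c = parseSetCookie(header);
  if (!c) return false;
  let domain = requestHost.toLowerCase();
  let hostOnly = true;
  if (c.attrs.domain) {
    domain = c.attrs.domain.replace(/^\./, "").toLowerCase();
    // The setting host must itself lie within the requested domain...
    if (!domainMatches(requestHost, domain)) return false;
    // ...and the domain must not be a public suffix such as "com" or "co.uk".
    if (PUBLIC_SUFFIXES.has(domain) && !allowPublicSuffix) return false;
    hostOnly = false;
  }
  // Replace an existing cookie with the same name and domain, else append.
  const entry = { name: c.name, value: c.value, domain, hostOnly };
  const idx = jar.findIndex((e) => e.name === c.name && e.domain === domain);
  if (idx >= 0) jar[idx] = entry;
  else jar.push(entry);
  return true;
}

// Cookies the jar would attach to a request to host, as "name=value".
function cookiesFor(jar, host) {
  return jar
    .filter((e) => (e.hostOnly ? e.domain === host.toLowerCase() : domainMatches(host, e.domain)))
    .map((e) => `${e.name}=${e.value}`);
}

// Walk through the advisory's scenario with both behaviours.
function demo() {
  const attack = "session=attacker-chosen; Domain=.com; Path=/";
  const hardened = [];
  const buggy = [];
  const hardenedAccepted = storeCookie(hardened, "attacker.com", attack);
  const buggyAccepted = storeCookie(buggy, "attacker.com", attack, { allowPublicSuffix: true });
  // A legitimate parent-domain cookie is still accepted by the hardened jar.
  const legitAccepted = storeCookie(hardened, "www.bank.com", "session=issued-by-bank; Domain=bank.com");
  // Setting a cookie for an unrelated domain is rejected either way.
  const crossAccepted = storeCookie(hardened, "attacker.com", "session=x; Domain=bank.com");
  return {
    hardenedAccepted, // false: Domain=.com names a public suffix
    buggyAccepted, // true: the faulty behaviour
    legitAccepted, // true
    crossAccepted, // false
    sentToBankBuggy: cookiesFor(buggy, "bank.com"), // ["session=attacker-chosen"]
    sentToBankHardened: cookiesFor(hardened, "login.bank.com"), // ["session=issued-by-bank"]
    sentToOtherHardened: cookiesFor(hardened, "other.com"), // []
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the buggy mode the attacker's cookie is attached to the request to bank.com, which is the condition the advisory describes. Note that the account compromise it mentions also requires the receiving site to honour a session identifier it did not issue; a site that only accepts session IDs it created server-side and regenerates the ID at login is not compromised by the stray cookie, which is the server-side mitigation independent of the browser fix.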