Hacker News

The only hole I can see here is that Chrome extensions can read HTTP-only cookies. What are your thoughts on this?



First, some Chrome extensions might legitimately need this. But even if they were disallowed -

The guy had physical access to a running Chrome capable of sending those cookies, and the ability to install an extension. This basically means no software policy was going to stop him.



