Review Videos for Lecture 13: Intro to Web + Cookies

Intro to Web


Where are the arguments for a GET request placed? What about the arguments for a POST request?

Webpage Elements

(True/False) The web server sends HTML, CSS, and JavaScript to the browser using HTTP.

Webpage Rendering


(True/False) JavaScript code is executed on the web server.


Is there an example of a frame anywhere on this webpage? What does frame isolation mean for the frame(s) on this webpage?

Intro to Web Security

Does TLS/HTTPS guarantee confidentiality and integrity of your computer or your information on other websites?

Same-Origin Policy

(True/False) Suppose loads a child frame. Under the same-origin policy, the parent frame can modify the contents of the child frame.

Intro to Cookies

Why do we need cookies to maintain state across multiple HTTP requests?

Viewing Cookies

What stateful information might the cookies on be storing?

Why do we need to define domain and path scopes for each cookie, instead of sending every cookie in the browser on every request?

Note: These videos cover cookie scope/cookie policy in more detail than you need to know for this semester.

Why might we want to let set a cookie for

Scope for Sending Cookies

If Cookie 1’s path were changed to /user, which of the three domains would it be sent to?

Examples of Setting and Sending Cookies

Modifying Cookies in Browser

Bypassing Same-Origin Policy with Cookies

What difference between the same-origin policy and cookie policy causes this vulnerability?

(Fill in the blanks: Same-origin policy thinks that and are controlled by ___ (the same/different) organization(s) because ___, but cookie policy thinks they are controlled by ___ (the same/different) organization(s) because ___.)
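The cookie-scope questions above (domain and path scope, which cookies get sent, who may set a cookie for which domain) and the same-origin-policy-versus-cookie-policy question, as an added worked example that is not part of the course materials: a small JavaScript model of both policies. The hostnames, the cookie jar, and the function names (`sameOrigin`, `domainMatches`, `pathMatches`, `canSetDomain`, `cookiesFor`) are constructed for illustration; the model simplifies real browser behaviour (for instance, it omits the public-suffix check that stops a page from setting Domain=com).

```javascript
// Added example (not from the course page): a simplified model of the two
// policies the lecture contrasts. Hostnames and cookies are constructed.

// Split a URL into the parts the two policies look at.
function parts(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.slice(0, -1);
  return {
    scheme,
    host: u.hostname,
    port: u.port || (scheme === "https" ? "443" : "80"), // fill in default ports
    path: u.pathname,
  };
}

// Same-origin policy: two URLs share an origin only if scheme, host and port
// all match exactly. http:// and https:// of the same host are different origins.
function sameOrigin(a, b) {
  const x = parts(a), y = parts(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Cookie domain scope: Domain=example.com matches example.com and every
// subdomain such as shop.example.com, regardless of scheme or port.
function domainMatches(cookieDomain, host) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Cookie path scope (RFC 6265 path-match rules): Path=/user matches /user and
// /user/..., but not /username.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath[cookiePath.length] === "/";
}

// Simplified rule for which Domain a page may set: its own host or a parent
// domain of it. (Real browsers also refuse public suffixes like "com".)
function canSetDomain(settingHost, cookieDomain) {
  return domainMatches(cookieDomain, settingHost);
}

// Which cookie names the browser attaches to a request: the domain and path
// scopes must both match, and a Secure cookie is only sent over https.
function cookiesFor(jar, urlString) {
  const { scheme, host, path } = parts(urlString);
  return jar
    .filter(c => domainMatches(c.domain, host))
    .filter(c => pathMatches(c.path, path))
    .filter(c => !c.secure || scheme === "https")
    .map(c => c.name);
}

// Constructed cookie jar for the demonstrations below.
const jar = [
  { name: "session", domain: "example.com",      path: "/",     secure: true  },
  { name: "prefs",   domain: "example.com",      path: "/user", secure: false },
  { name: "cart",    domain: "shop.example.com", path: "/",     secure: false },
];

// Over plain http the non-Secure "prefs" cookie is still sent (and readable by
// a network attacker); the Secure "session" cookie is held back.
console.log(cookiesFor(jar, "http://example.com/user"));           // [ 'prefs' ]
console.log(cookiesFor(jar, "https://example.com/user/settings")); // [ 'session', 'prefs' ]
console.log(cookiesFor(jar, "https://example.com/username"));      // [ 'session' ]
console.log(cookiesFor(jar, "https://shop.example.com/"));         // [ 'session', 'cart' ]

// The mismatch the lecture points at: two different origins, one cookie scope.
console.log(sameOrigin("https://example.com", "https://shop.example.com")); // false
console.log(domainMatches("example.com", "shop.example.com"));              // true
console.log(sameOrigin("https://example.com", "http://example.com"));       // false
console.log(canSetDomain("shop.example.com", "example.com"));               // true
```

The last four lines are the answer to the fill-in-the-blank question in code form: the same-origin policy compares scheme, host, and port exactly, so a subdomain (or the http version of a site) is a different origin, while cookie policy scopes by domain suffix and path and ignores scheme and port unless the cookie carries the Secure attribute.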

Session Management with HTTP Auth

Session Token Analogy

Session Tokens

Storing Session Tokens

When could a man-in-the-middle attacker on the network steal a user’s session token?