Recall that the browser's same-origin policy (SOP) for DOM access is based on the (protocol, host, port) triple, whereas the SOP for sending cookies to websites includes domain and path. Cookies marked secure are sent over HTTPS only. In modern browsers, reading document.cookie in an HTTP context does not reveal secure cookies. In Safari before version 3.0, the SOP for DOM access is defined using the host and port only (i.e., it does not include the protocol).
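The rules recalled above can be written as small predicates. This is an added example, not part of the original problem; the function names, hosts and cookie are constructed, and the treatment of default ports in the host-and-port comparison is an assumption of the model.

```javascript
// Added illustration: simplified models of the rules recalled above.
// All hosts, paths and cookies below are constructed sample values.

// Modern SOP for DOM access: protocol, host and port must all match.
function sameOriginTriple(a, b) {
  const x = new URL(a), y = new URL(b);
  return x.protocol === y.protocol && x.hostname === y.hostname && x.port === y.port;
}

// Host-and-port-only comparison, as described for Safari before 3.0.
// Assumption: the port compared is URL.port ("" when omitted or scheme default).
function sameOriginHostPort(a, b) {
  const x = new URL(a), y = new URL(b);
  return x.hostname === y.hostname && x.port === y.port;
}

// Cookie scoping: domain and path decide where a cookie goes, and the
// secure flag additionally requires HTTPS. Protocol and port are otherwise ignored.
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  const host = u.hostname, reqPath = u.pathname;
  // Domain match: exact host or a subdomain of the cookie's domain.
  const domainOk = host === cookie.domain || host.endsWith("." + cookie.domain);
  // Path match: cookie path is a prefix that ends on a "/" boundary.
  const p = cookie.path;
  const pathOk = reqPath === p ||
    (reqPath.startsWith(p) && (p.endsWith("/") || reqPath[p.length] === "/"));
  const secureOk = !cookie.secure || u.protocol === "https:";
  return domainOk && pathOk && secureOk;
}

// Constructed sample: a secure cookie scoped to the whole domain.
const sample = { name: "SID", domain: "example.test", path: "/", secure: true };
for (const url of ["https://mail.example.test/inbox", "http://mail.example.test/inbox"]) {
  console.log(url, "-> cookie sent:", cookieSentTo(sample, url));
}
const httpPage = "http://example.test/", httpsPage = "https://example.test/";
console.log("triple rule, same origin:", sameOriginTriple(httpPage, httpsPage));
console.log("host+port rule, same origin:", sameOriginHostPort(httpPage, httpsPage));
```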
a) Describe how a network attacker (an active attacker that can intercept or forge network packets, etc.) could steal secure google.com cookies.
b) Under the same assumptions, is it possible for a web attacker to steal the secure google.com cookies? Explain an attack or explain why you believe none exists. Recall that a web attacker may set up a malicious website (at some domain other than google.com) and trick the user into visiting this site, but may not intercept or forge network packets.