Cookies: security

Daniel Silverstone dsilvers at digital-scurf.org
Thu Jun 29 12:45:01 BST 2006


On Wed, 2006-06-28 at 19:01 +0100, John-Mark Bell wrote:
> Sourceforge, 
> otoh, tries to set a domain cookie for .sourceforge.net from a host 
> sourceforge.net. By my reading of the spec, this contradicts the 3rd item 
> of the list.

I strongly believe that while strictly speaking foo.com does not
domain-match .foo.com -- it was the intention of the authors that it
would. It seems quite reasonable for sourceforge.net to set a cookie for
'all sites from sourceforge.net down' as it were. Thus I'd suggest that
BAR domain-matches .BAR is reasonable.

D.

-- 
Daniel Silverstone                     http://www.digital-scurf.org/
PGP mail accepted and encouraged         Key ID: 2BC8 4016 2068 7895
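
The two readings discussed in this message, as an added example (not part of the original message and not NetSurf's own code): a strict domain-match, under which a host never matches its own name with a leading dot, beside the relaxed rule proposed above. The function names and the sample host names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality for host names (ASCII only). */
static bool host_eq(const char *a, const char *b)
{
	for (; *a && *b; a++, b++)
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
			return false;
	return *a == *b;
}

/* Strict reading: identical strings, or host = N + domain where N is
 * non-empty and domain begins with '.'. */
bool domain_match_strict(const char *host, const char *domain)
{
	size_t hl = strlen(host), dl = strlen(domain);

	if (host_eq(host, domain))
		return true;
	if (domain[0] != '.' || hl <= dl)
		return false;
	return host_eq(host + (hl - dl), domain);
}

/* Relaxed reading suggested in the message: BAR also matches .BAR. */
bool domain_match_relaxed(const char *host, const char *domain)
{
	if (domain_match_strict(host, domain))
		return true;
	return domain[0] == '.' && host_eq(host, domain + 1);
}

int main(void)
{
	/* Constructed sample pairs: request host, cookie Domain attribute. */
	const char *cases[][2] = {
		{ "sourceforge.net", ".sourceforge.net" },
		{ "www.sourceforge.net", ".sourceforge.net" },
		{ "notsourceforge.net", ".sourceforge.net" },
	};
	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
		printf("%-20s %-18s strict=%d relaxed=%d\n", cases[i][0], cases[i][1],
		       domain_match_strict(cases[i][0], cases[i][1]),
		       domain_match_relaxed(cases[i][0], cases[i][1]));
	return 0;
}
```

Under either rule the suffix comparison includes the leading dot, so a host that merely ends in the same letters as the domain does not match.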





More information about the netsurf-dev mailing list