Cookies: security

John-Mark Bell jmb202 at
Fri Jun 30 00:33:47 BST 2006

On Thu, 29 Jun 2006, Daniel Silverstone wrote:

> On Wed, 2006-06-28 at 19:01 +0100, John-Mark Bell wrote:
>> Sourceforge,
>> otoh, tries to set a domain cookie for from a host
>> By my reading of the spec, this contradicts the 3rd item
>> of the list.
> I strongly believe that while strictly speaking does not
> domain-match -- It was the intention of the authors that it
> would. It seems quite reasonable for to set a cookie for
> 'all sites from down' as it were. Thus I'd suggest that
> BAR domain-matches .BAR is reasonable.

This seems reasonable to me. It's the other case (Yahoo) I'm more 
concerned about. I think Michael's suggestion is probably the way to go 
here (although I'm inclined to be draconian and not allow users to turn 
off warnings about dodgy cookies ;)
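The domain-matching question in the exchange above, as an added example that is not part of the original thread: a Python sketch of RFC 2109's "domain-match" rule (section 2) and the Domain-related rejection checks of section 4.3.2, with a `relaxed` switch implementing the reading argued for above (a host BAR domain-matches the attribute .BAR). The host names are constructed stand-ins; how item 4 of the rejection list is read (the host may be at most one label below Domain) is this example's assumption.

```python
from typing import Optional


def domain_match(host: str, domain: str, relaxed: bool = False) -> bool:
    """RFC 2109 section 2 'domain-match'.

    Host A domain-matches B if the strings are equal, or if A has the form
    N + B where N is a non-empty name string and B starts with a dot.
    With relaxed=True the host also matches a dotted Domain that names it
    exactly (BAR domain-matches .BAR), which the strict text does not allow.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if host == domain:
        return True
    if not domain.startswith("."):
        return False
    # Suffix match with a non-empty prefix; the leading dot in `domain`
    # stops "evilexample.net" from matching ".example.net".
    if len(host) > len(domain) and host.endswith(domain):
        return True
    # Relaxed reading: the bare host itself counts as matching ".host".
    return relaxed and host == domain[1:]


def reject_cookie(request_host: str, domain_attr: Optional[str],
                  relaxed: bool = False) -> Optional[str]:
    """Return a rejection reason, or None if the Domain attribute is acceptable.

    Mirrors the Domain-related items of RFC 2109 section 4.3.2. A cookie with
    no Domain attribute is scoped to the request host and needs no check here.
    """
    if domain_attr is None:
        return None
    d = domain_attr.lower().rstrip(".")
    h = request_host.lower().rstrip(".")
    # Item 2: Domain must start with a dot and contain an embedded dot,
    # so ".net" (a whole TLD) is refused.
    if not d.startswith(".") or "." not in d[1:-1]:
        return "Domain lacks leading or embedded dot"
    # Item 3: the request-host must domain-match the Domain attribute.
    if not domain_match(h, d, relaxed):
        return "request-host does not domain-match Domain"
    # Item 4 (reading assumed here): host = H + D where H holds no embedded
    # dot, i.e. a cookie for .example.org may come from www.example.org but
    # not from a.b.example.org.
    if h != d[1:] and h.endswith(d):
        prefix = h[: -len(d)]
        if "." in prefix.rstrip("."):
            return "request-host is more than one label below Domain"
    return None


if __name__ == "__main__":
    # Constructed cases standing in for the Sourceforge situation discussed above.
    for host, dom in [("example.net", ".example.net"),
                      ("www.example.net", ".example.net"),
                      ("a.b.example.net", ".example.net"),
                      ("www.example.net", ".net")]:
        print(f"{host:18} Domain={dom:14} strict={reject_cookie(host, dom)!r}"
              f" relaxed={reject_cookie(host, dom, relaxed=True)!r}")
```

The strict reading rejects the bare-host case (`example.net` setting `.example.net`), while the relaxed flag accepts it; both readings still refuse a TLD-wide Domain and a host more than one label below the Domain, which is where the real security exposure of an over-broad cookie lies.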