Cookies: security

John-Mark Bell jmb202 at ecs.soton.ac.uk
Fri Jun 30 00:33:47 BST 2006


On Thu, 29 Jun 2006, Daniel Silverstone wrote:

> On Wed, 2006-06-28 at 19:01 +0100, John-Mark Bell wrote:
>> Sourceforge,
>> otoh, tries to set a domain cookie for .sourceforge.net from a host
>> sourceforge.net. By my reading of the spec, this contradicts the 3rd item
>> of the list.
>
> I strongly believe that while strictly speaking foo.com does not
> domain-match .foo.com -- It was the intention of the authors that it
> would. It seems quite reasonable for sourceforge.net to set a cookie for
> 'all sites from sourceforge.net down' as it were. Thus I'd suggest that
> BAR domain-matches .BAR is reasonable.

This seems reasonable to me. It's the other case (Yahoo) I'm more 
concerned about. I think Michael's suggestion is probably the way to go 
here (although I'm inclined to be draconian and not allow users to turn 
off warnings about dodgy cookies ;)


John.
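The rule being argued over above, worked through in code as an added example (this is not NetSurf's cookie code, nor anything either poster wrote): the RFC 2109 section 2 "domain-match" test, plus the Domain-related rejection rules from RFC 2109 section 4.3.2, with an allow_bare flag for Daniel's relaxation that lets sourceforge.net match .sourceforge.net. The function names, the verdict enum and the sample host names are assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two NUL-terminated ASCII strings. */
static bool str_eq_ci(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    }
    return *a == '\0' && *b == '\0';
}

/* Crude IPv4 literal test (digits and dots only); enough for this example. */
static bool is_ip_literal(const char *s)
{
    if (*s == '\0')
        return false;
    for (; *s != '\0'; s++) {
        if (!isdigit((unsigned char)*s) && *s != '.')
            return false;
    }
    return true;
}

/*
 * RFC 2109 section 2 "domain-match": A matches B if the strings are equal,
 * or A has the form NB with N non-empty and B starting with a dot
 * (x.y.com matches .y.com).  Strictly, y.com does NOT match .y.com; the
 * allow_bare flag adds that case, as suggested in the thread.
 */
bool domain_matches(const char *host, const char *domain, bool allow_bare)
{
    size_t hl = strlen(host), dl = strlen(domain);

    /* IP addresses only ever match themselves exactly. */
    if (is_ip_literal(host) || is_ip_literal(domain))
        return str_eq_ci(host, domain);

    if (str_eq_ci(host, domain))
        return true;

    if (domain[0] != '.' || dl < 2)
        return false;

    /* host = N + domain, N non-empty: www.sourceforge.net / .sourceforge.net */
    if (hl > dl && str_eq_ci(host + (hl - dl), domain))
        return true;

    /* relaxed: bare host equals the domain minus its leading dot */
    if (allow_bare && hl == dl - 1 && str_eq_ci(host, domain + 1))
        return true;

    return false;
}

enum cookie_verdict {
    COOKIE_OK,
    COOKIE_REJECT_DOMAIN_FORM,   /* Domain lacks a leading or embedded dot */
    COOKIE_REJECT_NO_MATCH,      /* request-host does not domain-match     */
    COOKIE_REJECT_TOO_DEEP       /* host is H + Domain with a dot inside H */
};

/*
 * Domain-related rejection rules of RFC 2109 section 4.3.2 applied to a
 * Set-Cookie received from request_host (the Path rule is out of scope).
 */
enum cookie_verdict check_cookie_domain(const char *request_host,
                                        const char *domain_attr,
                                        bool allow_bare)
{
    size_t hl = strlen(request_host), dl = strlen(domain_attr);
    const char *inner;

    /* Rule 2: Domain must start with a dot and contain an embedded dot. */
    inner = (domain_attr[0] == '.') ? strchr(domain_attr + 1, '.') : NULL;
    if (inner == NULL || inner[1] == '\0')
        return COOKIE_REJECT_DOMAIN_FORM;

    /* Rule 3: the request-host must domain-match the Domain attribute. */
    if (!domain_matches(request_host, domain_attr, allow_bare))
        return COOKIE_REJECT_NO_MATCH;

    /* Rule 4: with request-host = H + Domain, H may not contain a dot,
     * so a.b.example.com may not set a cookie for .example.com. */
    if (!is_ip_literal(request_host) && hl > dl &&
        memchr(request_host, '.', hl - dl) != NULL)
        return COOKIE_REJECT_TOO_DEEP;

    return COOKIE_OK;
}

int main(void)
{
    /* Constructed sample inputs; the sourceforge.net pair is the thread's case. */
    static const char *const names[] = { "ok", "reject: bad Domain form",
                                         "reject: no domain-match", "reject: host too deep" };
    printf("strict  : %s\n", names[check_cookie_domain("sourceforge.net", ".sourceforge.net", false)]);
    printf("relaxed : %s\n", names[check_cookie_domain("sourceforge.net", ".sourceforge.net", true)]);
    printf("subhost : %s\n", names[check_cookie_domain("www.sourceforge.net", ".sourceforge.net", false)]);
    printf("too deep: %s\n", names[check_cookie_domain("a.b.example.com", ".example.com", false)]);
    return 0;
}
```

Run as-is, the strict call rejects the sourceforge.net cookie under rule 3 and the relaxed call accepts it; rule 4 still stops a.b.example.com from setting a cookie for .example.com in both modes, so the relaxation only widens matching by the bare-host case and nothing else.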




More information about the netsurf-dev mailing list