Cookies: security

Daniel Silverstone dsilvers at
Fri Jun 30 10:29:24 BST 2006

On Fri, 2006-06-30 at 00:33 +0100, John-Mark Bell wrote:
> >> Sourceforge,
> >> otoh, tries to set a domain cookie for from a host
> >> By my reading of the spec, this contradicts the 3rd item
> >> of the list.
> > I strongly believe that while strictly speaking does not
> > domain-match -- it was the intention of the authors that it
> > would. It seems quite reasonable for to set a cookie for
> > 'all sites from down' as it were. Thus I'd suggest that
> > BAR domain-matches .BAR is reasonable.
> This seems reasonable to me. It's the other case (Yahoo) I'm more 
> concerned about. I think Michael's suggestion is probably the way to go 
> here (although I'm inclined to be draconian and not allow users to turn 
> off warnings about dodgy cookies ;)

Yes, the Yahoo case is more concerning. Perhaps, as you say, the choices
should be as Michael suggested with a minor alteration...

1) disable all cookie functionality
2) Always prompt (modulo some kind of 'accept from this site'?)
3) Prompt for dubious or normal on http, accept https regardless
4) Prompt only for dubious cookies


Daniel Silverstone           
PGP mail accepted and encouraged         Key ID: 2BC8 4016 2068 7895
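The domain-matching rules the thread argues over, and the four acceptance modes Daniel lists, as an added worked example. This is illustration code written for this page, not NetSurf's cookie implementation; it follows the rejection list in RFC 2109 section 4.3.2 (no embedded dot in Domain, request host must domain-match Domain, request host at most one label below Domain), adds the thread's proposed relaxation that a host BAR may set a cookie for .BAR as an opt-in flag, and the host names used in the usage section at the bottom are constructed samples, not the real Sourceforge or Yahoo headers.

```python
from typing import Optional

# RFC 2109 domain-match, with the thread's proposed relaxation as an option.
# Example code for this thread; not NetSurf's code.

def domain_match(host: str, domain: str, relaxed: bool = False) -> bool:
    """True if `host` domain-matches `domain`.

    Strict RFC 2109 reading: the strings are identical, or host has the form
    N + domain where N is non-empty and domain starts with a dot.
    Relaxed (the "BAR domain-matches .BAR" suggestion): also accept host == BAR
    for domain == .BAR.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower()
    if host == domain:
        return True
    if domain.startswith(".") and host.endswith(domain) and len(host) > len(domain):
        return True
    if relaxed and domain.startswith(".") and host == domain[1:]:
        return True
    return False


def is_ip_literal(host: str) -> bool:
    """Crude IPv4 test: every label is numeric (good enough for this example)."""
    return all(label.isdigit() for label in host.split("."))


def reject_reason(request_host: str, cookie_domain: Optional[str],
                  relaxed: bool = False) -> Optional[str]:
    """Return None if the Domain attribute is acceptable, else why it is rejected.

    The three checks mirror the RFC 2109 list the thread refers to. A missing
    Domain attribute means the cookie is scoped to the request host only, which
    needs no checking here.
    """
    if cookie_domain is None:
        return None
    d = cookie_domain.lower()
    if not d.startswith("."):
        d = "." + d  # RFC 2965 behaviour; RFC 2109 would reject outright instead
    # Rule: Domain must contain an embedded dot (".com" is not acceptable).
    if "." not in d[1:]:
        return "Domain has no embedded dot"
    # Rule: request host must domain-match Domain (the Sourceforge question).
    if not domain_match(request_host, d, relaxed):
        return "request host does not domain-match Domain"
    # Rule: for host names (not IP literals) of the form H + Domain, H may not
    # itself contain a dot, i.e. the host is at most one label below Domain.
    if not is_ip_literal(request_host):
        host = request_host.lower().rstrip(".")
        h = host[:-len(d)] if host.endswith(d) else ""  # "" in the relaxed BAR case
        if "." in h:
            return "request host is more than one level below Domain"
    return None


def decide(mode: int, scheme: str, dubious: bool) -> str:
    """The four user-facing choices from the thread, as a policy function.

    1) no cookie functionality  2) always prompt
    3) prompt on http, accept https regardless  4) prompt only for dubious ones
    """
    if mode == 1:
        return "reject"
    if mode == 2:
        return "prompt"
    if mode == 3:
        return "accept" if scheme == "https" else "prompt"
    if mode == 4:
        return "prompt" if dubious else "accept"
    raise ValueError("unknown mode")


if __name__ == "__main__":
    # Constructed sample headers for illustration only.
    samples = [
        ("sourceforge.net", ".sourceforge.net"),      # the disputed case
        ("www.sourceforge.net", ".sourceforge.net"),  # plainly fine
        ("www.example.org", ".example.com"),          # unrelated domain
        ("www.example.com", ".com"),                  # no embedded dot
        ("a.b.example.com", ".example.com"),          # two labels below Domain
    ]
    for host, dom in samples:
        strict = reject_reason(host, dom)
        relaxed = reject_reason(host, dom, relaxed=True)
        dubious = strict is not None
        print(f"{host:22} {dom:18} strict={strict!r:50} relaxed={relaxed!r} "
              f"mode4={decide(4, 'http', dubious)}")
```

Under the strict reading only the first sample is rejected for failing to domain-match; with the relaxation it is accepted, while the unrelated-domain, no-embedded-dot and two-levels-down samples stay rejected either way. Those remaining rejections are the cookies a "prompt only for dubious cookies" mode would still warn about.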

More information about the netsurf-dev mailing list