Cookies: security

Daniel Silverstone dsilvers at digital-scurf.org
Fri Jun 30 10:29:24 BST 2006


On Fri, 2006-06-30 at 00:33 +0100, John-Mark Bell wrote:
> >> Sourceforge,
> >> otoh, tries to set a domain cookie for .sourceforge.net from a host
> >> sourceforge.net. By my reading of the spec, this contradicts the 3rd item
> >> of the list.
> > I strongly believe that while strictly speaking foo.com does not
> > domain-match .foo.com -- It was the intention of the authors that it
> > would. It seems quite reasonable for sourceforge.net to set a cookie for
> > 'all sites from sourceforge.net down' as it were. Thus I'd suggest that
> > BAR domain-matches .BAR is reasonable.
> This seems reasonable to me. It's the other case (Yahoo) I'm more
> concerned about. I think Michael's suggestion is probably the way to go
> here (although I'm inclined to be draconian and not allow users to turn
> off warnings about dodgy cookies ;)

Yes, the Yahoo case is more concerning. Perhaps, as you say, the choices
should be as Michael suggested with a minor alteration...


1) disable all cookie functionality
2) Always prompt (modulo some kind of 'accept from this site'?)
3) Prompt for dubious or normal on http, accept https regardless
4) Prompt only for dubious cookies

D.

-- 
Daniel Silverstone                     http://www.digital-scurf.org/
PGP mail accepted and encouraged         Key ID: 2BC8 4016 2068 7895
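Working through the domain-matching reading argued above, here is an added example (not NetSurf code, and not from any poster in the thread) that implements the RFC 2109 domain-match rule with the lenient "BAR domain-matches .BAR" alteration, flags the dubious cases described by the spec's Set-Cookie rejection rules, and maps the four policy levels in the message to reject/prompt/accept. The Policy names, the "normal"/"dubious" labels and the example hosts are assumptions of this example.

```python
from enum import IntEnum
from typing import Optional

class Policy(IntEnum):
    """The four levels from the message (names are assumed, not NetSurf's)."""
    DISABLED = 1        # 1) disable all cookie functionality
    ALWAYS_PROMPT = 2   # 2) always prompt (a per-site 'accept' list could short-circuit this)
    PROMPT_HTTP = 3     # 3) prompt for anything on http, accept https regardless
    PROMPT_DUBIOUS = 4  # 4) prompt only for dubious cookies

def domain_matches(host: str, domain: str, lenient: bool = True) -> bool:
    """RFC 2109 domain-match: identical, or domain is '.B' and host is 'N.B' (N non-empty).
    lenient=True adds the reading argued in the thread: bare 'B' also matches '.B',
    so sourceforge.net may set a cookie for .sourceforge.net."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    if not domain.startswith("."):
        return False
    if lenient and host == domain[1:]:
        return True
    return host.endswith(domain) and len(host) > len(domain)

def classify(request_host: str, domain: Optional[str]) -> str:
    """'normal' or 'dubious' per the Set-Cookie rejection rules of RFC 2109 section 4.3.2."""
    if domain is None:
        return "normal"               # Domain defaults to the request host
    d = domain.lower()
    if not d.startswith(".") or "." not in d[1:]:
        return "dubious"              # no leading dot, or too broad (e.g. '.net')
    if not domain_matches(request_host, d):
        return "dubious"              # host outside the domain it tries to set
    h = request_host.lower()
    prefix = h[:-len(d)] if h.endswith(d) else ""
    if "." in prefix:
        return "dubious"              # a.b.example.net may not set .example.net
    return "normal"

def decide(policy: Policy, scheme: str, kind: str) -> str:
    """Map a policy level plus the cookie's scheme and kind to reject/prompt/accept."""
    if policy is Policy.DISABLED:
        return "reject"
    if policy is Policy.ALWAYS_PROMPT:
        return "prompt"
    if policy is Policy.PROMPT_HTTP:
        return "accept" if scheme == "https" else "prompt"
    return "prompt" if kind == "dubious" else "accept"
```

Note that level 3 accepts even a dubious cookie over https, exactly as the message words it; a stricter reading would prompt for dubious cookies on any scheme.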