What algorithm is recommending for validating cookie domains? I
originally tried to implement a check compliant with rfc2109, but that
proved not to work with a bunch of web sites. So I implemented the
recommendation from the bogosity under
http://www.netscape.com/newsref/std/cookie_spec.html
To quote from there:
[...] Only hosts within the specified domain can set a cookie for
a domain and domains must have at least two (2) or three (3)
periods in them to prevent domains of the form: ".com", ".edu",
and "va.us". Any domain that fails within one of the seven special
top level domains listed below only require two periods. Any other
domain requires at least three. The seven special top level
domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".
This is amazingly stupid. It means that `www.arsdigita.de' cannot set
the cookie for `arsdigita.de'. To make *that* work, you'd have to
maintain a database of domains that use ".co.xxx" convention, as
opposed to those that use just ".xxx". That kind of thing is
obviously error-prone, given how top-level domains are being added
these days.
A friend suggested to only allow one level of domain generality. For
example, allow `sharenet.icn.siemens.de' to set the cookies for that
host, and for `icn.siemens.de', but not for `siemens.de' because that
would be two levels apart. The problem with that is that it would be
hard to distinguish between `www.cnn.com' (obviously allowed to set
the cookie for "cnn.com") and `cnn.co.uk' (which should obviously
*not* be allowed to set the cookie for `co.uk') without employing a
list of domains such as mentioned above.
`Links' seems to be implementing the same bogus algorithm. Lynx seems
to be doing something smarter, but it's unclear which (expired) spec
that's based on.
Any thoughts on this?
