+---------- On Dec 27, Dossy said:
> Netscape has the option of "allow all cookies" or "allow cookies
> that get sent back to the originating server." So, if you just
> set "allow all cookies" then send your browser a set-cookie where
> domain= the domain you want to attack, setting cookies becomes
> pretty trivial.

That's not what accept-all-cookies means. If an HTML page from server X contains an IMG tag with an SRC pointing at server Y, and server Y's response includes Set-Cookie, then Netscape will honor Y's Set-Cookie if accept-all-cookies is set and will not honor it if accept-only-cookies-that-get-sent-back-to-originating-server is set.
