Dylan Griffiths wrote:
> Thomas Reinke wrote:
> > There is no easy patch to this problem. The only solution I
> > can think of, which is not an easy one, would be to have browsers
> > have intimate knowledge of what constitutes an organization's
> > "domain of influence", and limit cookies accordingly. This
> > is essentially impossible to implement.
>
> > (Consider domain.city.state.country - where is the allowable
> > domain of influence here? Probably 4 levels deep, but how
> > to indicate this to the browser).
>
> Perhaps this would be an exercise best left up to the user, as there is
> currently no way to indicate the scope of the authority (harmless TLD,
> country, normal domain, etc) in the DNS system.

A similar problem existed in WPAD (Web Proxy Auto-Discovery)
for IE 5.0: see MS Security Bulletin MS99-054 at
http://www.microsoft.com/technet/security/bulletin/ms99-054.asp

The browser was walking up the DNS hierarchy looking for the name wpad,
in some cases making queries outside the organization's trust boundary.

Tim.
--
Tim Adam  [EMAIL PROTECTED]     http://www.osa.com
Software Development Engineer   Phone: +61 3 9895 2199
Open Software Associates Ltd.   Box Hill VIC Australia
 Proven Solution Deployment for the Global Enterprise
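
The walk described above, as an added example (not part of the original message and not Microsoft's code): a simplified Python model that lists the wpad names a client would try and marks the ones that fall outside the organization's own domain. The function names, the min_labels stop rule and the sample host under domain.city.state.country are assumptions made for illustration.

```python
# Added example: simplified model of a WPAD-style walk up the DNS hierarchy.
# Host names below are constructed, following the thread's
# "domain.city.state.country" illustration.

def wpad_candidates(client_fqdn, min_labels=3):
    """Return the wpad names tried, dropping one parent label per step.

    min_labels is an assumed stop rule: the shortest candidate name
    (counting the 'wpad' label) that the walk will still query.
    """
    labels = client_fqdn.rstrip(".").lower().split(".")
    parents = labels[1:]  # drop the host's own label
    names = []
    while parents and len(parents) + 1 >= min_labels:
        names.append(".".join(["wpad"] + parents))
        parents = parents[1:]
    return names


def inside_boundary(name, org_domains):
    """True if the candidate's parent domain is one the organization controls."""
    parent = name.split(".", 1)[1]
    return any(parent == d or parent.endswith("." + d) for d in org_domains)


def audit(client_fqdn, org_domains, min_labels=3):
    """Pair every candidate name with whether it stays inside the boundary."""
    return [(n, inside_boundary(n, org_domains))
            for n in wpad_candidates(client_fqdn, min_labels)]


def leaked_names(client_fqdn, org_domains, min_labels=3):
    """Candidate names whose answer would come from outside the organization."""
    return [n for n, ok in audit(client_fqdn, org_domains, min_labels) if not ok]


if __name__ == "__main__":
    # The organization has to declare its boundary itself; as the thread
    # notes, nothing in DNS tells the client where it lies.
    org = {"domain.city.state.country"}
    for name, ok in audit("host.dept.domain.city.state.country", org):
        print(("inside " if ok else "OUTSIDE"), name)
```

Names reported as outside are the ones worth blocking or answering authoritatively on the internal resolver.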
