Updates:
Cc: lcamtuf
Comment #10 on issue 3699 by lcamtuf: Cookies not stored when accessing
site by IP (without domain name)
http://code.google.com/p/chromium/issues/detail?id=3699
As with all cookie behavior, this is fuzzy at best, but I think it goes
like this:
1) All browsers, Chrome included, permit cookies to be set for IPs if
domain=
parameter is absent (and the cookie is then scoped to that IP). There are
some corner
cases where it could contribute to web application design errors, but for
most part,
the risks are negligible and it's just the way things are.
2) All browsers except for Chrome permit cookies to be set for IPs if
domain=
parameter matches the IP exactly. This is conceptually equivalent to #1, so
we should
probably implement this as well if we already have #1 logic.
3) Some browsers, such as Safari 3 (and until recently Firefox, I think)
get confused
and treat IPs using the same logic as for proper domain names, allowing e.g.
domain=.3.4 when served from 1.2.3.4, which is obviously bad.
4) One could try to come up with a more appropriate wildcard mechanism for
IPs, for
example allowing wildcards based on the structure of the first octet, but
this does
not seem to be desirable, and does not seem to be done anywhere.
--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
--~--~---------~--~----~------------~-------~--~----~
Automated mail from issue updates at http://crbug.com/
Subscription options: http://groups.google.com/group/chromium-bugs
-~----------~----~----~----~------~----~------~--~---
