On Jan 21, 2013, at 4:24 PM, Vernon Schryver <[email protected]> wrote:
>> From: Warren Kumari <[email protected]>
>
>>> Continuing the sarcasm is too much effort, so I'll simply ask why not
>>> do DNS MX and A requests? (both because of the fall-back-to-A-if-no-MX
>
>> Please sir, if I run www.images.example.co.uk, can I set a cookie
>> at images.example.co.uk? How about example.co.uk? Fine Now .co.uk?
>
> If you are running www.images.example.co.uk, then you should know
> all there is to know about cookies at www.images.example.co.uk and any
> other domains at which you might legitimately want to set a cookie.
>
> If you are an HTTP client implementor, then I think you should implement
> "disable third party cookies" with the single obvious, fast, simple,
> and--if you like--simplistic comparison without needing to check any
> PSL lists. You should also make "disable third party cookies" on by
> default.
>

Ok, so we seem to be talking past each other / I am doing a crappy job of explaining my point…

The PSL helps prevent the use of third party cookies, by allowing you to tell what a third party is…

Given (RFC 2109):
* A Set-Cookie from request-host x.foo.com for Domain=.foo.com would be accepted.

I'm assuming you agree that this is acceptable? http://www.foo.com should be able to set a cookie for .foo.com?

I'm also assuming that you agree that http://foo.com should NOT be able to set a cookie for .com? Lots of folk have domains in .com, it would (to me) be silly for foo.com to be able to set a cookie for .com…

Luckily 2109 protects against this:
* A Set-Cookie with Domain=.com or Domain=.com., will always be rejected, because there is no embedded dot.

Great, all makes sense… however….

I'm assuming you agree that x.foo.co.uk should be able to set a cookie for foo.co.uk? No point in discriminating against folk simply because they didn't register in .com (or .net or .coop).

I'm assuming you also agree that http://foo.co.uk should NOT be able to set a cookie for .co.uk? Lots of folk register in .co.uk, it would (to me) be silly for foo.co.uk to be able to set a cookie for all of .co.uk…

But, .co.uk has a dot, so the "no embedded dots" rule doesn't prevent this…

What you actually want to know is where in a domain label you have the bit that is specific to a registrant / entity. In x.y.z.com it is everything up to the .com, in john.fred.mary.co.uk it is everything up to the .co.uk, in foo.tv.bo it is everything before the .tv.bo….

How did I know the rule of where in the .bo namespace entities may register? PSL…

W

>
> Yes, I am among the many who consider third party cookies at best
> undesirable and generally willful and knowing attempts to sell or
> otherwise violate our privacy.
>
> Yes, I've occasionally encountered web pages that apparently
> legitimately use third party cookies (i.e. without obviously trying
> to violate my privacy). I cannot recall any cases where those web
> pages could not and should not have used other tactics.
>
> Yes, I know all HTTP server operators "values my privacy." However,
> the values that spammers, advertisers, governments, and other snoops
> place on my privacy differ from mine.
>
>
> Vernon Schryver [email protected]
>

--
Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup.
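The gap described in the message above, as an added example that is not part of the original post: the RFC 2109 embedded-dot check beside a check against a public suffix list. The function names and the five-rule list excerpt are constructed for illustration, and the other RFC 2109 rejection rules and the PSL's wildcard and exception rules are left out.

```python
# Constructed excerpt of Public Suffix List rules; the real list is far larger
# and also has wildcard (*.) and exception (!) rules, which this sketch omits.
PSL_EXCERPT = {"com", "uk", "co.uk", "bo", "tv.bo"}


def labels(name):
    """Lower-case a host or Domain attribute and split it into labels."""
    return name.lower().strip(".").split(".")


def domain_matches(host, domain):
    """True if host equals domain or is a subdomain of it."""
    h, d = labels(host), labels(domain)
    return h[-len(d):] == d


def embedded_dot_rule(host, domain):
    """The RFC 2109 check quoted above: reject a Domain with no embedded dot."""
    return len(labels(domain)) >= 2 and domain_matches(host, domain)


def public_suffix(name, rules=PSL_EXCERPT):
    """Longest rule that matches the end of name (default: the last label)."""
    parts = labels(name)
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in rules:
            return candidate
    return parts[-1]


def registrable_domain(host, rules=PSL_EXCERPT):
    """Public suffix plus one label: the registrant-specific part of host."""
    parts, suffix = labels(host), labels(public_suffix(host, rules))
    if len(parts) <= len(suffix):
        return None  # host is itself a public suffix
    return ".".join(parts[-(len(suffix) + 1):])


def psl_rule(host, domain, rules=PSL_EXCERPT):
    """Accept a Domain only if it is not itself a public suffix."""
    d = ".".join(labels(domain))
    return d != public_suffix(d, rules) and domain_matches(host, domain)


if __name__ == "__main__":
    for host, dom in [("x.foo.com", ".foo.com"), ("foo.com", ".com"),
                      ("x.foo.co.uk", ".foo.co.uk"), ("foo.co.uk", ".co.uk")]:
        print(host, dom, embedded_dot_rule(host, dom), psl_rule(host, dom))
```

Two hosts belong to the same party when `registrable_domain` returns the same value for both, which is the comparison a third-party-cookie check needs.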
