> From: Warren Kumari <[email protected]>

> I'm assuming you agree this is acceptable? http://www.foo.com
> should be able to set a cookie for .foo.com?

No, I do not agree. One cannot presume to know that www.example.com and example.com are run by the same organization so that a cookie set by one is not a third party cookie for the other. There is nothing special about the prefix label "www" that lets you infer anything about the administration of www.example.com and example.com. Without inside knowledge, you cannot know whether www.example.com and example.com have any relationship besides the obvious DNS delegation. You surely know of millions of cases where DNS delegations do not imply common administration (the gTLDs) and so you know how little DNS delegation implies.

An honest, other than stupid definition of "third party cookie" can only involve the simple string comparison between all of the domain name in the cookie with all of the domain name in the URL. This strict definition does not inconvenience legitimate HTTP server operators, because they can do things like issuing HTTP redirects from example.com to www.example.com to ensure a single domain for their cookies.

Vernon Schryver [email protected]

In general, what is presuming or professing to know that which one cannot know other than stupid or dishonest?
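
Added illustration, not part of the original message: the whole-name comparison argued for above, set beside the RFC 6265 domain-match that lets www.foo.com scope a cookie to .foo.com. Function names and sample values are constructed; normalizing case, the root dot and a leading dot before the strict comparison is an assumption, and public-suffix checks are not modelled.

```python
import ipaddress
from urllib.parse import urlsplit

def normalize(name):
    # Case-fold, drop the root dot; a leading dot is ignored as in RFC 6265.
    return name.strip().lower().rstrip(".").lstrip(".")

def cookie_domain(set_cookie, request_host):
    """Domain a Set-Cookie value is scoped to; host-only if no Domain attribute."""
    domain = None
    for attr in set_cookie.split(";")[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            domain = normalize(value)  # the last Domain attribute wins
    return domain or request_host

def suffix_match(host, domain):
    """RFC 6265 section 5.1.3 domain-match: equal, or a dot-bounded suffix."""
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)  # IP literals never suffix-match
        return False
    except ValueError:
        return host.endswith("." + domain)

def strict_match(host, domain):
    """The rule argued for in the message: whole-name string equality."""
    return host == domain

def compare(url, set_cookie):
    host = normalize(urlsplit(url).hostname)
    domain = cookie_domain(set_cookie, host)
    return {"domain": domain,
            "suffix": suffix_match(host, domain),
            "strict": strict_match(host, domain)}

SAMPLES = [  # constructed request URL / Set-Cookie pairs
    ("http://www.foo.com/", "sid=1; Domain=.foo.com; Path=/"),
    ("http://www.foo.com/", "sid=1; Path=/"),
    ("http://foo.com/", "sid=1; Domain=foo.com"),
    ("http://www.foo.com/", "sid=1; Domain=WWW.Foo.Com."),
    ("http://notfoo.com/", "sid=1; Domain=foo.com"),
]

if __name__ == "__main__":
    for url, header in SAMPLES:
        print(url, "|", header, "->", compare(url, header))
```

The first sample is the case from the quoted question: the suffix rule accepts it and the strict rule does not, while a host-only cookie (second sample) passes both.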
