How do cookies work? Mozilla claims to follow RFC 6265 [1], which seems to prohibit domains starting with a dot.
Yet, when I go to icabanken.se using the proposed ICA Banken ruleset [2], using Firefox or Iceweasel, I get cookies that say “Domain: .icabanken.se”. I also have an issue with securing cookies with the <securecookie> tag. Continuing with the ICA Banken example, here is what I observe generally. The cookies that say “Host: www.icabanken.se” have the Secure flag set. The cookies that say “Domain: .icabanken.se” do not have the Secure flag set. I found one exception, where even a cookie limited to www.icabanken.se failed to be secured. I observed all this in Firefox 25.0/HTTPS Everywhere 3.4.5 and Iceweasel 17.0.5/HTTPS Everywhere 3.1.4. [1] https://developer.mozilla.org/en-US/docs/Web_Development/HTTP_cookies [2] https://lists.eff.org/pipermail/https-everywhere-rules/2014-January/001819.html -- Brian Drake All content created by me: Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>© 2014 Brian Drake. All rights reserved.
