After looking at the code again, I think that is indeed the problem: cookies with domains of the form .example.com (with a leading dot) will only be secured by rulesets with target hosts of the form *.example.com (example.com and www.example.com are not enough). I’ll need to test this.
I’m no closer to explaining why such cookies exist in the first place.

--
Brian Drake

All content created by me:
Copyright <http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html> © 2014
Brian Drake. All rights reserved.

On Fri, Jan 17, 2014 at 0326 (UTC), Drake, Brian <[email protected]> wrote:

> HTTPS Everywhere only secures cookies if it looks like the domain is
> available over HTTPS. I don’t remember seeing any code to deal specially
> with dots at the start. Maybe that’s giving it trouble. I’d have to look at
> the code again.
>
> On Wed, Jan 15, 2014 at 1001 (UTC), Drake, Brian <[email protected]> wrote:
>
>> How do cookies work? Mozilla claims to follow RFC 6265 [1], which seems
>> to prohibit domains starting with a dot.
>>
>> Yet, when I go to icabanken.se using the proposed ICA Banken ruleset
>> [2], using Firefox or Iceweasel, I get cookies that say “Domain:
>> .icabanken.se”.
>>
>> I also have an issue with securing cookies with the <securecookie> tag.
>>
>> Continuing with the ICA Banken example, here is what I observe generally.
>> The cookies that say “Host: www.icabanken.se” have the Secure flag set.
>> The cookies that say “Domain: .icabanken.se” do not have the Secure flag
>> set. I found one exception, where even a cookie limited to
>> www.icabanken.se failed to be secured.
>>
>> I observed all this in Firefox 25.0/HTTPS Everywhere 3.4.5 and Iceweasel
>> 17.0.5/HTTPS Everywhere 3.1.4.
>>
>> [1] https://developer.mozilla.org/en-US/docs/Web_Development/HTTP_cookies
>> [2] https://lists.eff.org/pipermail/https-everywhere-rules/2014-January/001819.html
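An added illustration, not code from HTTPS Everywhere or from this thread: a small matcher that compares a cookie's Domain value against ruleset target hosts literally, as the message above suspects the extension does (so ".icabanken.se" is covered only by a "*.icabanken.se" target), beside a variant that first strips the leading dot as RFC 6265 section 5.2.3 does for the Domain attribute. The cookie domains and target names are constructed from the ICA Banken report; the matcher functions are hypothetical.

```javascript
// Added illustration, not HTTPS Everywhere's own code: compare a cookie's Domain
// value against <target host="..."> patterns literally and after RFC 6265
// canonicalisation. Targets and cookies below are constructed from the thread.

// Turn a target pattern such as "*.icabanken.se" into a whole-string regex.
// "*" becomes ".*", which also matches an empty label, so the wildcard pattern
// matches the bare string ".icabanken.se".
function targetRegex(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

// RFC 6265 section 5.2.3: a Domain attribute value that starts with "." is
// used without the leading dot; domain names compare case-insensitively.
function canonicalCookieDomain(domain) {
  return (domain.startsWith('.') ? domain.slice(1) : domain).toLowerCase();
}

// Literal comparison of the stored Domain string: the first target pattern
// that matches it, or null when no pattern does.
function literalTarget(cookieDomain, targets) {
  return targets.find(t => targetRegex(t).test(cookieDomain)) || null;
}

// Canonicalised comparison: a domain cookie for "icabanken.se" counts as
// covered when the bare domain or its wildcard form is listed as a target.
function canonicalTarget(cookieDomain, targets) {
  const host = canonicalCookieDomain(cookieDomain);
  return targets.find(t => t === host || t === '*.' + host) || null;
}

// Constructed cookies and targets modelled on the thread's ICA Banken report.
const SAMPLE_COOKIES = [
  { name: 'session', domain: 'www.icabanken.se' }, // host-only cookie
  { name: 'prefs', domain: '.icabanken.se' },      // leading-dot domain cookie
];
const SAMPLE_TARGETS = ['icabanken.se', 'www.icabanken.se'];

// For each cookie, report which target covers it under both comparisons.
function coverageReport(cookies, targets) {
  return cookies.map(c => ({
    domain: c.domain,
    literal: literalTarget(c.domain, targets),
    canonical: canonicalTarget(c.domain, targets),
  }));
}

console.log(coverageReport(SAMPLE_COOKIES, SAMPLE_TARGETS));
```

With the two non-wildcard targets, the host-only cookie is covered either way while the leading-dot cookie is covered only after canonicalisation; adding a "*.icabanken.se" target makes the literal comparison cover it too.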
