I tested with the ICA Banken ruleset referred to before and the eCoin Talk ruleset [1], by changing www to * in <target>. In both cases, there are still domains beginning with dots, but they now have the Secure flag set.
[1] https://lists.eff.org/pipermail/https-everywhere-rules/2014-January/001838.html

--
Brian Drake

All content created by me: Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>© 2014 Brian Drake. All rights reserved.

On Sat, Jan 18, 2014 at 1:41 PM, Drake, Brian <[email protected]> wrote:

> After looking at the code again, I think that is indeed the problem:
> cookies with domains of the form .example.com (with a leading dot) will
> only be secured by rulesets with target hosts of the form *.example.com
> (example.com and www.example.com are not enough). I’ll need to test this.
>
> I’m no closer to explaining why such cookies exist in the first place.
>
> --
> Brian Drake
>
> All content created by me:
> Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>© 2014
> Brian Drake. All rights reserved.
>
> On Fri, Jan 17, 2014 at 0326 (UTC), Drake, Brian <[email protected]> wrote:
>
>> HTTPS Everywhere only secures cookies if it looks like the domain is
>> available over HTTPS. I don’t remember seeing any code to deal specially
>> with dots at the start. Maybe that’s giving it trouble. I’d have to look at
>> the code again.
>>
>> --
>> Brian Drake
>>
>> All content created by me:
>> Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>© 2014
>> Brian Drake. All rights reserved.
>>
>> On Wed, Jan 15, 2014 at 1001 (UTC), Drake, Brian <[email protected]> wrote:
>>
>>> How do cookies work? Mozilla claims to follow RFC 6265 [1], which seems
>>> to prohibit domains starting with a dot.
>>>
>>> Yet, when I go to icabanken.se using the proposed ICA Banken ruleset
>>> [2], using Firefox or Iceweasel, I get cookies that say
>>> “Domain: .icabanken.se”.
>>>
>>> I also have an issue with securing cookies with the <securecookie> tag.
>>>
>>> Continuing with the ICA Banken example, here is what I observe
>>> generally. The cookies that say “Host: www.icabanken.se” have the
>>> Secure flag set. The cookies that say “Domain: .icabanken.se” do not
>>> have the Secure flag set. I found one exception, where even a cookie
>>> limited to www.icabanken.se failed to be secured.
>>>
>>> I observed all this in Firefox 25.0/HTTPS Everywhere 3.4.5 and Iceweasel
>>> 17.0.5/HTTPS Everywhere 3.1.4.
>>>
>>> [1]
>>> https://developer.mozilla.org/en-US/docs/Web_Development/HTTP_cookies
>>> [2]
>>> https://lists.eff.org/pipermail/https-everywhere-rules/2014-January/001819.html
>>>
>>> --
>>> Brian Drake
>>>
>>> All content created by me:
>>> Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>©
>>> 2014 Brian Drake. All rights reserved.
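
The matching behaviour reported in this thread, as an added example that is not part of the original messages and is not HTTPS Everywhere's code: a simplified model of why a cookie host with a leading dot is only covered once `www` is changed to `*` in `<target>`. The function names, cookie names and target lists are assumptions made for the illustration.

```javascript
// Added illustration: a simplified model of the behaviour described in the
// thread, NOT HTTPS Everywhere's code. All function names are hypothetical.

// A <target host="..."> is modelled as an exact host or a single leading "*."
// wildcard. "*.example.com" is treated as "anything ending in .example.com",
// so the dotted string ".example.com" matches it but "example.com" does not.
function hostMatchesTarget(host, target) {
  if (target.startsWith("*.")) {
    return host.endsWith(target.slice(1));
  }
  return host === target;
}

// Names of the cookies whose host is covered by at least one target, i.e.
// the ones this model would mark Secure.
function securedCookies(cookies, targets) {
  return cookies
    .filter((c) => targets.some((t) => hostMatchesTarget(c.host, t)))
    .map((c) => c.name);
}

// Constructed sample data. Assumption: the browser reports a host-only cookie
// as "www.icabanken.se" and a domain cookie as ".icabanken.se", matching the
// observations quoted in the thread. Cookie names are made up.
const cookies = [
  { name: "hostOnly", host: "www.icabanken.se" },
  { name: "domainWide", host: ".icabanken.se" },
];

// Constructed target lists: before and after changing www to * in <target>.
const exactTargets = ["icabanken.se", "www.icabanken.se"];
const wildcardTargets = ["icabanken.se", "*.icabanken.se"];

console.log("exact targets   :", securedCookies(cookies, exactTargets));
console.log("wildcard targets:", securedCookies(cookies, wildcardTargets));
```

A domain cookie is sent to every subdomain, so in this model only the wildcard target describes the cookie's full scope.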
