> > > To quote from there:
> >
> > [...] Only hosts within the specified domain can set a cookie for
> > a domain and domains must have at least two (2) or three (3)
> > periods in them to prevent domains of the form: ".com", ".edu",
> > and "va.us". Any domain that fails within one of the seven special
> > top level domains listed below only require two periods. Any other
> > domain requires at least three. The seven special top level
> > domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".

NO, only on the first view. Because the OFFICIAL domain system begins with a DOT,
that means suche.org -> suche.org. BUT there are many domains of the form
FIRM.com.tw or www.buy.co.uk; if you do not respect this, you can set cookies
for a whole country and read them, like co.uk etc. So I would prefer to handle
it like Mozilla: do not allow cookie generalization !!! Because cookies are often
used for tracking, or poor programming. Good sites use session handling
independent of cookies and cookies only for "remember login". And if we look at
LOGIN, then think about one real scenario: a UNI / provider uses only the
general domain like "suche.org" and stores cookies with password and account,
and under USER.suche.org there are private websites. So no one should be allowed
to read the provider cookie. Like "home.t-online.de" and "user.home.t-online.de".
So I really prefer not to allow cookie manipulation outside the exact domain. !!!

Cu
Thomas

> > > This is amazingly stupid. It means that `www.arsdigita.de' cannot set
> > > the cookie for `arsdigita.de'. To make *that* work, you'd have to
> > > maintain a database of domains that use ".co.xxx" convention, as
> > > opposed to those that use just ".xxx". That kind of thing is
> > > obviously error-prone, given how top-level domains are being added
> > > these days.
> > >
> > > A friend suggested to only allow one level of domain generality. For
> > > example, allow `sharenet.icn.siemens.de' to set the cookies for that
> > > host, and for `icn.siemens.de', but not for `siemens.de' because that
> > > would be two levels apart. The problem with that is that it would be
> > > hard to distinguish between `www.cnn.com' (obviously allowed to set
> > > the cookie for "cnn.com") and `cnn.co.uk' (which should obviously
> > > *not* be allowed to set the cookie for `co.uk') without employing a
> > > list of domains such as mentioned above.
> > >
> > > `Links' seems to be implementing the same bogus algorithm. Lynx seems
> > > to be doing something smarter, but it's unclear which (expired) spec
> > > that's based on.
> > >
> > > Any thoughts on this?
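The two heuristics argued over in this thread (the quoted Netscape period-counting rule and the "one level of generality" rule), run over the host/domain pairs the posts mention. This is an added example by the editor, not code from the thread's participants or from Wget, Links, Lynx or Mozilla; the "intended" verdict in the third column of `CASES` is my assumption of what a registrable-domain check would decide.

```python
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def host_within_domain(host: str, domain: str) -> bool:
    """The domain attribute (leading dot) must be a label-aligned tail of the host."""
    d = domain.lower().lstrip(".")
    h = host.lower()
    return h == d or h.endswith("." + d)


def netscape_rule_allows(host: str, domain: str) -> bool:
    """The quoted Netscape rule: count periods in the domain attribute (leading
    dot included); two suffice for the seven special TLDs, three otherwise."""
    if not domain.startswith(".") or not host_within_domain(host, domain):
        return False
    tld = domain.rsplit(".", 1)[-1].lower()
    needed = 2 if tld in SPECIAL_TLDS else 3
    return domain.count(".") >= needed


def one_level_rule_allows(host: str, domain: str) -> bool:
    """The 'one level of generality' heuristic: the domain may drop at most
    one leading label from the host."""
    if not host_within_domain(host, domain):
        return False
    host_labels = host.split(".")
    domain_labels = domain.lstrip(".").split(".")
    return len(host_labels) - len(domain_labels) <= 1


# Host/domain pairs taken from the thread. The third column is the verdict a
# registrable-domain (public suffix) check would give; it is the editor's
# assumption of the "right" answer, not something the posts state.
CASES = [
    ("www.arsdigita.de", ".arsdigita.de", True),
    ("www.cnn.com", ".cnn.com", True),
    ("sharenet.icn.siemens.de", ".icn.siemens.de", True),
    ("sharenet.icn.siemens.de", ".siemens.de", True),
    ("www.buy.co.uk", ".co.uk", False),
    ("cnn.co.uk", ".co.uk", False),
]


def misclassified(rule) -> list:
    """Pairs where the heuristic disagrees with the registrable-domain verdict."""
    return [(h, d) for h, d, ok in CASES if rule(h, d) != ok]


if __name__ == "__main__":
    for rule in (netscape_rule_allows, one_level_rule_allows):
        print(rule.__name__, "gets wrong:", misclassified(rule))
```

The Netscape rule rejects `.arsdigita.de` and `.siemens.de` (too few periods under a non-special TLD), while the one-level rule accepts `cnn.co.uk` -> `.co.uk`; neither heuristic alone gives the right answer without the kind of suffix list the thread mentions, which is what browsers later adopted as the Public Suffix List.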