Gervase Markham wrote:
[..]
Cookies are set for a particular domain or domain suffix, and are sent
to all sites with that domain suffix. So (under the current code)
www.mybank.co.uk can set cookies for either www.mybank.co.uk (shared
with foo.www.mybank.co.uk but not login.mybank.co.uk), mybank.co.uk
(shared with login.mybank.co.uk but not adserver.co.uk) or co.uk (shared
with adserver.co.uk but not with myorg.org.uk).

With the real fix here simply being that mybank.co.uk only sets a cookie for mybank.co.uk and not for co.uk. This is thus a problem of the bank being stupid to set a cookie for co.uk.

If adserver.co.uk (as they are 'evil') sets a cookie for co.uk then indeed that cookie gets sent to mybank.co.uk too. What harm does/can this do? (Except that they might set a cookie identical in type to the bank one and maybe auto-login to their bank account!?)

Do you have an example where you actually need that Public Suffix List?

Greets,
 Jeroen
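The domain-suffix matching in the quoted paragraph, and the effect of a public-suffix check on it, as an added illustration (not code from this thread or from any browser). It uses the host names from the quoted text; the suffix set is a constructed stub standing in for the real Public Suffix List, and the function names are this example's own.

```python
"""Cookie domain matching as described in the quoted paragraph, with an optional
public-suffix check. Added illustration, not code from the thread."""

# Constructed stand-in for the Public Suffix List: only the suffixes this example needs.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "uk"}


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 style matching: a cookie scoped to cookie_domain is sent to a host
    that equals cookie_domain or ends with "." + cookie_domain."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def can_set_cookie(setting_host: str, cookie_domain: str,
                   reject_public_suffix: bool = True) -> bool:
    """Whether setting_host may scope a cookie to cookie_domain.

    With reject_public_suffix=False this is the "current code" behaviour from the
    quoted text: any host may set a cookie for any of its own suffixes, co.uk included.
    With the check on, a domain that is itself a public suffix is refused, so the
    cookie cannot be shared across unrelated registrants under that suffix."""
    if not domain_matches(setting_host, cookie_domain):
        return False
    if reject_public_suffix and cookie_domain.lower().lstrip(".") in PUBLIC_SUFFIXES:
        return False
    return True


def cookie_recipients(cookie_domain: str, hosts) -> list:
    """Which of the given hosts would receive a cookie scoped to cookie_domain."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


# Hosts from the quoted paragraph.
HOSTS = ["www.mybank.co.uk", "foo.www.mybank.co.uk", "login.mybank.co.uk",
         "adserver.co.uk", "myorg.org.uk"]

if __name__ == "__main__":
    for dom in ("www.mybank.co.uk", "mybank.co.uk", "co.uk"):
        print(f"cookie for {dom}: sent to {cookie_recipients(dom, HOSTS)}")
    print("adserver.co.uk sets a co.uk cookie without suffix check:",
          can_set_cookie("adserver.co.uk", "co.uk", reject_public_suffix=False))
    print("adserver.co.uk sets a co.uk cookie with suffix check:",
          can_set_cookie("adserver.co.uk", "co.uk"))
```

Running it reproduces the three sharing cases from the quoted text, and shows that without the suffix check a cookie scoped to co.uk by adserver.co.uk reaches every mybank.co.uk host, while the check refuses that scope at set time without affecting mybank.co.uk setting a cookie for itself.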


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
