Jeroen Massar wrote: > If adserver.co.uk (as they are 'evil') sets a cookie for co.uk then > indeed that cookie gets sent to mybank.co.uk too. What harm does/can > this do? (Except that they might set a cookie identical of type to the > bank one and maybe auto-login to their bank account!?)
<sigh> Say adserver.co.uk has contracts with mybank.co.uk, mygrocer.co.uk, mypetstore.co.uk to supply them with ads. adserver.co.uk can set the ad-tracking cookie for .co.uk and build up a cross-site profile of a particular user, perhaps augmented by information passed to them by one or more of the sites concerned. This is a privacy issue. Therefore, they should not be permitted to set such cookies. The only way to do that, while continuing to allow foo.com to set cookies, is for the browser to know the difference between co.uk and foo.com. Gerv _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
