Gervase Markham wrote:
> Jeroen Massar wrote:
>> If adserver.co.uk (as they are 'evil') sets a cookie for co.uk then
>> indeed that cookie gets sent to mybank.co.uk too. What harm does/can
>> this do? (Except that they might set a cookie identical of type to the
>> bank one and maybe auto-login to their bank account!?)
>
> <sigh>
>
> Say adserver.co.uk has contracts with mybank.co.uk, mygrocer.co.uk,
> mypetstore.co.uk to supply them with ads. adserver.co.uk can set the
> ad-tracking cookie for .co.uk and build up a cross-site profile of a
> particular user, perhaps augmented by information passed to them by one
> or more of the sites concerned. This is a privacy issue. Therefore, they
> should not be permitted to set such cookies. The only way to do that,
> while continuing to allow foo.com to set cookies, is for the browser to
> know the difference between co.uk and foo.com.

Thus you are going to break the contract that mybank.co.uk has with adserver.co.uk? Wow, now you are really getting into something...

That privacy issue is not a privacy issue; that is an issue with the bank in question, which is compromising the privacy of its users. Solve the problem at the bank.

Greets,
 Jeroen


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
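
Added example, not part of the thread and not code from any browser: a sketch of the browser-side check that Gervase Markham's quoted text calls for, refusing a cookie `Domain` that names a public suffix such as co.uk while still allowing foo.com. The rule list is a constructed sample in Public Suffix List syntax and the function names are hypothetical; it goes beyond the co.uk case by also handling wildcard and exception rules.

```javascript
// Constructed sample rules in Public Suffix List syntax (not the real list).
const SUFFIX_RULES = ["com", "uk", "co.uk", "*.ck", "!www.ck"];

// Return the public suffix of a host name using PSL matching:
// the longest matching rule wins, "*" matches one label, "!" marks an exception.
function publicSuffix(host, rules = SUFFIX_RULES) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  let best = 1; // implicit default rule "*": the last label alone is a suffix
  for (const raw of rules) {
    const exception = raw.startsWith("!");
    const rule = (exception ? raw.slice(1) : raw).split(".");
    if (rule.length > labels.length) continue;
    const tail = labels.slice(labels.length - rule.length);
    const hit = rule.every((r, i) => r === "*" || r === tail[i]);
    if (!hit) continue;
    // An exception rule prevails and gives up its leftmost label.
    if (exception) return labels.slice(labels.length - rule.length + 1).join(".");
    best = Math.max(best, rule.length);
  }
  return labels.slice(labels.length - best).join(".");
}

// RFC 6265 domain-match for host names: identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide whether `host` may set a cookie carrying the given Domain attribute.
function maySetCookie(host, domainAttr) {
  host = host.toLowerCase();
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (!domainMatch(host, domain)) return false; // attribute names an unrelated site
  // A public suffix is only acceptable when it is the host itself (host-only cookie).
  if (publicSuffix(domain) === domain) return host === domain;
  return true;
}

console.log(maySetCookie("adserver.co.uk", ".co.uk"));        // suffix-wide scope
console.log(maySetCookie("adserver.co.uk", "adserver.co.uk")); // own domain
console.log(maySetCookie("www.foo.com", "foo.com"));           // registrable domain
```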
