On Thu, 2009-10-15 at 21:19 +0100, Dave Higton wrote:
> In message <1255628822.25071.29.ca...@duiker>
> John-Mark Bell <j...@netsurf-browser.org> wrote:
>
> > On Thu, 2009-10-15 at 17:41 +0100, Dave Symes wrote:
> >
> > > FWIW. I'm using the latest NetSurf and it works perfectly okay with LTSB,
> > > and I do have a number of .co.uk cookies.
> >
> > You should have no .co.uk cookies at all. I strongly recommend that you
> > delete them. By rights, NetSurf should never have accepted them in the
> > first place. Unfortunately, this is yet another case where following any
> > of the published specifications doesn't actually get you anywhere near
> > reality.
>
> I have no doubt that you're right, but can you please explain why
> the above is so?

All the specifications say that user agents should refuse to accept
domain cookies that do not have a '.' in their domain. The intention of
this is to avoid accepting cookies for top-level domains such as ".com".
Unfortunately, this falls over when the tld registrar issues top-level
domains of the form ".foo.bar" (e.g. ".co.uk"). The upshot of this is
that any domain cookies for ".co.uk" will be sent to any site under the
.co.uk hierarchy. Obviously, this is completely incorrect.

The solution is for the user agent to consult appropriate DNS records to
ensure that the domain referenced by a domain cookie actually exists.
NetSurf currently does not do this, which is the bug.

I hope that clarifies things somewhat.

John.
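
Added example, not part of the original message and not NetSurf code: the dot rule described above applied to ".com" and ".co.uk", followed by the same check with a domain-existence test added. All function names, host names and the stub lookup table are constructed for illustration; a real user agent would perform an actual DNS query in place of `stubLookup`.

```javascript
// Added illustration; function names and sample data are hypothetical.

// Rule as described in the mail: refuse a domain cookie whose Domain has no
// '.' inside it (the leading dot does not count).
function passesDotRule(cookieDomain) {
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return d.length > 0 && d.includes(".");
}

// Suffix match used both when a cookie is set and when it is sent back.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Dot rule only: the check the mail says is insufficient.
function acceptDotRuleOnly(setterHost, cookieDomain) {
  return passesDotRule(cookieDomain) && domainMatches(setterHost, cookieDomain);
}

// Dot rule plus the existence check the mail proposes. `domainExists` is
// injected so the example runs offline.
function acceptWithExistenceCheck(setterHost, cookieDomain, domainExists) {
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return acceptDotRuleOnly(setterHost, cookieDomain) && domainExists(d);
}

// Constructed stand-in for a DNS lookup: only these names "exist".
const CONSTRUCTED_ZONE = new Set(["example.co.uk", "www.example.co.uk", "other.co.uk"]);
const stubLookup = (name) => CONSTRUCTED_ZONE.has(name);

// Hosts that would receive a stored cookie scoped to `cookieDomain`.
function recipients(cookieDomain, hosts) {
  return hosts.filter((h) => domainMatches(h, cookieDomain));
}

// Constructed sample hosts.
const hosts = ["www.example.co.uk", "other.co.uk", "example.com"];
console.log("dot rule, .com:", acceptDotRuleOnly("www.example.com", ".com"));
console.log("dot rule, .co.uk:", acceptDotRuleOnly("www.example.co.uk", ".co.uk"));
console.log(".co.uk cookie is sent to:", recipients(".co.uk", hosts));
console.log("with existence check, .co.uk:",
  acceptWithExistenceCheck("www.example.co.uk", ".co.uk", stubLookup));
console.log("with existence check, .example.co.uk:",
  acceptWithExistenceCheck("www.example.co.uk", ".example.co.uk", stubLookup));
```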