Re: [DNSOP] Public Suffix List
On Mon, 09 Jun 2008 16:07:10 +0200, Wes Hardaker <wjhns1 at hardakers.net>
wrote:
> E.g., if I had "www.example.com" and I received cookies in a request from
> "example.com", "images.example.com" and "hacker.com" I could determine
Not sure if you mean that www.example.com is sending cookies for
example.com, images.example.com and hacker.com, of which only the first is
legal, or that www.example.com includes resources that set cookies for
those destinations, which can be controlled by third-party cookie filters.
> based on the source which ones I wanted to accept. The current issue
> with cookie usage is that sites don't have the ability to not accept
> data from external sources. Fix that problem instead and you'll have a
> much better and more scalable solution. It'll require work on both the
> server side and the browser side but in the end is a better solution.
RFC 2965 requires the client to send the domain along with the cookie
under some conditions. My suggested update of RFC 2965
<http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-02.txt>,
which changes the domain semantics, also suggests sending the domain for
_all_ cookies, also those set using old versions of the specification, and
the name of the host setting the cookie (if known) for cookies set using
the older versions.
For cookies, the primary problem here is limiting what the client can set,
so that malicious.co.uk cannot set a cookie that will be seen by
mybank.co.uk, or that can be used to track users across several domains
(without advertising that they do share the information).
Requesting permission from the server (or individual resources) to send
cookies will require an extra turnaround, thus reducing performance.
--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer Email: yngve at opera.com
Opera Software ASA http://www.opera.com/
Phone: +47 24 16 42 60 Fax: +47 24 16 40 01
********************************************************************
_______________________________________________
DNSOP mailing list
DNSOP at ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
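As an added illustration of the two points in the message above (it is not code from the thread, the draft, or Opera), the block below shows a browser-side check on the Domain attribute of a cookie against a public suffix list, and an RFC 2965 style Cookie header that carries $Domain so the server can see each cookie's scope. The public suffix list here is a tiny constructed sample (the real list is far larger and has wildcard and exception rules this toy matcher ignores); the function names are the example's own.

```python
# Added example, not part of the original thread. It rejects cookies scoped to
# a public suffix (so malicious.co.uk cannot set a cookie that mybank.co.uk
# would receive) and cookies whose Domain attribute does not cover the host
# that set them, then builds a Cookie header that advertises each cookie's
# domain to the server in the RFC 2965 $Domain form.

from typing import Optional

# Constructed sample of public-suffix rules (assumption: the real list is much
# larger and carries wildcard/exception rules that this matcher does not handle).
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "org"}


def _normalize(domain: str) -> str:
    """Lower-case and strip the leading/trailing dots browsers tolerate."""
    return domain.lower().strip(".")


def public_suffix(host: str) -> str:
    """Longest public suffix of host; falls back to the last label."""
    labels = _normalize(host).split(".")
    for i in range(len(labels)):          # longest candidate first
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def registrable_domain(host: str) -> Optional[str]:
    """Public suffix plus one label, or None if host is itself a public suffix."""
    host = _normalize(host)
    suffix = public_suffix(host)
    if host == suffix:
        return None
    prefix = host[: -len(suffix) - 1]      # drop "." + suffix
    return prefix.split(".")[-1] + "." + suffix


def domain_matches(host: str, domain: str) -> bool:
    """RFC 2965 style domain-match: host equals domain or ends with '.' + domain."""
    host, domain = _normalize(host), _normalize(domain)
    return host == domain or host.endswith("." + domain)


def accept_cookie_domain(setting_host: str, domain_attr: Optional[str]) -> tuple:
    """Decide whether a cookie set by setting_host with this Domain attribute
    should be stored. Returns (accepted, reason)."""
    host = _normalize(setting_host)
    if not domain_attr:
        return True, "host-only cookie for " + host
    domain = _normalize(domain_attr)
    if domain in PUBLIC_SUFFIXES:
        # A cookie for ".co.uk" would be sent to every site under co.uk.
        return False, f"domain {domain} is a public suffix"
    if not domain_matches(host, domain):
        # malicious.co.uk must not scope a cookie to mybank.co.uk.
        return False, f"{host} may not set cookies for {domain}"
    return True, f"cookie scoped to {domain}"


def cookie_header(cookies) -> str:
    """Build an RFC 2965 Cookie header from (name, value, domain) triples,
    attaching $Domain to every cookie that carries a domain so the server can
    tell which scope each cookie came from."""
    parts = ['$Version="1"']
    for name, value, domain in cookies:
        parts.append(f'{name}="{value}"')
        if domain:
            parts.append(f'$Domain="{domain}"')
    return "; ".join(parts)


if __name__ == "__main__":
    for host, attr in [("malicious.co.uk", "co.uk"),
                       ("malicious.co.uk", "mybank.co.uk"),
                       ("www.example.com", ".example.com"),
                       ("www.example.com", None)]:
        print(host, attr, "->", accept_cookie_domain(host, attr))
    print(cookie_header([("sid", "abc", ".example.com"), ("pref", "1", None)]))
```

The public-suffix check is what stops a cookie set by one registrant from being scoped to a suffix shared with others; the domain-match check is the ordinary RFC 2965 rule. Both run on the client, which is where the message places the primary problem; the $Domain field only lets a server see the scope after the fact.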