- From: Yngve Nysaeter Pettersen <yngve@opera.com>
- Date: Mon, 09 Jun 2008 16:38:05 +0200
- To: "Wes Hardaker" <wjhns1@hardakers.net>, "Gervase Markham" <gerv@mozilla.org>
- Cc: dnsop@ietf.org, ietf-http-wg@w3.org
On Mon, 09 Jun 2008 16:07:10 +0200, Wes Hardaker <wjhns1@hardakers.net> wrote:

> EG, if I had "www.example.com" and I received cookies in a request from
> "example.com", "images.example.com" and "hacker.com" I could determine

Not sure if you mean that www.example.com is sending cookies for example.com, images.example.com and hacker.com, of which only the first is legal, or that www.example.com includes resources that set cookies for those destinations, which can be controlled by third-party cookie filters.

> based on the source which ones I wanted to accept. The current issue
> with cookie usage is that sites don't have the ability to not accept
> data from external sources. Fix that problem instead and you'll have a
> much better and more scalable solution. It'll require work on both the
> server side and the browser side but in the end is a better solution.

RFC 2965 requires the client to send the domain along with the cookie under some conditions. My suggested update of RFC 2965 <URL: http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-02.txt >, which changes the domain semantics, also suggests sending the domain for _all_ cookies, also those set using old versions of the specification, and the name of the host setting the cookie (if known) for cookies set using the older versions.

For cookies, the primary problem here is limiting what the client can set, so that malicious.co.uk cannot set a cookie that will be seen by mybank.co.uk, or that can be used to track users across several domains (without advertising that they do share the information).

Requesting permission from the server (or individual resources) to send cookies will require an extra turnaround, thus reducing performance.

-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
Received on Monday, 9 June 2008 14:39:17 UTC
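An added illustration, not part of the message and not code from Opera or any RFC 2965 implementation, of the client-side limit the message calls the primary problem: the client refuses to store a cookie whose Domain attribute names a public suffix (so malicious.co.uk cannot scope a cookie to .co.uk that mybank.co.uk would receive) or a domain the setting host is not itself inside, and it sends each domain cookie's scope back with the cookie in the style of RFC 2965's $Domain attribute. The public-suffix set is a constructed stand-in for a real list.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed, deliberately tiny stand-in for a real public-suffix list:
# no site may scope a cookie to one of these, so a cookie set by
# malicious.co.uk can never be handed to mybank.co.uk.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # effective domain, lower-case, no leading dot
    host_only: bool  # True when the response carried no Domain attribute


def domain_matches(host: str, domain: str) -> bool:
    """RFC 2965-style domain-match: host is domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def accept_cookie(setting_host: str, name: str, value: str,
                  domain_attr: Optional[str]) -> Optional[Cookie]:
    """Client-side decision whether a response from setting_host may set this cookie.

    Returns None when the Domain attribute must be refused: it names a public
    suffix, or a domain that setting_host is not inside (hacker.com asking
    for Domain=example.com).
    """
    if domain_attr is None:
        return Cookie(name, value, setting_host.lower(), host_only=True)
    domain = domain_attr.lower().lstrip(".")
    if domain in PUBLIC_SUFFIXES or not domain_matches(setting_host, domain):
        return None
    return Cookie(name, value, domain, host_only=False)


def cookies_for_request(jar: List[Cookie], request_host: str) -> List[Cookie]:
    """Select the stored cookies the client would send to request_host."""
    host = request_host.lower()
    return [c for c in jar
            if (host == c.domain if c.host_only else domain_matches(host, c.domain))]


def cookie_header(jar: List[Cookie], request_host: str) -> str:
    """Build the Cookie header value, sending a domain cookie's scope along with
    it ($Domain, modelled on RFC 2965) so the server can see where it came from."""
    parts = []
    for c in cookies_for_request(jar, request_host):
        parts.append(f"{c.name}={c.value}" + ("" if c.host_only else f"; $Domain={c.domain}"))
    return "; ".join(parts)
```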