
Re: [DNSOP] Public Suffix List

From: Gervase Markham <gerv@mozilla.org>
Date: Wed, 11 Jun 2008 13:45:28 +0100
Message-ID: <484FC8E8.4090501@mozilla.org>
To: Jeroen Massar <jeroen@unfix.org>
CC: dnsop@ietf.org, Jelte Jansen <jelte@NLnetLabs.nl>, Jamie Lokier <jamie@shareable.org>, David Conrad <drc@virtualized.org>, ietf-http-wg@w3.org

Jeroen Massar wrote:
> If adserver.co.uk (as they are 'evil') sets a cookie for co.uk then
> indeed that cookie gets sent to mybank.co.uk too. What harm does/can
> this do? (Except that they might set a cookie identical in type to the
> bank one and maybe auto-login to their bank account!?)

<sigh>

Say adserver.co.uk has contracts with mybank.co.uk, mygrocer.co.uk,
mypetstore.co.uk to supply them with ads. adserver.co.uk can set the
ad-tracking cookie for .co.uk and build up a cross-site profile of a
particular user, perhaps augmented by information passed to them by one
or more of the sites concerned. This is a privacy issue. Therefore, they
should not be permitted to set such cookies. The only way to do that,
while continuing to allow foo.com to set cookies, is for the browser to
know the difference between co.uk and foo.com.

Gerv
Received on Wednesday, 11 June 2008 12:46:37 GMT
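The mechanism Gerv is arguing for, as an added example that is not part of the thread: a small model of a browser cookie store that consults a public-suffix list before honouring a Domain attribute. The suffix list here is a constructed five-entry subset for illustration, not the real Public Suffix List; the matching and storage rules follow RFC 6265 (domain-matching, and the "reject public suffixes" step of the storage model). The function and variable names are the example's own.

```javascript
// Added example, not code from the thread. Constructed subset of a
// public-suffix list: label sequences under which arbitrary parties can
// register names, so no single site may own a cookie scoped to them.
const PUBLIC_SUFFIXES = new Set(["com", "org", "uk", "co.uk", "org.uk"]);

// Is this exact label sequence a public suffix?
function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(domain.toLowerCase().replace(/^\.+/, ""));
}

// The "difference between co.uk and foo.com": the registrable domain is
// the longest public suffix plus one more label. Returns null when the
// host is itself a public suffix (or has no known suffix).
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  if (isPublicSuffix(labels.join("."))) return null;
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (isPublicSuffix(suffix)) return labels.slice(i).join(".");
  }
  return null;
}

// RFC 6265 domain-matching: host equals the domain, or ends with "." + domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Effective cookie domain for a Set-Cookie carrying Domain=domainAttr,
// received from requestHost. Returns null when the cookie must be ignored.
// With rejectPublicSuffixes=false this is the pre-PSL behaviour Jeroen asks
// about; with it true, a site may not scope a cookie to a public suffix
// unless its own host *is* that suffix (then it becomes host-only).
function effectiveCookieDomain(requestHost, domainAttr, rejectPublicSuffixes = true) {
  const host = requestHost.toLowerCase();
  const domain = domainAttr.toLowerCase().replace(/^\.+/, "");
  if (rejectPublicSuffixes && isPublicSuffix(domain)) {
    return domain === host ? host : null;
  }
  if (!domainMatches(host, domain)) return null;
  return domain;
}

// Names of stored cookies that would be sent with a request to host.
function cookiesFor(jar, host) {
  return jar.filter(c => domainMatches(host, c.domain)).map(c => c.name);
}

// The scenario from the thread: adserver.co.uk sets an ad-tracking cookie
// for co.uk; foo.com sets an ordinary cookie for itself.
function demo(rejectPublicSuffixes) {
  const jar = [];
  const store = (host, name, domainAttr) => {
    const d = effectiveCookieDomain(host, domainAttr, rejectPublicSuffixes);
    if (d !== null) jar.push({ name, domain: d });
  };
  store("adserver.co.uk", "adtrack", "co.uk");   // the cross-site profile cookie
  store("www.foo.com", "session", "foo.com");    // legitimate: foo.com is registrable
  store("evil.example.org", "x", "foo.com");     // host does not match: ignored
  return {
    mybank: cookiesFor(jar, "mybank.co.uk"),     // what mybank.co.uk receives
    foo: cookiesFor(jar, "shop.foo.com"),        // what shop.foo.com receives
  };
}
```

Run `demo(false)` and the `adtrack` cookie rides along to mybank.co.uk; run `demo(true)` and it is dropped at storage time while `foo.com`'s cookie is unaffected, which is exactly the distinction the browser cannot draw from the DNS name alone. A real implementation also needs the list's wildcard and exception rules and an "unknown TLD is a public suffix" default, omitted here.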
