W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2008

Re: [DNSOP] Public Suffix List

From: Jamie Lokier <jamie@shareable.org>
Date: Wed, 11 Jun 2008 15:28:53 +0100
To: Gervase Markham <gerv@mozilla.org>
Cc: Jelte Jansen <jelte@NLnetLabs.nl>, Florian Weimer <fw@deneb.enyo.de>, dnsop@ietf.org, David Conrad <drc@virtualized.org>, ietf-http-wg@w3.org
Message-ID: <20080611142853.GA30686@shareable.org>

Gervase Markham wrote:
> > Oh?  How is this reconciled with earlier comments that
> > login.mybank.co.uk and accounts.mybank.co.uk are grouped together - or
> > is the Public Suffix List only for history grouping in browsers, not
> > for cookie sharing?
>
> under the current code ... www.mybank.co.uk can set cookies for
> ... co.uk (shared with adserver.co.uk but not with myorg.org.uk).
>
> It is this latter use we want to prevent. We can do so by stopping
> cookies being set for any domain which is a public suffix.

I'm not seeing how this is different from mybank.livejournal.com
setting cookies on livejournal.com which can be read by
adserver.livejournal.com.  livejournal.com needs to be on your Public
Suffix List to prevent that - if the content from subdomains can set
their own cookies.  Maybe not on Livejournal, but there are sites
where it's possible.

Even in mybank.co.uk, it's typical that login.mybank.co.uk and
thirdpartyinformation.mybank.co.uk will be somewhat independent.  The
latter should not be setting arbitrary cookies affecting the former,
imho - security, rather than privacy.

Regarding the "break the contract with adserver" argument, there are
plenty of ways for mybank.co.uk to pass tracking info to
adserver.co.uk by contract.  Banning cross-domain cookies in this case
just forces them to use another method.

> (Again, I comment that cookies are not the only way we are using this
> information.)

I don't think anybody minds how you use the information to present
History dialogs and such.  Just whether it breaks applications that
come to depend on the structure of the list, and whether it adds
another barrier for site publishers who serve public content in a way
which resembles NICs.

-- Jamie
Received on Wednesday, 11 June 2008 14:29:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:48 GMT