- From: Dave Kristol <dmk@allegra.att.com>
- Date: Fri, 14 Jun 96 10:03:10 EDT
- To: marc@ckm.ucsf.edu
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
"Marc Salomon" <marc@ckm.ucsf.edu> wrote on Thu, 13 Jun 1996 16:07:47 -0700: > |4.2.2 Set-Cookie Syntax The syntax for the Set-Cookie response header is > [...] > |cookie-av = "Domain" "=" value > [...] > > |If an attribute appears more than once in a cookie, the behavior is undefined. > > Is there any reason to include grammar that didn't preclude sharing a cookie > across multiple domains, but specify its behavior explicitly as undefined? Yes. In several places we made a point to prevent a cookie from being shared across multiple domains. For example, a client rejects a cookie if the request-host (the server just contacted) does not domain-match the Domain attribute. (Section 4.3.2. Also see section 8.2) The issue was privacy, and the intent was to avoid leaking cookies away from the intended domain. When the state management subgroup discussed domains, we couldn't think of applications where a single domain was too restrictive. Dave Kristol
Received on Friday, 14 June 1996 07:16:05 UTC
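
The client-side rejection described in the message above, as an added example that is not part of the original e-mail or of the specification text. It assumes the domain-match definition as later published in RFC 2109; refusing a cookie that repeats the Domain attribute is this sketch's own conservative policy for the case the draft leaves undefined, and the function names are hypothetical.

```python
import ipaddress


def is_ip(host):
    """True when host is a literal IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, domain):
    """Domain-match host A against Domain value B (RFC 2109 definition, assumed)."""
    a, b = host.lower(), domain.lower()
    if is_ip(a) or is_ip(b):
        return a == b  # IP addresses match only when the strings are identical
    if a == b:
        return True
    # A must have the form N + B, where B starts with a dot and N is non-empty.
    return b.startswith(".") and a.endswith(b)


def accept_domain(request_host, domain_values):
    """Decide whether a Set-Cookie's Domain attributes are acceptable.

    domain_values holds every Domain value found in one cookie (constructed
    input; parsing the header itself is out of scope here).
    """
    if len(domain_values) > 1:
        # Undefined in the draft; this sketch's policy (an assumption) is to refuse.
        return False, "repeated Domain attribute"
    if not domain_values:
        return True, "Domain defaults to request-host"
    if not domain_match(request_host, domain_values[0]):
        return False, "request-host does not domain-match Domain"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: (request-host, Domain values in the cookie)
    samples = [
        ("www.example.com", [".example.com"]),
        ("www.example.com", [".example.org"]),
        ("www.example.com", [".example.com", ".example.org"]),
        ("badexample.com", [".example.com"]),
    ]
    for host, domains in samples:
        print(host, domains, accept_domain(host, domains))
```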