- From: Gervase Markham <gerv@mozilla.org>
- Date: Mon, 09 Jun 2008 15:43:29 +0100
- To: Andrew Sullivan <ajs@commandprompt.com>
- CC: ietf-http-wg@w3.org, dnsop@ietf.org
Andrew Sullivan wrote: > Is there any way to turn this off in Firefox 3? Not that I know of. > RFC 3696 explains, I think, most of the reasoning that I would offer > for why I think this is a bad idea. I urge you and others who are > planning to ship this kind of feature to go (re)read that RFC. Why do you think that the negative consequences explained in that RFC would apply in this case? Please think carefully about the consequences of possible failure scenarios. > I know that you have a security problem, which is that cookies are > widely used for some purposes in such a way that they can be > subverted. That's a problem with the cookies specification, which was > always broken. This isn't just about cookies. For example, we would like to group together related sites (www.mybank.co.uk, accounts.mybank.co.uk) in history. Grouping together all sites in ".co.uk" does not provide for an optimum user experience. > If you're not going to fix the cookies specification (which is what I > think you ought to do, but I understand why people are reluctant to > take that on), then there should at least be some way to publish data > about the relationship you want to permit. One way to do this would > be to figure out a way to publish lists of domains for which a given > domain publishes cookies, and from which a given domain accepts > cookies. As I noted in an earlier message, this may solve security problems but does not solve privacy ones. > I still run into problems with email addresses in .info domains not > being accepted, because the top level domain label is "too long". Which is why the list is soft-fail - e.g in the cookie case, if a new TLD is added which is not on the list, we simply fall back on the current behaviour. Gerv
Received on Monday, 9 June 2008 14:44:31 UTC