- From: Florian Weimer <fw@deneb.enyo.de>
- Date: Tue, 10 Jun 2008 21:05:56 +0200
- To: Gervase Markham <gerv@mozilla.org>
- Cc: Wes Hardaker <wjhns1@hardakers.net>, dnsop@ietf.org, ietf-http-wg@w3.org
* Gervase Markham: > If www.flirble.co.zz and www.widget.co.zz wished to conspire to track > users across the two sites, they would simply both say that they are > happy to accept co.zz cookies. Right now, they're sharing that bit of information through one of Google's web bug services. Cross-domain cookies would at least provide some level of transparency. So this argument is a bit questionable. > I am not particularly interested in a long discussion about whether we > need this data. Please be assured that we need it. I am, on the other > hand, open to suggestions about better ways to obtain it. You need some sort of out-of-band service. The information you are looking for is not encoded in DNS. Whether it's necessary to provide automatic, non-code updates of the out-of-band data is a difficult question. However, this looks somewhat like the IP bogon prefixes list, where hard-coding that ever-changing part into router configurations turned out to be a big mistake. For the DNS folks: The web security model requires that www.example.$TLD and login.example.$TLD (where $TLD may contain multiple labels) can share cookies (and probably HTTP requests, but I don't do that AJAX stuff). This must work by default, without explicit marking by the web site operator, or tons of deployed applications will break. At the same time, it should not be possible to set cross-domain cookies (that is, a cookie for login.example.$TLD by serving a HTTP request for login.otherexample.$TLD). Well-written web applications should be immune to that, but lots of them apparently aren't. This is the status quo. Javascript is constantly enhanced with database and stuff like that. As a result, you aren't just protecting mere cookies, but much more. Obviously, this approach is not sound. But even with those later changes, some means to divine administrative boundaries from DNS names are required for plain cookie management.
Received on Tuesday, 10 June 2008 19:06:41 UTC