- From: Gervase Markham <gerv@mozilla.org>
- Date: Wed, 11 Jun 2008 13:13:18 +0100
- To: Jamie Lokier <jamie@shareable.org>
- CC: Jelte Jansen <jelte@NLnetLabs.nl>, Florian Weimer <fw@deneb.enyo.de>, dnsop@ietf.org, David Conrad <drc@virtualized.org>, ietf-http-wg@w3.org

Jamie Lokier wrote:
> Oh? How is this reconciled with earlier comments that
> login.mybank.co.uk and accounts.mybank.co.uk are grouped together - or
> is the Public Suffix List only for history grouping in browsers, not
> for cookie sharing?

I'm not sure that either dnsop or ietf-http-wg are interested in a discussion about the inner workings of cookies and Firefox's use of the list. But briefly:

login.mybank.co.uk and accounts.mybank.co.uk can be grouped together because we group by "public suffix + 1" - in this case, mybank.co.uk, with the public suffix being .co.uk and so +1 being mybank.co.uk. (Without the list, all .co.uk sites would be grouped together.)

Cookies are set for a particular domain or domain suffix, and are sent to all sites with that domain suffix. So (under the current code) www.mybank.co.uk can set cookies for either www.mybank.co.uk (shared with foo.www.mybank.co.uk but not login.mybank.co.uk), mybank.co.uk (shared with login.mybank.co.uk but not adserver.co.uk) or co.uk (shared with adserver.co.uk but not with myorg.org.uk). It is this latter use we want to prevent. We can do so by stopping cookies being set for any domain which is a public suffix.

(Again, I comment that cookies are not the only way we are using this information.)

Gerv

Received on Wednesday, 11 June 2008 12:14:07 UTC
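
The grouping and cookie-scope rule described in the message above, as an added example that is not part of the original e-mail and is not Firefox's code. The suffix set is a small constructed stand-in for the Public Suffix List, and the function names `publicSuffix`, `registrableDomain` and `maySetCookie` are hypothetical.

```javascript
// Constructed stand-in for the Public Suffix List. The real list is far
// larger and has wildcard and exception rules that this sketch ignores.
const PUBLIC_SUFFIXES = new Set(["uk", "co.uk", "org.uk", "com", "org"]);

// Longest listed suffix of `host`. If nothing is listed, fall back to the
// last label, which mirrors the list's implicit default rule "*".
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// "Public suffix + 1": the key used to group sites together.
// Returns null when `host` is itself a public suffix.
function registrableDomain(host) {
  const h = host.toLowerCase();
  const suffix = publicSuffix(h);
  if (h === suffix) return null;
  const rest = h.slice(0, h.length - suffix.length - 1).split(".");
  return rest[rest.length - 1] + "." + suffix;
}

// True when `host` equals `domain` or is a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// May `host` set a cookie scoped to `cookieDomain`?
function maySetCookie(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (!domainMatches(h, d)) return false;   // not a suffix of the setting host
  if (publicSuffix(d) === d) return false;  // scope is a public suffix: refuse
  return true;
}

// The three scopes from the message, as seen from www.mybank.co.uk.
for (const scope of ["www.mybank.co.uk", "mybank.co.uk", "co.uk"]) {
  console.log(scope, "->", maySetCookie("www.mybank.co.uk", scope));
}
```
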