- From: Gervase Markham <gerv@mozilla.org>
- Date: Wed, 11 Jun 2008 13:45:28 +0100
- To: Jeroen Massar <jeroen@unfix.org>
- CC: dnsop@ietf.org, Jelte Jansen <jelte@NLnetLabs.nl>, Jamie Lokier <jamie@shareable.org>, David Conrad <drc@virtualized.org>, ietf-http-wg@w3.org
Jeroen Massar wrote: > If adserver.co.uk (as they are 'evil') sets a cookie for co.uk then > indeed that cookie gets sent to mybank.co.uk too. What harm does/can > this do? (Except that they might set a cookie identical of type to the > bank one and maybe auto-login to their bank account!?) <sigh> Say adserver.co.uk has contracts with mybank.co.uk, mygrocer.co.uk, mypetstore.co.uk to supply them with ads. adserver.co.uk can set the ad-tracking cookie for .co.uk and build up a cross-site profile of a particular user, perhaps augmented by information passed to them by one or more of the sites concerned. This is a privacy issue. Therefore, they should not be permitted to set such cookies. The only way to do that, while continuing to allow foo.com to set cookies, is for the browser to know the difference between co.uk and foo.com. Gerv
Received on Wednesday, 11 June 2008 12:46:37 UTC