- From: Florian Weimer <fw@deneb.enyo.de>
- Date: Wed, 11 Jun 2008 22:16:03 +0200
- To: Gervase Markham <gerv@mozilla.org>
- Cc: Jeroen Massar <jeroen@unfix.org>, dnsop@ietf.org, Jamie Lokier <jamie@shareable.org>, David Conrad <drc@virtualized.org>, ietf-http-wg@w3.org, Jelte Jansen <jelte@NLnetLabs.nl>
* Gervase Markham:

> Say adserver.co.uk has contracts with mybank.co.uk, mygrocer.co.uk,
> mypetstore.co.uk to supply them with ads. adserver.co.uk can set the
> ad-tracking cookie for .co.uk and build up a cross-site profile of a
> particular user, perhaps augmented by information passed to them by one
> or more of the sites concerned. This is a privacy issue.

I'd love to see an official statement from the Mozilla Foundation that cross-domain ad correlation is evil, and should be stopped by technology. Certainly this is not what you're trying to say here.

I guess the real issue is that by setting a cookie for co.uk, it's possible to exploit session fixation vulnerabilities in web sites under co.uk.

Unfortunately, the Public Suffix List web site is a bit unclear in this regard. It does not list a single protocol spec which requires this sort of data.

Received on Wednesday, 11 June 2008 20:17:14 UTC
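
Added example, not part of the original message or of any browser's code: a sketch of the user-agent check the thread is about, showing how a `Domain=.co.uk` cookie set by one site reaches every other site under the suffix unless the Domain attribute is compared against a public-suffix set. The suffix set is a constructed three-entry stand-in, the function names are hypothetical, and the matching rule follows the domain-match definition later written down in RFC 6265.

```javascript
// Constructed stand-in for the Public Suffix List (the real list is far larger).
const PUBLIC_SUFFIXES = new Set(["uk", "co.uk", "com"]);

// Domain-match in the style of RFC 6265 section 5.1.3: equal, or a
// dot-separated suffix of a host name (never of an IP address literal).
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  if (h === d) return true;
  const isIp = /^[\d.]+$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Decide whether a user agent stores a cookie set by requestHost with the
// given Domain attribute. Returns the stored scope, or null if rejected.
function acceptCookie(requestHost, domainAttr, checkPublicSuffix) {
  const host = requestHost.toLowerCase();
  const domain = (domainAttr || "").replace(/^\./, "").toLowerCase();
  if (domain === "") return { domain: host, hostOnly: true };
  if (checkPublicSuffix && PUBLIC_SUFFIXES.has(domain)) {
    // A site that *is* the suffix may keep a host-only cookie; anyone else is refused.
    return host === domain ? { domain: host, hostOnly: true } : null;
  }
  if (!domainMatches(host, domain)) return null;
  return { domain, hostOnly: false };
}

// Would the stored cookie be attached to a request for targetHost?
function cookieSentTo(cookie, targetHost) {
  if (cookie === null) return false;
  const t = targetHost.toLowerCase();
  return cookie.hostOnly ? t === cookie.domain : domainMatches(t, cookie.domain);
}

// Hosts are the ones named in the quoted message.
function demo() {
  const naive = acceptCookie("adserver.co.uk", ".co.uk", false);
  const checked = acceptCookie("adserver.co.uk", ".co.uk", true);
  const own = acceptCookie("adserver.co.uk", "adserver.co.uk", true);
  return {
    naiveReachesBank: cookieSentTo(naive, "mybank.co.uk"),     // suffix-wide scope
    checkedReachesBank: cookieSentTo(checked, "mybank.co.uk"), // cookie was refused
    ownReachesBank: cookieSentTo(own, "mybank.co.uk"),         // scoped to adserver only
    ownReachesSelf: cookieSentTo(own, "www.adserver.co.uk"),
  };
}

console.log(demo());
```

A server-side defence against the fixation case does not depend on this check: issuing a fresh session identifier at login means a pre-set cookie value is never promoted to an authenticated session.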