On Thu, Dec 31, 2009 at 11:18:06PM +0000, corvid wrote:
I wrote:
Jorge wrote:
On Mon, Dec 28, 2009 at 01:21:41AM +0000, corvid wrote:
Like the patch says, /* * Technically, cookies set with a domain of .example.com cannot be sent * back to the host example.com, even if example.com set them in the first * place. Do most user agents allow it? Yes. Does a large percentage of the * web require it in order to work at all? Yes. */
The downside might be the scenario of sub.example.com setting a cookie that example.com didn't expect to receive, but if everyone else does it...
AFAIS it would provide a very good way for tracking what pages a user is reading to big hosting sites. e.g. blogspot.com
I believe in that case, subdomains of blogspot.com would already be able to read/write a .blogspot.com cookie.
If you're using a unique IP, it may not add much, but if you're behind a NAT or proxy or similar, this cookie singles out you.
Considering most browsers allow these cookies, chances of finding tracking code using this technique increases! Probably only opaqued by the much bigger privacy hole javascript provides.
:)
Unless someone tells me not to within the next few days, I'll commit something along the lines of this patch.
I'd use a cookiesrc option set to NO by default instead of the #define.
Maybe allowing to set it by site (as the rest of cookiesrc) is not a bad idea too. After all, people would enable it when they need a specific site to work.
Setting it by site sounds like a good idea.
I'm thinking about the exact form of this now. cookiesrc could look something like example.com ACCEPT_SESSION SEND_DOTDOMAIN_COOKIES but that's weird and hard to understand.
Any thoughts on how to make something decent?
Maybe I'm missing the point in the previous discussion, but do we really need this configurable? Why do we need to handle the host example.com differently from e.g. foo.example.com? To me it seems reasonable what other browsers do here, even if the standard states it differently.