29 Dec 2009, 5:08 p.m.
I realized that there's an asymmetry in the dillo code with it accepting but not sending .example.com for a host example.com, when this asymmetry is not in the spec, AFAICT.

Cookies are to be rejected if the "value for the request-host does not domain-match the Domain attribute", and

"Host A's name domain-matches host B's if

* both host names are IP addresses and their host name strings match exactly; or
* both host names are FQDN strings and their host name strings match exactly; or
* A is a FQDN string and has the form NB, where N is a non-empty name string, B has the form .B', and B' is a FQDN string. (So, x.y.com domain-matches .y.com but not y.com.)"

So it seems that we "shouldn't" accept them in the first place.
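
The domain-match rule quoted above, written out as a small C function. This is an added example, not dillo's code and not part of the original message. `domain_match` and `is_ip` are hypothetical names, host names are assumed to be already lowercased, and an FQDN is taken to be any non-empty string that is not an IP literal.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if s parses as an IPv4 or IPv6 literal (assumed IP test). */
static int is_ip(const char *s)
{
   unsigned char buf[16];
   return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Returns 1 if host name a domain-matches b under the three quoted rules. */
int domain_match(const char *a, const char *b)
{
   size_t la = strlen(a), lb = strlen(b);

   if (la == 0 || lb == 0)
      return 0;
   /* Rule 1: IP addresses only ever match an identical IP address. */
   if (is_ip(a) || is_ip(b))
      return is_ip(a) && is_ip(b) && strcmp(a, b) == 0;
   /* Rule 2: two FQDN strings that match exactly. */
   if (strcmp(a, b) == 0)
      return 1;
   /* Rule 3: a = N B with N non-empty, b = "." B', B' a non-empty FQDN. */
   if (b[0] != '.' || lb < 2 || is_ip(b + 1))
      return 0;
   return la > lb && strcmp(a + la - lb, b) == 0;
}

int main(void)
{
   /* Constructed sample pairs: { request-host, Domain attribute }. */
   const char *cases[][2] = {
      {"x.y.com", ".y.com"},           {"x.y.com", "y.com"},
      {"example.com", ".example.com"}, {"example.com", "example.com"},
      {"127.0.0.1", "127.0.0.1"},      {"127.0.0.1", ".0.0.1"},
   };
   for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
      printf("%-12s vs %-13s -> %s\n", cases[i][0], cases[i][1],
             domain_match(cases[i][0], cases[i][1]) ? "match" : "no match");
   return 0;
}
```

The third pair is the case raised in the message: host example.com has no non-empty N in front of .example.com, so under the quoted rule it does not domain-match.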