PATCH: Cookies for fully-qualified subdomains

Waldo Bastian bastian at kde.org
Tue Dec 2 09:58:24 GMT 2003


On Tue December 02 2003 07:51, Dawit A. wrote:
> On Tuesday 02 December 2003 01:25, John Firebaugh wrote:
> > This patch fixes the following:
> >
> > dcop kcookiejar kcookiejar addCookies 'http://www.foo.com/' \
> >    'Set-Cookie: FOO=bar; domain=.www.foo.com' 100
>
> This is illegal. 'www.foo.com' is not allowed to set a cookie for any of
> its sub domains! Even subdomains are only allowed to set a cookie for their
> immediate top-level domain, i.e. 'subdomain.www.foo.com' can set a cookie for
> '.www.foo.com', but not for '.foo.com'. So as not to completely discard
> such invalid cookies, the cookiejar will accept the above cookie, but it
> will completely ignore the "domain=" parameter. This means the cookie will
> only be sent to the actual host (www.foo.com) that set it in the first
> place.

I see why subdomain.www.foo.com shouldn't be able to set a cookie for .foo.com
but I don't see why www.foo.com shouldn't be able to set a cookie for
subdomain.www.foo.com. Patch looks good as far as I'm concerned.

Cheers,
Waldo
-- 
bastian at kde.org -=|[ SUSE, The Linux Desktop Experts ]|=- bastian at suse.com
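The acceptance rule stated in the quoted reply, modelled as an added example that is not part of the original message and is not kcookiejar code. The function names, the leading-dot normalisation, the embedded-dot check and the tail-match send rule are assumptions of this sketch.

```python
# Added illustration of the rule as worded in the quoted reply.
# Not KDE code; cookie_scope() and should_send() are hypothetical names.

def cookie_scope(request_host, domain_attr=None):
    """Return (scope, host_only) for a cookie set by request_host.

    host_only=True means the cookie goes back only to the exact host that
    set it, which is the fallback the reply describes for an invalid
    "domain=" parameter.
    """
    host = request_host.lower().rstrip(".")
    if not domain_attr:
        return host, True
    domain = domain_attr.lower().rstrip(".")
    if not domain.startswith("."):
        domain = "." + domain          # assumption: treat "foo.com" as ".foo.com"
    # Not discussed in the thread: require an embedded dot so that a
    # bare suffix such as ".com" is never accepted as a scope.
    if "." in domain[1:] and host.endswith(domain):
        prefix = host[: -len(domain)]
        # Valid only when the host is exactly one label below the domain.
        if prefix and "." not in prefix:
            return domain, False
    return host, True                  # Domain ignored, cookie kept host-only


def should_send(scope, host_only, target_host):
    """Decide whether a stored cookie is returned to target_host."""
    target = target_host.lower().rstrip(".")
    if host_only:
        return target == scope
    return target.endswith(scope)      # assumption: plain tail match


if __name__ == "__main__":
    # Constructed cases, taken from the hosts named in the thread.
    for host, dom in [
        ("www.foo.com", ".www.foo.com"),
        ("subdomain.www.foo.com", ".www.foo.com"),
        ("subdomain.www.foo.com", ".foo.com"),
    ]:
        print(host, dom, "->", cookie_scope(host, dom))
```

The first case is the one the patch changes: under the rule in the quoted reply it falls back to a host-only cookie for www.foo.com.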