PATCH: BR#66090 Cross-domain cookies [Final]

Dawit A. adawit at kde.org
Fri Dec 12 01:21:23 GMT 2003


On Thursday 11 December 2003 18:10, Waldo Bastian wrote:

> > The only exception is the redirection case I mentioned before. I am not
> > sure what should be done in that case, i.e. user types http://www.foo.com
> > and gets redirected to http://www.bar.com. What should happen to the
> > cookies from the redirected location if the "only accept cookies from
> > originating server" option is checked?
>
> They should be accepted. I would argue that after the redirection, the main
> document URL is http://www.bar.com

That was my original thinking as well until I sat down and thought about it 
for a while. Accepting cookies in such cases would make us victim to the 
immediate redirection scheme. Say the user typed or clicked on 
"foo.host.com". All a site has to do to get around our checks is:

foo.host.com->ad.bigbucks.com->internal.host.com

We would then end up accepting the cookie(s) from "ad.bigbucks.com". I guess
there is nothing we can do about this since there might be legitimate reasons
for doing the above.

> I have solved that by not setting any URL for cross-domain when a link is
> clicked manually. As a result the browserrun patch was no longer needed.

Meaning all user initiated actions, such as clicking on links and entering
URLs, will not send the meta-data, right?

> I think it works nicely now, but please test.

I would if you only committed it. At least I did not see the cvs commit
messages...
-- 
Regards,
Dawit A.
"Preach what you practice, practice what you preach"
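An added illustration of the redirection concern discussed above; it is not part of the patch or of either message. It evaluates the same chain with the "originating server" fixed to the host the user requested versus updated to each hop's host. The host names, cookie names and the two-label site match are constructed assumptions, not anything the patch does.

```python
from urllib.parse import urlsplit

# Constructed example: models the "only accept cookies from originating server"
# option across a chain of top-level redirects.

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def same_site(a, b):
    """Naive site match (assumption): identical host or same last two labels.
    A real implementation needs a public-suffix list (e.g. for co.uk)."""
    return a == b or a.split(".")[-2:] == b.split(".")[-2:]

def filter_cookies(requested_url, chain, policy):
    """chain: [(url, [cookie names set by that response]), ...] in redirect order.
    policy 'requested': the originating host is what the user typed or clicked.
    policy 'current':   each hop becomes the main document, so its own cookies
                        are first-party (the behaviour Dawit warns about).
    Returns {'host/cookie': accepted?}."""
    result = {}
    for url, cookies in chain:
        reference = host_of(requested_url) if policy == "requested" else host_of(url)
        for name in cookies:
            result[f"{host_of(url)}/{name}"] = same_site(host_of(url), reference)
    return result

# The chain from the message: foo.host.com -> ad.bigbucks.com -> internal.host.com
CHAIN = [
    ("http://foo.host.com/",      ["session"]),   # constructed cookie names
    ("http://ad.bigbucks.com/r",  ["tracker"]),
    ("http://internal.host.com/", ["pref"]),
]

if __name__ == "__main__":
    for policy in ("requested", "current"):
        print(policy, filter_cookies("http://foo.host.com/", CHAIN, policy))
```

Under the 'requested' policy the intermediate ad host's cookie is dropped while both host.com cookies survive; under the 'current' policy every hop is its own originating server, so the tracker cookie is accepted.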