PATCH: BR#66090 Cross-domain cookies [Final]

Waldo Bastian bastian at kde.org
Fri Dec 12 07:59:45 GMT 2003


On Fri December 12 2003 02:21, Dawit A. wrote:
> On Thursday 11 December 2003 18:10, Waldo Bastian wrote:
> > > The only exception is the redirection case I mentioned before. I am not
> > > sure what should be done in that case, i.e. user types
> > > http://www.foo.com and gets redirected to http://www.bar.com. What
> > > should happen to the cookies from the redirected location if the "only
> > > accept cookies from originating server" option is checked?
> >
> > They should be accepted. I would argue that after the redirection, the
> > main document URL is http://www.bar.com
>
> That was my original thinking as well until I sat down and thought about it
> for a while. Accepting cookies in such cases would make us victim to the
> immediate redirection scheme. Say the user typed or clicked on
> "foo.host.com". All a site has to do to get around our checks is:
>
> foo.host.com->ad.bigbucks.com->internal.host.com
>
> We would then end up accepting the cookie(s) from "ad.bigbucks.com".

Yes.

> I guess 
> there is nothing we can do about this since there might be legitimate
> reasons for doing the above.

Yes, I think so too.

> > I have solved that by not setting any URL for cross-domain when a link is
> > clicked manually. As a result the browserrun patch was no longer needed.
>
> Meaning all user-initiated actions, such as clicking on links and entering
> URLs, will not send the meta-data, right?

Correct.

> > I think it works nicely now, but please test.
>
> I would if you only committed it. At least I did not see the cvs commit
> messages...

Oops... the commit aborted due to an error. Now it's there.

Cheers,
Waldo
-- 
bastian at kde.org -=|[ KDE: K Desktop for the Enterprise ]|=- bastian at suse.com
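The behaviour discussed in this message, as an added sketch that is not part of the thread and is not KDE's cookie jar code: user-initiated loads carry no cross-domain reference, so every hop of a top-level redirect chain is treated as the originating server. `Request`, `siteOf`, `acceptCookie`, `acceptedInChain` and the two-label site comparison are assumptions made for this model.

```cpp
// Added illustration: a simplified model, not KDE's kcookiejar code.
#include <iostream>
#include <string>
#include <vector>

// Hypothetical request record. crossDomainRef is the host of the main
// document that a request belongs to; it is empty for user-initiated
// loads (clicked links, typed URLs), as described in the thread.
struct Request {
    std::string host;
    std::string crossDomainRef;
};

// Simplification: treat the last two labels of a host as its "site".
std::string siteOf(const std::string &host) {
    auto last = host.rfind('.');
    if (last == std::string::npos || last == 0) return host;
    auto prev = host.rfind('.', last - 1);
    return prev == std::string::npos ? host : host.substr(prev + 1);
}

// The "only accept cookies from originating server" check.
bool acceptCookie(const Request &r) {
    if (r.crossDomainRef.empty()) return true;          // no metadata: originating server
    return siteOf(r.host) == siteOf(r.crossDomainRef);  // embedded content must match
}

// Top-level redirect chain: each hop becomes the main document URL,
// so no hop carries a cross-domain reference.
std::vector<std::string> acceptedInChain(const std::vector<std::string> &hops) {
    std::vector<std::string> accepted;
    for (const auto &h : hops)
        if (acceptCookie(Request{h, ""})) accepted.push_back(h);
    return accepted;
}

int main() {
    // Embedded request from a page on foo.host.com: rejected.
    std::cout << acceptCookie(Request{"ad.bigbucks.com", "foo.host.com"}) << "\n";
    // The same host reached through the redirect chain from the thread: accepted.
    for (const auto &h : acceptedInChain(
             {"foo.host.com", "ad.bigbucks.com", "internal.host.com"}))
        std::cout << "accepted: " << h << "\n";
}
```
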




More information about the kde-core-devel mailing list