PATCH: BR#66090 Cross-domain cookies [Final]

Waldo Bastian bastian at
Fri Dec 12 07:59:45 GMT 2003

Hash: SHA1

On Fri December 12 2003 02:21, Dawit A. wrote:
> On Thursday 11 December 2003 18:10, Waldo Bastian wrote:
> > > The only exception is the redirection case I mentioned before. I am not
> > > sure what should be done in that case, i.e. user types
> > > and get redirected to What
> > > should happen to the cookies from the redirected location if the "only
> > > accept cookies from originating server" option is checked ?
> >
> > They should be accepted. I would argue that after the redirection, the
> > main document URL is
> That was my original thinking as well until I sat down and thought about it
> for a while. Accepting cookies in such cases would make us victim to the
> immediate redirection scheme. Say the user typed or clicked on
> "". All a site has to do to get around our checks is:
> We would then endup accepting the cookie(s) from "". 


> I guess 
> there is nothing we can do about this since there might be legitimate
> reasons for doing the above.

Yes, I think so too.

> > I have solved that by not setting any URL for cross-domain when a link is
> > clicked manually. As a result the browserrun patch was no longer needed.
> Meaning all user initiated actions, such as clicking on links and entering
> urls will not send the meta-data, right ?


> > I think it works nicely now, but please test.
> I would if you only commited it. At least I did not see the cvs commit
> messages...

Oops... the commit aborted due to an error. Now it's there.

- -- 
bastian at -=|[ KDE: K Desktop for the Enterprise ]|=- bastian at
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see


More information about the kde-core-devel mailing list