hc-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 35225] - CookieSpecBase.domainMatch() leaks cookies to 3rd party domains
Date Mon, 06 Jun 2005 00:37:16 GMT
http://issues.apache.org/bugzilla/show_bug.cgi?id=35225

------- Additional Comments From gojomo@archive.org  2005-06-06 02:37 -------
I don't have enough info to have a strong opinion. In favor of (what appears to
be) the Firefox approach, RFC2109 plus send ".domain.com" cookies to exact host
"domain.com", the arguments would be:

 - I trust the Mozilla/Firefox project in general to have converged on
reasonable tradeoffs over time
 - In my daily use of FF, I've never noticed a cookie problem with their policy
 - It's a smaller deviation from written specs.

In favor of (what appears to be) the IE6 approach, of the Firefox policy plus
send "domain.com" cookies to "sub.domain.com", the argument would be:

 - It's still by far the most-used browser, and if the rationale of
CookieSpecBase/compatibility mode is (as suggested by the method comment) to
match "common browsers", there's no more "common" browser than IE

I could go either way. Either would be an improvement over the current bug. Without
time for more extensive testing, perhaps try the Firefox approach and see who
complains, with examples of real sites (if any) that break without the IE
behavior?

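The two policies compared in the comment above, shown next to plain RFC 2109 domain matching, as an added example (not code from the message or from HttpClient). The class name, method names and sample hosts are hypothetical, and the Firefox and IE6 rules are implemented only as the comment describes them.

```java
import java.util.Locale;

/** Added illustration; class and method names are hypothetical, not HttpClient code. */
public class DomainMatchPolicies {

    /** RFC 2109 domain-match: names are equal, or host is N + ".B'" with N non-empty. */
    static boolean rfc2109(String host, String cookieDomain) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = cookieDomain.toLowerCase(Locale.ROOT);
        if (h.equals(d)) return true;
        return d.startsWith(".") && h.length() > d.length() && h.endsWith(d);
    }

    /** Firefox approach as described: RFC 2109 plus ".domain.com" sent to host "domain.com". */
    static boolean firefoxStyle(String host, String cookieDomain) {
        if (rfc2109(host, cookieDomain)) return true;
        return cookieDomain.startsWith(".")
            && host.equalsIgnoreCase(cookieDomain.substring(1));
    }

    /** IE6 approach as described: Firefox policy plus "domain.com" sent to "sub.domain.com". */
    static boolean ie6Style(String host, String cookieDomain) {
        if (firefoxStyle(host, cookieDomain)) return true;
        String h = host.toLowerCase(Locale.ROOT);
        String d = cookieDomain.toLowerCase(Locale.ROOT);
        // Match on a label boundary so that "baddomain.com" does not match "domain.com".
        return !d.startsWith(".") && h.endsWith("." + d);
    }

    public static void main(String[] args) {
        String[][] cases = { // {request host, cookie Domain attribute}; constructed samples
            {"sub.domain.com", ".domain.com"},
            {"domain.com", ".domain.com"},
            {"sub.domain.com", "domain.com"},
            {"baddomain.com", "domain.com"},
            {"baddomain.com", ".domain.com"},
        };
        System.out.printf("%-16s %-12s %-8s %-8s %-8s%n",
            "host", "domain", "RFC2109", "Firefox", "IE6");
        for (String[] c : cases) {
            System.out.printf("%-16s %-12s %-8b %-8b %-8b%n", c[0], c[1],
                rfc2109(c[0], c[1]), firefoxStyle(c[0], c[1]), ie6Style(c[0], c[1]));
        }
    }
}
```

The second and third rows are where the three policies differ; the two "baddomain.com" rows stay false under all of them.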

