hc-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 35225] - CookieSpecBase.domainMatch() leaks cookies to 3rd party domains
Date Mon, 06 Jun 2005 07:50:01 GMT

http://issues.apache.org/bugzilla/show_bug.cgi?id=35225





------- Additional Comments From rolweber@de.ibm.com  2005-06-06 09:50 -------
I just read across RFC 2965 (Cookie 2). Section 3.2.2, Page 5:

>   Domain=value
>      OPTIONAL.  The value of the Domain attribute specifies the domain
>      for which the cookie is valid.  If an explicitly specified value
>      does not start with a dot, the user agent supplies a leading dot.

So the IE6 behavior for old cookies has become standard for cookie2. Or
else IE6 applies the standard behavior for cookie2 also to old cookies.

Since we don't support RFC 2965 yet, we don't have to tolerate the missing
dot. On the other hand, the error seems to be so commonplace that it has
been deemed acceptable in a followup specification. So we could make
HttpClient more tolerant without sacrificing spec compliance by implementing
the IE6 behavior.

cheers,
  Roland
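
The RFC 2965 rule quoted in the message above, as an added example that is not part of the original message and is not HttpClient's code: the Domain value is given its leading dot before matching, next to a plain suffix comparison on the undotted value for contrast. The class and method names and the host names are constructed for this illustration.

```java
import java.util.Locale;

public class DomainAttributeDemo {

    // RFC 2965 section 3.2.2: if an explicitly specified Domain value
    // does not start with a dot, the user agent supplies a leading dot.
    static String normalizeDomainAttribute(String value) {
        String d = value.trim().toLowerCase(Locale.ROOT);
        return d.startsWith(".") ? d : "." + d;
    }

    // Domain-match in the RFC 2965 sense: the names are equal, or the host
    // has the form N + B where N is non-empty and B starts with a dot.
    static boolean domainMatch(String host, String dottedDomain) {
        String h = host.toLowerCase(Locale.ROOT);
        if (h.equals(dottedDomain)) {
            return true;
        }
        return dottedDomain.startsWith(".")
                && h.length() > dottedDomain.length()
                && h.endsWith(dottedDomain);
    }

    // Plain suffix comparison on the raw attribute value, included only for
    // contrast (hypothetical helper). It ignores label boundaries.
    static boolean suffixOnly(String host, String rawDomain) {
        return host.toLowerCase(Locale.ROOT)
                   .endsWith(rawDomain.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String raw = "example.com"; // constructed Domain value without the dot
        String dotted = normalizeDomainAttribute(raw);
        // Constructed host names for illustration.
        String[] hosts = { "www.example.com", "badexample.com",
                           "example.com.attacker.test" };
        for (String host : hosts) {
            System.out.printf("%-28s suffixOnly=%-5b domainMatch=%b%n",
                    host, suffixOnly(host, raw), domainMatch(host, dotted));
        }
    }
}
```

With the dot supplied, `www.example.com` matches and `badexample.com` does not, while the suffix comparison on the undotted value accepts both.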



