From: bugzilla@apache.org
To: httpclient-dev@jakarta.apache.org
Subject: DO NOT REPLY [Bug 35225] - CookieSpecBase.domainMatch() leaks cookies to 3rd party domains
Date: Mon, 6 Jun 2005 09:50:01 +0200 (CEST)

http://issues.apache.org/bugzilla/show_bug.cgi?id=35225

------- Additional Comments From rolweber@de.ibm.com 2005-06-06 09:50 -------

I just read across RFC 2965 (Cookie 2). Section 3.2.2, Page 5:

> Domain=value
> OPTIONAL. The value of the Domain attribute specifies the domain
> for which the cookie is valid. If an explicitly specified value
> does not start with a dot, the user agent supplies a leading dot.

So the IE6 behavior for old cookies has become standard for cookie2.
Or else IE6 applies the standard behavior for cookie2 also to old cookies.

Since we don't support RFC 2965 yet, we don't have to tolerate the
missing dot. On the other hand, the error seems to be so commonplace
that it has been deemed acceptable in a followup specification. So we
could make HttpClient more tolerant without sacrificing spec compliance
by implementing the IE6 behavior.

cheers,
Roland
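
Added illustration, not HttpClient code and not part of the bug comment: the RFC 2965 rule quoted above, applied before a suffix comparison so that a match can only begin at a label boundary. The class and method names are hypothetical, the hosts are constructed, and the raw comparison is shown only as a contrast, not as the code behind bug 35225.

```java
import java.util.Locale;

public class DomainDotExample {

    // RFC 2965, section 3.2.2: if an explicitly specified Domain value
    // does not start with a dot, the user agent supplies a leading dot.
    static String normalizeDomain(String domainAttr) {
        String d = domainAttr.trim().toLowerCase(Locale.ROOT);
        return d.startsWith(".") ? d : "." + d;
    }

    // Suffix comparison against the dotted form, so a match can only begin
    // at a label boundary. Accepting the bare host itself is a choice made
    // for this example.
    static boolean domainMatch(String host, String domainAttr) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = normalizeDomain(domainAttr);
        return h.equals(d.substring(1)) || h.endsWith(d);
    }

    // Contrast case: suffix comparison on the value as sent, no dot supplied.
    static boolean rawSuffixMatch(String host, String domainAttr) {
        return host.toLowerCase(Locale.ROOT)
                   .endsWith(domainAttr.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String domainAttr = "example.com";  // constructed: Domain sent without the dot
        String[] hosts = {                  // constructed sample hosts
            "www.example.com", "example.com", "badexample.com", "example.com.test"
        };
        for (String host : hosts) {
            System.out.printf("%-18s normalized=%-5b raw=%b%n",
                    host, domainMatch(host, domainAttr),
                    rawSuffixMatch(host, domainAttr));
        }
    }
}
```

The two checks differ only for `badexample.com`: the raw suffix comparison accepts it, while the comparison against the dotted form rejects it.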