Comment 33 for bug 44062

In , Mvl (mvl) wrote :

(In reply to comment #17)
> One solution that dveditz mentioned was to devise a way to inform the server (or
> script in the page) of the domain for which a cookie is set. That way, sites
> would be able to filter out bogus domain cookies.

This would mean that all sites have to fix their scripts. That is not wrong, but
will take a long time. In the meantime, we can do our part by taking the
blacklist approach I suggested, so that we will catch most cases. It won't catch
everything (geocities.com comes to mind), but it will help.

> This could be done using a
> new header or by perhaps modifying the Cookie header to expose this information.

Set-Cookie2 seems to already allow that. No need to invent something new. From
RFC 2965:
cookie = "Cookie:" cookie-version 1*((";" | ",") cookie-value)
cookie-value = NAME "=" VALUE [";" path] [";" domain] [";" port]

So you can pass the domain part. (Hmm, I now see they re-used the Cookie:
header. That seems to make it hard to parse. Is it a version1 or version2 cookie?)
I don't know how this interacts with the DOM. document.cookie2?
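
The server-side filtering discussed in this comment, as an added example that is not part of the original comment or of any Mozilla code: it parses a Cookie header in the RFC 2965 grammar quoted above and sorts cookies by their `$Domain`. The function names, sample headers and domains are constructed; it assumes a version 1 cookie without `$Domain` is host-only, and that a header without `$Version` is an old-style cookie carrying no domain information.

```python
import re

# One "name" or "name=value" item, ended by ";" or "," (RFC 2965 allows both).
_ITEM = re.compile(
    r'\s*([^=;,\s]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^;,]*))?\s*(?:[;,]|$)')

def parse_cookie_header(value):
    """Return (version, cookies) from an RFC 2965 Cookie header value.
    $Path/$Domain/$Port attach to the cookie that precedes them."""
    version, cookies, pos = None, [], 0
    value = value.strip()
    while pos < len(value):
        m = _ITEM.match(value, pos)
        if not m:
            raise ValueError("malformed Cookie header at offset %d" % pos)
        pos = m.end()
        name, raw = m.group(1), (m.group(2) or "").strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])  # unquote quoted-string
        if name.startswith("$"):
            attr = name[1:].lower()
            if attr == "version" and not cookies:
                version = raw
            elif cookies and attr in ("path", "domain", "port"):
                cookies[-1][attr] = raw
        else:
            cookies.append({"name": name, "value": raw})
    return version, cookies

def classify_cookies(header_value, allowed_domains):
    """Sort cookies into accepted / rejected / unverifiable by their $Domain."""
    version, cookies = parse_cookie_header(header_value)
    allowed = {d.lower() for d in allowed_domains}
    result = {"accepted": [], "rejected": [], "unverifiable": []}
    for c in cookies:
        if version is None:
            bucket = "unverifiable"  # old-style cookie: no domain is ever sent
        elif "domain" not in c:
            bucket = "accepted"      # assumption: no $Domain means host-only
        else:
            bucket = "accepted" if c["domain"].lower() in allowed else "rejected"
        result[bucket].append((c["name"], c["value"]))
    return result

# Constructed sample headers (values only, without the "Cookie:" prefix).
SAMPLE_V1 = ('$Version="1"; session="good"; $Path="/"; $Domain=".example.co.uk"; '
             'session="planted"; $Path="/"; $Domain=".co.uk"; pref="dark"')
SAMPLE_LEGACY = 'session=planted; pref=dark'
```

With the old-style header every cookie lands in `unverifiable`, which is the parsing ambiguity the comment raises about the re-used Cookie: header.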