Closed Bug 253974 Opened 18 years ago Closed 15 years ago
implement strict domain checks per rfc2109
currently a.b.co.nz can set cookies for the .co.nz domain, while rfc2109 would only allow it to set cookies for .b.co.nz. if we enforced the strict domain stuff in rfc2109, by disallowing sites from setting cookies more than one domain level superior, it might somewhat mitigate the problem of sites being able to set cookies for entire TLD's (bug 252342). with the new cookie code, the reason for not being able to implement strict domain checks is now gone, so we could try implementing it again. see bug 8743 comment 2.
how strict is IE?
Dan, this looks like a dupe of bug 252342
Close, but it's not a dupe. I filed this separately to consider reimplementing the exact method RFC2109 describes. As I said in comment 0, this might mitigate the problem in bug 252342 but won't solve it.
if bug 385299 lands, this will be wontfix. marking dependency so i don't lose track of this.
Depends on: 385299
wontfix per landing of bug 385299.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.