Sorry, no test case. if I goto www.foo.com which sets the following cookie: set-cookie: foo=bar; domain=foo.com That cookie will be rejected because mozilla's cookie impl enforces the 2-dot rule (correctly) for domain checking. However this seems pretty silly considering that the vast majority of web content is only 2 levels deep, and "foo.com" and ".foo.com" are ultimately the same.
Is this cookie accepted in 4.x?
no, but IE accepts it.
And I believe that IE had other problems because of this. I'm out of context on all the details now so I can't be more specific. If you read the whole discussion in bug 8743, you'll probably find what I'm referring to. Let me know if you want me to get back up to speed on this and give you a more intelligent answer.
Netscape Nav triage team: this is not a Netscape beta stopper.
I have just found a cookie for the "domain" co.uk in my Moz 1.0 cookie list. This is clearly not a good thing, and related to this bug and the referenced previous discussion. On selecting "don't allow removed cookies to be reaccepted later" of course co.uk appears on the list on the denied tab (after restarting). So a kind of patch would be to preinstall all the country-specific extensions, co.uk, org.uk .... etc etc as denied "domains".
observed on Mozilla 1.3a (build 20021126) on IRIX 6.5.17: meine.deutsche-bank.de can't set a cookie needed for login to online banking Preferences/.../Enable all cookies is set Mozilla 1.2b works well on this point.
The deutche-bank problem is covered in bug 171235. It's not a mozilla problem but rather an error on the deutche-bank website.
Cookieset to Mozilla: Set-Cookie: Login=1; domain=foo.de; path=/ set a Cookie with Domain ".foo.de" First Char is a DOT if you send Set-Cookie: Login=1; path=/ from the same Server the Domain is correct set as "foo.de" 1.2 works correct, 1.3 until 1.4 Gecko/20030529 have this error
this was fixed during the cookie rewrite in 1.4.
VERIFIED: per dwitte. I'll add a testcase. I'm behind, so I'll ask here... domain=foo.com is okay. domain=.com or domain=com is not. right?
correct - the domain must have > one embedded dot (irrelevant of leading/trailing dots). thx benc!