[Dillo-dev] patch: .domain cookies from/to domain
Jorge Arellano Cid
jcid at dillo.org
Tue Dec 29 13:33:18 CET 2009
On Mon, Dec 28, 2009 at 01:21:41AM +0000, corvid wrote:
> Like the patch says,
> /*
> * Technically, cookies set with a domain of .example.com cannot be sent
> * back to the host example.com, even if example.com set them in the first
> * place. Do most user agents allow it? Yes. Does a large percentage of the
> * web require it in order to work at all? Yes.
> */
>
> The downside might be the scenario of sub.example.com setting a cookie
> that example.com didn't expect to receive, but if everyone else does it...
AFAIS it would provide a very good way for tracking what pages
a user is reading to big hosting sites. e.g. blogspot.com
If you're using a unique IP, it may not add much, but if you're
behind a NAT or proxy or similar, this cookie singles out you.
Considering most browsers allow these cookies, chances of
finding tracking code using this technique increases! Probably
only opaqued by the much bigger privacy hole javascript provides.
:)
> Unless someone tells me not to within the next few days, I'll commit
> something along the lines of this patch.
I'd use a cookiesrc option set to NO by default instead of the
#define.
Maybe allowing to set it by site (as the rest of cookiesrc) is
not a bad idea too. After all, people would enable it when they
need a specific site to work.
--
Cheers
Jorge.-
More information about the Dillo-dev
mailing list