More on the topic of Navigator cookie security.

You may recall the discovery in December of a cookie bug affecting virtually all browsers (including Netscape), relating to the cookie domain restriction.
(http://homepages.paradise.net.nz/~glineham/cookiemonster.html)

Two points with regard to Netscape/Mozilla:

1) The bug report page on netscape.com claims that the bug is fixed from v4.51 (http://help.netscape.com/kb/client/981231-1.html). This is a lie (see for yourself).

2) Netscape/Mozilla decided against fixing this security hole, because it would break Yahoo Mail - who uses sloppy cookie code. Rather than notifying Yahoo, the fix was simply dropped.

Summary: All Netscape browsers, past, present, and future, have the bug.

You can read the (lengthy) discussion amongst Netscape engineers on this issue at http://bugzilla.mozilla.org/show_bug.cgi?id=8743 (contains both Bugzilla and Bugsplat comments).

As an aside, versions of IE released since Microsoft was notified do not exhibit this bug.

>As Netscape has not acknowledged my email or bug report from last week,

When I contacted them, they never did respond. At all. The only way I knew they got the message was when my friend stumbled over the bug report page on netscape.com, a few weeks later.

Regards,
Oliver Lineham

___________________________________________________
v i b e m e d i a
http://www.vibe.co.nz/
wellington, new zealand
oliverat_private
phone +64 4 566-0627
facsimile +64 4 570-1900
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:51:54 PDT