I believe that Netscape may have had to break their own spec here. Consider a valid domain such as "tdbank.ca" (a Financial Institution in Canada). They have a top level domain that is not in the list allowing 2 periods. If Netscape enforced the spec, web sites in this domain (e.g. www.tdbank.ca) would never be able to set cookies to all hosts in that domain (e.g. www.tdbank.ca, secure.tdbank.ca). I suspect Netscape will probably allow any domain with 2 dots in it (.anydomain.tld).

So, as a result, in areas where the domain hierarchy runs a bit deeper (.com.uk, .com.au) it would be possible for a site to set a cookie that then was sent to every other site in that same hierarchy.

There is no easy patch to this problem. The only solution I can think of, which is not an easy one, would be to have browsers have intimate knowledge of what constitutes an organization's "domain of influence", and limit cookies accordingly. This is essentially impossible to implement. (Consider domain.city.state.country - where is the allowable domain of influence here? Probably 4 levels deep, but how to indicate this to the browser).

I don't think that this makes data collection any easier - but it DOES make data dissemination easier. It's a no-win for the marketing folks, because they want to collect as much data as possible, and give out as little as possible except to those who pay for it. In this case, this capability simply makes it easier for a marketing company to set a cookie that gets sent to all web sites. Big deal - either they end up giving away their information for free (don't bet on it), or they put very little into the cookie that is of any value to begin with.

Unless someone can think of some sinister twist to which this capability can be put to use?

Cheers, Thomas

Iain Wade wrote:
>
> Hello,
>
> I have an evil cookie observation I'd like to share:
>
> While developing some CGI stuff, I noticed that my browser was sending a
> cookie which didn't make sense since I had control of that domain and I
> hadn't issued any cookies .. the name "CyberTargetAnonymous" didn't fill
> me with confidence either.
>
> After refreshing my knowledge of cookies at Netscape's developer site
> below I noticed something strange:
> http://developer.netscape.com:80/docs/manuals/communicator/jsguide4/cookies.htm
>
> In the section "Determining a valid domain" is this little gem:
>
> <quote>
> If the domain attribute matches the end of the fully qualified domain
> name of the host, then path matching is performed to determine if
> the cookie should be sent. For example, a domain attribute of
> royalairways.com matches hostnames anvil.royalairways.com and
> ship.crate.royalairways.com.
>
> Only hosts within the specified domain can set a cookie for a domain. In
> addition, domain names must use at least two or three periods.
> Any domain in the COM, EDU, NET, ORG, GOV, MIL, and INT categories
> requires only two periods; all other domains require at least three
> periods.
> </quote>
>
> So my questions are these:
>
> a) Why would Netscape Communicator 4.7 accept a cookie like this
> (invalid -- only two periods):
>
> .com.au TRUE / FALSE 1264987602 CyberTargetAnonymous
> NMN000CDCF833FA08963E9BDBC6CAA59301
>
> b) How can this be used by some mass marketing company to turn me into a
> number in their systems for sale to the highest bidder?
>
> Just because you're paranoid doesn't mean they're not all out to get
> you.
>
> --
> Iain Wade

--
------------------------------------------------------------
Thomas Reinke                Tel: (905) 331-2260
Director of Technology       Fax: (905) 331-2504
E-Soft Inc.                  http://www.e-softinc.com

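Added example, not part of either message and not Netscape's code: a sketch of the domain check as quoted from the spec, next to the "any two periods" rule the reply suspects the browser actually applies, run over the domains named in the thread. The function names, the leading-dot normalisation and the host `www.example.com.au` are assumptions made for the illustration.

```javascript
// Added illustration; function names are hypothetical, not Netscape's code.
const TWO_PERIOD_TLDS = new Set(["com", "edu", "net", "org", "gov", "mil", "int"]);

// Normalise to the leading-dot form seen in the cookie file (".com.au").
// Assumption: an attribute given without the leading dot is treated the same.
function normalise(domainAttr) {
  const d = domainAttr.trim().toLowerCase();
  return d.startsWith(".") ? d : "." + d;
}

function countPeriods(s) {
  return s.split(".").length - 1;
}

// Tail match: the attribute must match the end of the host's FQDN.
function tailMatches(host, domainAttr) {
  const h = "." + host.toLowerCase();
  return h.endsWith(normalise(domainAttr));
}

// Rule as quoted from the spec: two periods for the seven listed
// categories, three periods for every other top-level domain.
function specAccepts(host, domainAttr) {
  const d = normalise(domainAttr);
  const tld = d.slice(d.lastIndexOf(".") + 1);
  const needed = TWO_PERIOD_TLDS.has(tld) ? 2 : 3;
  return tailMatches(host, d) && countPeriods(d) >= needed;
}

// Rule the reply suspects is in use: any domain with two periods.
function laxAccepts(host, domainAttr) {
  const d = normalise(domainAttr);
  return tailMatches(host, d) && countPeriods(d) >= 2;
}

// Constructed cases built from the domains mentioned in the thread.
const cases = [
  ["anvil.royalairways.com", ".royalairways.com"],
  ["www.tdbank.ca", ".tdbank.ca"],
  ["www.example.com.au", ".com.au"], // placeholder host under .com.au
];

function compare() {
  return cases.map(([host, dom]) => ({
    host, dom, spec: specAccepts(host, dom), lax: laxAccepts(host, dom),
  }));
}

console.table(compare());
```
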
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:37 PDT