Dylan Griffiths wrote:
> Thomas Reinke wrote:
> > There is no easy patch to this problem. The only solution I
> > can think of, which is not an easy one, would be to have browsers
> > have intimate knowledge of what constitutes an organization's
> > "domain of influence", and limit cookies accordingly. This
> > is essentially impossible to implement.
> >
> > (Consider domain.city.state.country - where is the allowable
> > domain of influence here? Probably 4 levels deep, but how
> > to indicate this to the browser).
>
> Perhaps this would be an exercise best left up to the user, as there is
> currently no way to indicate the scope of the authority (harmless TLD,
> country, normal domain, etc) in the DNS system.

A similar problem existed in WPAD (Web Proxy Auto-Discovery) for IE 5.0:
see MS Security Bulletin MS99-054 at
http://www.microsoft.com/technet/security/bulletin/ms99-054.asp

The browser was walking up the DNS hierarchy looking for the name wpad,
in some cases making queries outside the organization's trust boundary.

Tim.

--
Tim Adam  Tim.Adamat_private  http://www.osa.com
Software Development Engineer  Phone: +61 3 9895 2199
Open Software Associates Ltd.  Box Hill VIC Australia
Proven Solution Deployment for the Global Enterprise
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:50 PDT
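
The DNS walk and the "domain of influence" limit discussed in the thread above, as an added example that is not part of the original messages: a simplified model (one leading label stripped per step, not IE 5's exact algorithm) that flags WPAD lookups and cookie Domain values falling outside an administrator-supplied boundary. All function names and host names are constructed for illustration.

```python
# Added example: simplified model of a WPAD-style walk up the DNS hierarchy.
# The walk rule, function names and host names are constructed assumptions.

def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]

def within_boundary(name, boundary):
    """True if name equals the boundary domain or is a subdomain of it.

    Compares whole labels, so 'notexample.org' is not inside 'example.org'.
    """
    n, b = labels(name), labels(boundary)
    return len(n) >= len(b) and n[len(n) - len(b):] == b

def wpad_candidates(client_fqdn):
    """Names looked up when one leading label is stripped per step (model)."""
    parts = labels(client_fqdn)[1:]  # drop the host's own label
    return ["wpad." + ".".join(parts[i:]) for i in range(len(parts))]

def audit_wpad(client_fqdn, boundary):
    """Pair each candidate lookup with whether it stays inside the boundary."""
    return [(c, within_boundary(c, boundary)) for c in wpad_candidates(client_fqdn)]

def cookie_domain_allowed(request_host, cookie_domain, boundary):
    """Accept a cookie Domain only if it covers the host and stays in the boundary."""
    domain = cookie_domain.lstrip(".")
    return within_boundary(request_host, domain) and within_boundary(domain, boundary)

if __name__ == "__main__":
    # Constructed sample: the organization controls example.city.state.us only.
    boundary = "example.city.state.us"
    for name, inside in audit_wpad("pc1.lab.example.city.state.us", boundary):
        print("inside " if inside else "OUTSIDE", name)
    for dom in (".example.city.state.us", ".city.state.us"):
        ok = cookie_domain_allowed("www.example.city.state.us", dom, boundary)
        print("cookie Domain", dom, "accepted" if ok else "rejected")
```

The boundary has to be supplied out of band, which is the gap the thread points at: nothing in DNS itself tells the client where it lies.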