There is a complication that is neither addressed in the RFC nor in
Jeff's document:
- it's possible that the parent of a public suffix is not a public suffix itself.
For example: compute.amazonAws.com is a public suffix; but its parent, amazonAws.com, is not a public suffix.
Obviously, we cannot allow `foo.compute.amazonAws.com` to set cookie.domain=amazonAws.com, even though `amazonAws.com` is not a public suffix.
To be fair, this situation should not have existed; it's bad enough
that companies spam the public suffix list with no discipline and
consideration; it's unconscionable that they introduce unnecessary
complications like this. /rant
Anyways, how do we handle this situation? The simplest solution is to
declare that all parents of a public suffix are public suffixes too.
However, this might break existing deployments where a parent is a "normal" website.
If we accept the reality that a parent of a public suffix may not be a
public suffix, the cookie domain algorithm needs to be a little more
sophisticated. We want to achieve the following effect:
1. foo.compute.amazonAws.com cannot set a cookie for compute.amazonAws.com or higher domains.
2. w1.amazonAws.com can set a cookie for amazonAws.com, which affects w2.amazonAws.com; however, the cookie must not affect compute.amazonAws.com and its subdomains.
Zhong Yu
bayou.io
_______________________________________________
http-state mailing list
http-...@ietf.org
https://www.ietf.org/mailman/listinfo/http-state
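The two effects described in the message, as an added example that is not the author's code and not RFC 6265 text: every public suffix is treated as a wall, so a domain cookie can neither be set across one nor be sent across one. `PUBLIC_SUFFIXES` is a constructed sample standing in for the real public suffix list, and the function names are this example's own.

```python
# Added example, not from the original message: a cookie-jar domain rule that
# treats every public suffix as a wall, so a domain cookie can neither be set
# across a public suffix nor be sent across one. The suffix set is a
# constructed sample standing in for the real public suffix list.
PUBLIC_SUFFIXES = {"com", "compute.amazonaws.com"}


def _canon(name):
    return name.lower().strip(".")


def _names_between(domain, host):
    """Names S with domain < S <= host (strict subdomains of domain that are
    suffixes of host), host first; empty if host is not below domain."""
    d, h = _canon(domain).split("."), _canon(host).split(".")
    if len(h) <= len(d) or h[-len(d):] != d:
        return []
    return [".".join(h[i:]) for i in range(len(h) - len(d))]


def domain_matches(host, domain, suffixes=PUBLIC_SUFFIXES):
    """True if host is domain or below it and no public suffix lies on the
    path from domain (exclusive) up to host (inclusive)."""
    if _canon(host) == _canon(domain):
        return True
    between = _names_between(domain, host)
    return bool(between) and not any(s in suffixes for s in between)


def store_cookie(request_host, domain_attr, suffixes=PUBLIC_SUFFIXES):
    """Return the cookie record to store, or None to reject it. Follows the
    RFC 6265 handling of a Domain attribute, plus the wall check above."""
    host = _canon(request_host)
    if not domain_attr:
        return {"domain": host, "host_only": True}
    domain = _canon(domain_attr)
    if domain in suffixes:
        # RFC 6265: a public-suffix Domain equal to the host degrades to a
        # host-only cookie; anything else is ignored.
        return {"domain": host, "host_only": True} if domain == host else None
    if not domain_matches(host, domain, suffixes):
        return None
    return {"domain": domain, "host_only": False}


def cookie_applies(cookie, request_host, suffixes=PUBLIC_SUFFIXES):
    """Whether a stored cookie is sent to request_host."""
    if cookie["host_only"]:
        return _canon(request_host) == cookie["domain"]
    return domain_matches(request_host, cookie["domain"], suffixes)
```

Because the same wall-aware match is used on both the setting and the sending side, a cookie for amazonAws.com set by w1.amazonAws.com reaches w2.amazonAws.com but never compute.amazonAws.com or anything below it.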