On Jun 11, 2008, at 3:30 PM, Florian Weimer wrote:
> Failure to do this
> does not grant read access to arbitrary cookies in itself. But as I
> wrote, it might expose session fixation problems.

Right, the point is that the Mozilla guys can't force web site implementors to do the right thing, but they still get dinged for a security flaw if the web site implementors do the wrong thing. The only knob they can turn is this one. So it makes a great deal of sense for them to try to turn it.

Also, you discounted the privacy issue in your previous message, but the point is that in some countries privacy is actually a legal requirement, one which the Mozilla folks, I think rightly, feel some obligation to honor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop