Florian Weimer wrote:
* Jamie Lokier:
(By the way, although we're talking about administrative divides in
the DNS tree, a little thought might be given to administrative
divides in URL trees. There are a fair number of sites containing
http://domain.com/user1/* and http://domain.com/user2/*,
Jelte Jansen wrote:
won't they run into the very same problem if only tld's (and their
sld's) are marked as don't-set-cookies-here? Or is livejournal.com also
supposed to get on the list of public suffixes?
No. They can set cookies for www.livejournal.com or
admin.livejournal.com (as opposed
Gervase Markham wrote:
Florian Weimer wrote:
* Jamie Lokier:
Yes. I think Ebay suffers from these issues.
Indeed. This is one of the reasons that livejournal switched from
www.livejournal.com/name to name.livejournal.com. It prevented rogue
On Wed, Jun 11, 2008 at 10:15:19AM +0100,
Gervase Markham [EMAIL PROTECTED] wrote
a message of 53 lines which said:
Why should TLDs think they have an automatic right to have Firefox
display domains they have issued which allow our users to be fooled
or defrauded?
Interesting. It reminds
Henrik Nordstrom wrote:
I seriously question this will break part. Sure, they will get
annoyed, but in nearly all possible solutions layering ontop of the
existing cookie system there will be easy ways for the owners of such
sites to make them behave well, and a transition period giving them
Paul Hoffman wrote:
For your IDN display technology, Mozilla decides which TLDs have a
responsible attitude. Mozilla enforces these rules as a powerful
incentive for TLDs to do as Mozilla wishes.
As are Microsoft's rules - which, sadly, are both different and IMO much
more likely to retard
Dean Anderson wrote:
That's unfortunate; but I must say this upset was not communicated to me.
Probably that's because you are using SORBS to filter your email. SORBS
has an unusually high number of false positives, and for example,
falsely claims that 130.105/16 and 198.3.136/21 are
Florian Weimer wrote:
Have a look at this file:
/usr/share/apps/khtml/domain_info
Indeed. It looks like they do the same thing as us, but in a far more
approximate and erroneous fashion.
Persuading them to use the public suffix list would be an improvement.
Gerv
On Tue, Jun 10, 2008 at 11:31:00PM +0200,
Stephane Bortzmeyer [EMAIL PROTECTED] wrote
a message of 16 lines which said:
I assume it is a list of TLD which register at the third level. If so,
it is questionable (.af, .dz, .fr register at the second and the
third level and I do not know how
On ons, 2008-06-11 at 10:10 +0100, Gervase Markham wrote:
Other list participants were warning about the possibility of people
abandoning Firefox in droves if there were cookie-related problems
caused by its use of public suffix list.
If you do this wrongly yes.
You, on the other hand, are
On Tue, Jun 10, 2008 at 09:22:27PM +0200,
Florian Weimer [EMAIL PROTECTED] wrote
a message of 10 lines which said:
In other words, Internet Explorer has got its own list (and the
operating system, too, for use in DNS devolution).
According to this blog post, IE does it the other direction
Wes Hardaker wrote:
* We, mozilla, obviously can't do this ourselves
On the contrary. We have done it for ourselves.
so you must do it for
us or else negative things will happen (and you'll be at fault, not
us, mozilla). Please continue to do this work for us till the end of
time.
Jeroen Massar wrote:
If adserver.co.uk (as they are 'evil') sets a cookie for co.uk then
indeed that cookie gets sent to mybank.co.uk too. What harm does/can
this do? (Except that they might set a cookie identical of type to the
bank one and maybe auto-login to their bank account!?)
sigh
Say
Gervase Markham wrote:
Jeroen Massar wrote:
If adserver.co.uk (as they are 'evil') sets a cookie for co.uk then
indeed that cookie gets sent to mybank.co.uk too. What harm does/can
this do? (Except that they might set a cookie identical of type to the
bank one and maybe auto-login to their bank
While this thread isn't necessarily off-topic for ietf-http-wg list,
it's more relevant IMO to dnsop, and cross-posted high-volume
discussions tend to be distracting.
So, please try to move discussion onto the dnsop list (I've set Reply-To accordingly).
Thanks,
--
Mark Nottingham
At 23:10 +1000 6/11/08, Mark Nottingham wrote:
While this thread isn't necessarily off-topic for ietf-http-wg list,
it's more relevant IMO to dnsop, and cross-posted high-volume
discussions tend to be distracting.
So, please try to move discussion onto the dnsop list (I've set Reply-To
Gervase Markham wrote:
Oh? How is this reconciled with earlier comments that
login.mybank.co.uk and accounts.mybank.co.uk are grouped together - or
is the Public Suffix List only for history grouping in browsers, not
for cookie sharing?
under the current code ... www.mybank.co.uk can
Edward Lewis wrote:
Is the issue that a cookie needs to state for what domains it is
valid?
No.
Are you trying to relate domain names to a registrant?
No.
I must confess it is somewhat frustrating when, having put up a website
explaining what this is all about, and having had a long
http://publicsuffix/learn/ has more info (and I've just checked in
another update, which should be visible in the next day or so. There's a
human in the update loop).
Gerv
that URL does not resolve in the way you might
[EMAIL PROTECTED] wrote:
that URL does not resolve in the way you might
expect.
Sorry :-) Cut and pasted from my browser without checking. That's my
local testing copy, of course.
http://www.publicsuffix.org/learn/
Gerv
On Jun 11, 2008, at 6:26 AM, Gervase Markham wrote:
It's not true that we won't work on any other solution. This is what
we
have now, and there have been no alternative proposals which (to my
mind) look like producing anything workable in the short term.
Putting the list in the DNS instead
On Jun 11, 2008, at 11:06 AM, Joe Baptista wrote:
Listening would you mind explaining something here. Do we work for
you? I'm pretty sure you're being paid to promote your public suffix
idea but we are not. There are many here who are too busy to spend
time reading your stuff, let alone
Joe Baptista wrote:
Listening would you mind explaining something here. Do we work for
you? I'm pretty sure you're being paid to promote your public suffix idea
but we are not. There are many here who are too busy to spend time
reading your stuff, let alone go back to the web site for
Gervase Markham wrote:
The difference is that the public suffix list is an (attempt at an)
expression of fact, not policy.
I think is where you are encountering resistance, even though you may
not realize it.
What you are doing is *publishing* something, which alleges to be a
factual list.
On Wed, Jun 11, 2008 at 12:26 PM, Gervase Markham [EMAIL PROTECTED] wrote:
Incidentally - have you answered my question yet - or put it on the web
site? What happens to your web browser's behavior if I try to surf a TLD
not on the list?
I've answered it once to you privately and once to
Gervase,
On Jun 11, 2008, at 4:26 AM, Gervase Markham wrote:
It's not true that we won't work on any other solution. This is what
we
have now, and there have been no alternative proposals which (to my
mind) look like producing anything workable in the short term.
I guess it depends on what
* Gervase Markham:
Say adserver.co.uk has contracts with mybank.co.uk, mygrocer.co.uk,
mypetstore.co.uk to supply them with ads. adserver.co.uk can set the
ad-tracking cookie for .co.uk and build up a cross-site profile of a
particular user, perhaps augmented by information passed to them by
On Jun 11, 2008, at 3:16 PM, Florian Weimer wrote:
I guess the real issue is that by setting a cookie for co.uk, it's
possible to exploit session fixation vulnerabilities in web sites
under
co.uk. Unfortunately, the Public Suffix List web site is a bit
unclear
in this regard. It does
* Ted Lemon:
It's kind of assumed that you would be aware of these issues, I guess.
But hardly anybody seems to be.
Lots of web sites use cookies to associate a session with a
particular user. With cross-site cookie theft, a malicious web site
can gain access to your session cookie even
On Jun 11, 2008, at 3:30 PM, Florian Weimer wrote:
Failure to do this
does not grant read access to arbitrary cookies in itself. But as I
wrote, it might expose session fixation problems.
Right, the point is that the mozilla guys can't force web site
implementors to do the right thing, but
Hi Gervase,
At 02:15 11-06-2008, Gervase Markham wrote:
They don't have to. Why should TLDs think they have an automatic right
to have Firefox display domains they have issued which allow our users
to be fooled or defrauded?
Does that mean that the new Firefox will never display domains that
On Wed, 11 Jun 2008, Gervase Markham wrote:
Dean Anderson wrote:
That's unfortunate; but I must say this upset was not communicated to me.
Probably that's because you are using SORBS to filter your email. SORBS
has an unusually high number of false positives, and for example,
falsely