
List:       kde-bugs-dist
Subject:    [Bug 72811] Don't ask users to accept cookies without domain
From:       Dawit Alemayehu <adawit () kde ! org>
Date:       2004-03-05 17:27:27
Message-ID: 20040305172727.25245.qmail () ktown ! kde ! org

http://bugs.kde.org/show_bug.cgi?id=72811      




------- Additional Comments From adawit kde org  2004-03-05 18:27 -------
> a cookie is only a security (/privacy) risk if it is ever returned to the
> remote host, agree? 

Correct

> A cookie that has no domain= info and comes from something like file://
> (i.e. no http) _can_ not be returned to any remote host because we strictly
> disallow cross-site cookie exploits. Right? 

Yes and no. Yes, we do not allow cookies from file to be sent to any site, but
it has nothing to do with cross-site cookie exploits. It is simply because the
file:// URL's hostname will not match that of any other remote site...

> If it is not a security risk, kcookiejar should not ask the user to set the
> thing; it should just set it. Isn't that the problem in kcookiejar? 

You mean it should simply ignore it since the cookie is useless, no? Anyways,
the cookiejar should reject all cookies if the protocol is file:// or the
hostname is empty since hostname information is a requirement for dealing with
cookies. Already put in the check for this in kio_http_experimental branch.
Will see about backporting it...
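
Added example, not part of the original message and not the kcookiejar or kio_http_experimental code: a sketch of the check described above, rejecting a cookie at set time when the setting URL is file:// or has an empty hostname, next to the send-time host comparison that already kept such cookies from reaching a remote site. The function names, the simplified URL splitting and the exact-host rule for cookies without domain= are assumptions made for illustration.

```cpp
// Added illustration, not kcookiejar code; every name here is hypothetical.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

struct Origin { std::string scheme, host; };

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
        [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Minimal split of scheme://[user@]host[:port]/path (no IPv6 literals).
Origin parseOrigin(const std::string &url) {
    Origin o;
    const auto sep = url.find("://");
    if (sep == std::string::npos) return o;   // no scheme, so no host either
    o.scheme = lower(url.substr(0, sep));
    const auto start = sep + 3;
    const auto end = url.find_first_of("/?#", start);
    std::string auth = url.substr(start, end == std::string::npos ? end : end - start);
    const auto at = auth.rfind('@');
    if (at != std::string::npos) auth.erase(0, at + 1);
    const auto colon = auth.find(':');
    if (colon != std::string::npos) auth.erase(colon);
    o.host = lower(auth);
    return o;
}

// Set time: with a file:// origin or an empty hostname there is nothing to
// scope the cookie to, so reject it silently instead of prompting the user.
bool shouldAcceptCookie(const std::string &setterUrl) {
    const Origin o = parseOrigin(setterUrl);
    return o.scheme != "file" && !o.host.empty();
}

// Send time (assumed rule): a cookie without domain= returns to its exact host.
bool wouldSendCookie(const std::string &cookieHost, const std::string &requestUrl) {
    return !cookieHost.empty() && parseOrigin(requestUrl).host == lower(cookieHost);
}

int main() {
    // Constructed sample URLs.
    for (const char *u : {"file:///home/user/a.html", "http:///nohost", "http://www.example.org/"})
        std::cout << u << " -> " << (shouldAcceptCookie(u) ? "accept" : "reject") << "\n";
}
```

The file://localhost/ form shows why the scheme is tested as well as the hostname: it carries a non-empty host and would pass a hostname-only check.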

