[HTTPS-E Rulesets] Cookies

Drake, Brian brian at drakefamily.tk
Thu Jan 16 19:26:15 PST 2014


HTTPS Everywhere only secures cookies if it looks like the domain is
available over HTTPS. I don’t remember seeing any code to deal specially
with dots at the start. Maybe that’s giving it trouble. I’d have to look at
the code again.

--
Brian Drake

All content created by me:
Copyright <http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html> ©
2014 Brian Drake. All rights reserved.

On Wed, Jan 15, 2014 at 1001 (UTC), Drake, Brian <brian at drakefamily.tk> wrote:

> How do cookies work? Mozilla claims to follow RFC 6265 [1], which seems to
> prohibit domains starting with a dot.
>
> Yet, when I go to icabanken.se using the proposed ICA Banken ruleset [2],
> using Firefox or Iceweasel, I get cookies that say
> “Domain: .icabanken.se”.
>
> I also have an issue with securing cookies with the <securecookie> tag.
>
> Continuing with the ICA Banken example, here is what I observe generally.
> The cookies that say “Host: www.icabanken.se” have the Secure flag set.
> The cookies that say “Domain: .icabanken.se” do not have the Secure flag
> set. I found one exception, where even a cookie limited to
> www.icabanken.se failed to be secured.
>
> I observed all this in Firefox 25.0/HTTPS Everywhere 3.4.5 and Iceweasel
> 17.0.5/HTTPS Everywhere 3.1.4.
>
> [1] https://developer.mozilla.org/en-US/docs/Web_Development/HTTP_cookies
> [2] https://lists.eff.org/pipermail/https-everywhere-rules/2014-January/001819.html
>
> --
> Brian Drake
>
> All content created by me: Copyright <http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html> © 2014 Brian Drake. All rights reserved.
>
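
The leading-dot question raised in this thread, as an added example (not code from HTTPS Everywhere or from the poster): it applies the RFC 6265 rule that a leading dot in the Domain attribute is ignored, then shows how host patterns in the style of a `<securecookie>` rule match a cookie host differently with and without that normalization. The rule patterns, cookie names and the `stripDot` flag are constructed for illustration.

```javascript
// Added illustration; not HTTPS Everywhere code. Rules and cookies are constructed.

// RFC 6265 section 5.2.3: lowercase the Domain value and ignore one leading ".".
function normalizeCookieDomain(value) {
  const v = value.trim().toLowerCase();
  return v.startsWith(".") ? v.slice(1) : v;
}

// RFC 6265 section 5.1.3 domain-match (the IP-address exclusion is omitted here).
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = normalizeCookieDomain(cookieDomain);
  return host === domain || host.endsWith("." + domain);
}

// Hypothetical rule shape modelled on <securecookie host="..." name="..."/>.
function ruleCovers(rule, cookie, stripDot) {
  const host = stripDot ? normalizeCookieDomain(cookie.host) : cookie.host;
  return rule.host.test(host) && rule.name.test(cookie.name);
}

// Return the cookies that lack Secure and that no rule would pick up.
function uncovered(rules, cookies, stripDot) {
  return cookies
    .filter(c => !c.secure && !rules.some(r => ruleCovers(r, c, stripDot)))
    .map(c => `${c.name} @ ${c.host}`);
}

// Constructed sample: cookie hosts written the way the browser displays them.
const sampleRules = [
  { host: /^www\.icabanken\.se$/, name: /.+/ },
  { host: /^icabanken\.se$/, name: /.+/ },
];
const sampleCookies = [
  { name: "session", host: "www.icabanken.se", secure: false },
  { name: "tracking", host: ".icabanken.se", secure: false },
];

console.log(domainMatches("www.icabanken.se", ".icabanken.se"));
console.log(uncovered(sampleRules, sampleCookies, false));
console.log(uncovered(sampleRules, sampleCookies, true));
```

Anchored host patterns only cover the domain cookie once the leading dot is stripped, or when the pattern itself allows for it.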