[HTTPS-E Rulesets] Cookies

Drake, Brian brian at drakefamily.tk
Mon Jan 27 00:51:50 PST 2014


I tested with the ICA Banken ruleset referred to before and the eCoin Talk
ruleset [1], by changing www to * in <target>. In both cases, there are
still domains beginning with dots, but they now have the Secure flag set.

[1]
https://lists.eff.org/pipermail/https-everywhere-rules/2014-January/001838.html

--
Brian Drake

All content created by me:
Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>©
2014 Brian Drake. All rights reserved.

On Sat, Jan 18, 2014 at 1:41 PM, Drake, Brian <brian at drakefamily.tk> wrote:

> After looking at the code again, I think that is indeed the problem:
> cookies with domains of the form .example.com (with a leading dot) will
> only be secured by rulesets with target hosts of the form *.example.com (
> example.com and www.example.com are not enough). I’ll need to test this.
>
> I’m no closer to explaining why such cookies exist in the first place.
>
> --
> Brian Drake
>
> All content created by me: Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>© 2014 Brian Drake. All rights reserved.
>
> On Fri, Jan 17, 2014 at 0326 (UTC), Drake, Brian <brian at drakefamily.tk> wrote:
>
>> HTTPS Everywhere only secures cookies if it looks like the domain is
>> available over HTTPS. I don’t remember seeing any code to deal specially
>> with dots at the start. Maybe that’s giving it trouble. I’d have to look at
>> the code again.
>>
>> --
>> Brian Drake
>>
>> All content created by me: Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>© 2014 Brian Drake. All rights reserved.
>>
>> On Wed, Jan 15, 2014 at 1001 (UTC), Drake, Brian <brian at drakefamily.tk> wrote:
>>
>>> How do cookies work? Mozilla claims to follow RFC 6265 [1], which seems
>>> to prohibit domains starting with a dot.
>>>
>>> Yet, when I go to icabanken.se using the proposed ICA Banken ruleset
>>> [2], using Firefox or Iceweasel, I get cookies that say “Domain: .
>>> icabanken.se”.
>>>
>>> I also have an issue with securing cookies with the <securecookie> tag.
>>>
>>> Continuing with the ICA Banken example, here is what I observe
>>> generally. The cookies that say “Host: www.icabanken.se” have the
>>> Secure flag set. The cookies that say “Domain: .icabanken.se” do not
>>> have the Secure flag set. I found one exception, where even a cookie
>>> limited to www.icabanken.se failed to be secured.
>>>
>>> I observed all this in Firefox 25.0/HTTPS Everywhere 3.4.5 and Iceweasel
>>> 17.0.5/HTTPS Everywhere 3.1.4.
>>>
>>> [1]
>>> https://developer.mozilla.org/en-US/docs/Web_Development/HTTP_cookies
>>> [2]
>>> https://lists.eff.org/pipermail/https-everywhere-rules/2014-January/001819.html
>>>
>>> --
>>> Brian Drake
>>>
>>> All content created by me: Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>© 2014 Brian Drake. All rights reserved.
>>>
>>
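The matching behaviour discussed in this thread, as an added example rather than HTTPS Everywhere's own code: a small model of how a ruleset's <target> hosts decide whether a cookie domain "looks available over HTTPS", and hence whether <securecookie> gets to set the Secure flag. The ruleset snippets and cookies are constructed, and the rule that "*" in a target matches any run of characters (including an empty one in front of a leading-dot domain) is an assumption made for the model.

```python
import re
import xml.etree.ElementTree as ET

# Constructed minimal rulesets: the "www" target the thread started with,
# and the "*" target that was tested as the fix.
RULESET_WWW = """<ruleset name="ICA Banken (constructed example)">
  <target host="www.icabanken.se"/>
  <securecookie host=".*" name=".*"/>
  <rule from="^http:" to="https:"/>
</ruleset>"""

RULESET_WILDCARD = RULESET_WWW.replace(
    'host="www.icabanken.se"', 'host="*.icabanken.se"')

def target_hosts(ruleset_xml):
    """Return the host attribute of every <target> in a ruleset."""
    root = ET.fromstring(ruleset_xml)
    return [t.get("host") for t in root.findall("target")]

def host_pattern(target):
    """Assumed model: a target host matches literally, except that '*'
    stands for any run of characters. '*.example.com' therefore also
    matches the leading-dot cookie domain '.example.com'."""
    return re.compile("^" + re.escape(target).replace(r"\*", ".*") + "$")

def domain_looks_https(ruleset_xml, cookie_domain):
    """True when some target host of the ruleset covers this cookie domain."""
    return any(host_pattern(t).match(cookie_domain)
               for t in target_hosts(ruleset_xml))

def secure_cookies(ruleset_xml, cookies):
    """Model of securecookie processing: a cookie is given the Secure flag
    only when its domain looks HTTPS-available under the ruleset's targets."""
    out = []
    for c in cookies:
        secured = c["secure"] or domain_looks_https(ruleset_xml, c["domain"])
        out.append({**c, "secure": secured})
    return out

# Constructed cookies mirroring the two kinds reported in the thread:
# one scoped to the host, one with a leading-dot Domain attribute.
OBSERVED = [
    {"name": "session", "domain": "www.icabanken.se", "secure": False},
    {"name": "tracking", "domain": ".icabanken.se", "secure": False},
]

if __name__ == "__main__":
    for label, rs in (("www target", RULESET_WWW), ("* target", RULESET_WILDCARD)):
        for c in secure_cookies(rs, OBSERVED):
            print(f"{label}: {c['domain']:<18} Secure={c['secure']}")
```

With the www-only target the leading-dot cookie stays insecure, which is the observation that started the thread; with the wildcard target both cookies come out Secure.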