[HTTPS-Everywhere] New ruleset and securecookie strangeness
https-everywhere at lists.grepular.com
Sat Dec 25 10:30:34 PST 2010
Hi,
I created a new ruleset for national-lottery.co.uk:
https://github.com/mikecardwell/https-everywhere/commit/34dfd42ed82d41a02cbc290f96326caac932739a
Please pull it.
However, I noticed one strange thing... The ruleset contains:
<securecookie host="^(.+\.)?national-lottery\.co\.uk$" name=".*"/>
I viewed the cookies after logging in and noticed that while most were
secure, a couple weren't (according to the "Web Developer" Firefox
addon). The ones which were secure all had the "Host" value set to
"www.national-lottery.co.uk", but the two which weren't had slightly
different Host values, both starting with a ".", i.e.:
.www.national-lottery.co.uk
.national-lottery.co.uk
Is something broken?
Actually, it's just occurred to me. Does the securecookie tag work for
cookies that are created using JavaScript or does it merely affect those
set via HTTP headers?
--
Mike Cardwell https://secure.grepular.com/ https://twitter.com/mickeyc
Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
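The following is an added example, not part of the original message and not code from the HTTPS Everywhere project. It takes the host pattern from the posted securecookie rule and tests it against the three cookie host strings reported above, on the assumption (labelled as such in the code) that the host attribute is applied as an anchored regular expression to the cookie host string exactly as the browser stores it, leading dot included; a leading dot conventionally marks a domain cookie, one set with a Domain= attribute. The alternative pattern ALT_HOST is a hypothetical variant introduced here for comparison, not something the ruleset or the project uses.

```javascript
// Added example: check the <securecookie host="..."> pattern from the
// posted ruleset against the cookie host strings reported in the message.
//
// Assumption: the host attribute is used as an anchored JavaScript regular
// expression matched against the cookie's host string as the browser
// stores it, including the leading "." of a domain cookie. Nothing here
// reproduces the extension's actual internals.

// Host pattern copied from the posted ruleset line:
//   <securecookie host="^(.+\.)?national-lottery\.co\.uk$" name=".*"/>
const RULESET_HOST = "^(.+\\.)?national-lottery\\.co\\.uk$";

// Hypothetical alternative (not from the ruleset): ".*" instead of ".+" in
// the optional prefix group, so an empty label before the dot is allowed.
const ALT_HOST = "^(.*\\.)?national-lottery\\.co\\.uk$";

// Cookie host values observed in the Web Developer addon, per the message
// (constructed list; the "secured" flags are what the message reports).
const OBSERVED_HOSTS = [
  { host: "www.national-lottery.co.uk", reportedSecure: true },
  { host: ".www.national-lottery.co.uk", reportedSecure: false },
  { host: ".national-lottery.co.uk", reportedSecure: false },
];

// True if the pattern, compiled as an anchored regex, accepts the host.
function hostMatches(pattern, host) {
  return new RegExp(pattern).test(host);
}

// Map each observed host to whether the pattern accepts it.
function matchTable(pattern, entries = OBSERVED_HOSTS) {
  const table = {};
  for (const { host } of entries) table[host] = hostMatches(pattern, host);
  return table;
}

// Hosts that the pattern accepts but which the message says were NOT
// secured: these cannot be explained by the host regex alone.
function unexplainedHosts(pattern, entries = OBSERVED_HOSTS) {
  return entries
    .filter(({ host, reportedSecure }) => hostMatches(pattern, host) && !reportedSecure)
    .map(({ host }) => host);
}

// Print a small comparison so the result is visible when run stand-alone.
for (const [label, pattern] of [["ruleset", RULESET_HOST], ["alt", ALT_HOST]]) {
  console.log(`${label}: ${pattern}`);
  for (const [host, ok] of Object.entries(matchTable(pattern))) {
    console.log(`  ${ok ? "match   " : "no match"}  ${host}`);
  }
  console.log(`  unexplained by regex: ${JSON.stringify(unexplainedHosts(pattern))}`);
}
```

Running this shows that the posted pattern rejects ".national-lottery.co.uk" (the optional group needs at least one character before its dot) but accepts ".www.national-lottery.co.uk", so a regex mismatch would account for only one of the two unsecured cookies; whatever left the second one insecure, including the JavaScript-versus-header question raised above, is not settled by the pattern itself.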