Re: Evil Cookies.
From: tma () OSA COM AU (Tim Adam)
Date: Wed, 9 Feb 2000 10:11:40 +1100

Dylan Griffiths wrote:
> Thomas Reinke wrote:
> > There is no easy patch to this problem. The only solution I
> > can think of, which is not an easy one, would be to have browsers
> > have intimate knowledge of what constitutes an organization's
> > "domain of influence", and limit cookies accordingly. This
> > is essentially impossible to implement.
> > (Consider domain.city.state.country - where is the allowable
> > domain of influence here? Probably 4 levels deep, but how
> > to indicate this to the browser).
>
> Perhaps this would be an exercise best left up to the user, as there is
> currently no way to indicate the scope of the authority (harmless TLD,
> country, normal domain, etc) in the DNS system.

A similar problem existed in WPAD (Web Proxy Auto-Discovery)
for IE 5.0: see MS Security Bulletin MS99-054 at
The browser was walking up the DNS hierarchy looking for the name wpad,
in some cases making queries outside the organization's trust boundary.
Tim Adam Tim.Adam () osa com au http://www.osa.com
Software Development Engineer Phone: +61 3 9895 2199
Open Software Associates Ltd. Box Hill VIC Australia
Proven Solution Deployment for the Global Enterprise
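
Added example, not part of the original message or of any browser's code: the "domain of influence" check discussed in this thread, applied both to a cookie's Domain attribute and to the WPAD walk up the DNS hierarchy. It assumes the client ships a table of suffixes under which unrelated parties register names; the SUFFIXES table, the function names and the host names used are constructed for illustration.

```javascript
// Constructed sample table of "public" suffixes (assumption: a real client
// would ship a maintained list rather than these six entries).
const SUFFIXES = new Set(["com", "au", "com.au", "us", "ca.us", "sf.ca.us"]);

// Registrable domain = longest matching suffix plus one more label.
// Returns null if the host is itself a suffix or matches no suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    // i counts up from 0, so the first hit is the longest matching suffix.
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Accept a cookie Domain attribute only if it covers the request host and
// does not reach above that host's registrable domain.
function cookieDomainAllowed(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  const dom = domainAttr.toLowerCase().replace(/^\./, "");
  const covers = host === dom || host.endsWith("." + dom);
  const reg = registrableDomain(host);
  if (!covers || reg === null) return false;
  return dom === reg || dom.endsWith("." + reg);
}

// Names a WPAD-style search may query when walking up from the client's
// host name: the walk stops at the registrable domain, so no query leaves
// the organization's own part of the hierarchy.
function wpadCandidates(clientHost) {
  const reg = registrableDomain(clientHost);
  if (reg === null) return [];
  const labels = clientHost.toLowerCase().split(".");
  const out = [];
  for (let i = 1; i < labels.length; i++) {
    const parent = labels.slice(i).join(".");
    if (parent !== reg && !parent.endsWith("." + reg)) break;
    out.push("wpad." + parent);
  }
  return out;
}
```
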