Re: lynx-dev Accepting invalid cookies - was: cookie bug (not in lynx)


From: Klaus Weide
Subject: Re: lynx-dev Accepting invalid cookies - was: cookie bug (not in lynx)
Date: Tue, 29 Dec 1998 13:24:20 -0600 (CST)

On Mon, 28 Dec 1998, brian j. pardy wrote:
> On 27 Dec 1998, Klaus Weide wrote:
> > These are conceptually two different things, they should be controllable
> > by separate options.  Either an additional flag/option is needed, or
> > even a way to allow (some) invalid cookies on a per-domain basis.
> 
> Perhaps a new option similar to COOKIE_ACCEPT_DOMAINS to specify
> servers that are specifically allowed to set invalid domains?

I'm all for giving the user fine-grained control over cookies, but
there are some difficulties with this.  Part of the checks is
comparing two domain names (the one from the cookie and the actual
server hostname).  Should that hypothetical new option set a property
of (1) the domain given in the set-cookie or (2) of the hostname?  You
seem to have (2) in mind, but (1) would be more equivalent to what
COOKIE_ACCEPT_DOMAINS does.

> I can't
> think of any way to allow such things without violating the
> specification, but it's pretty obvious that some people want such
> things to be allowed.

(depends on which specification, of course.)

> There seem to be problems with the spec as it now exists.  A few posts
> on BUGTRAQ have pointed out some of the problems -- it seems like a
> browser following the spec will still be open to problems.
> 
> See:
> 
> <URL:http://www.geek-girl.com/bugtraq/1998_4/0741.html>

There have been huge problems with the Netscape spec ever since it existed.
That's why a better spec was and is needed.

And then the work on the "better spec" was basically ignored by Netscape and
nearly everyone else.  AFAIK that is still the case up to today.  It's a
sad story.

> > The behavior of ACCEPT_ALL_COOKIES is also not consistently documented:
> > The Users Guide says that "... Lynx will accept all cookies."  The
> > comment in lynx.cfg says that "... Lynx will accept cookies from all
> > domains with no user interaction."  Nothing is said about the effect on
> > checking or validity.
> 
> I'm not sure which is the best description.  I didn't intend to bypass
> the checking/validity in the first place, so either comment explains
> my original intent -- "Behave as if 'A' were pressed whenever prompted
> for a cookie".

We should first change the behavior and then document what is implemented. :)

> > [...]
> > To summarize, IMO Lynx should (1) have at least something like an
> > additional flag/option -accept_some_invalid_cookies (or
> > -relaxed_cookie_checking?  or -something_completely_different?), and
> > (2) don't accept all cookies completely unchecked _even if_ that flag
> > is set.
> 
> Agree with (2), possibly agree with (1).  I personally don't think
> a server should be allowed to violate spec by sending illegal cookies
> (I think the original problem was with my.yahoo.com), but the Big
> Browsers seem to allow this, and at least one person wanted it.

I think (1) would be ok if it defaults to off (even if that means we are now
more restrictive than 2.8.1 for ACCEPT_ALL_COOKIES).


    Klaus
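Editor's added example (my own code, not Lynx's cookie implementation and not from either poster): the Domain-attribute checks the thread is arguing about, written against the RFC 2109 section 4.3.2 rejection rules. The `relaxed` argument models the hypothetical `-relaxed_cookie_checking` flag Klaus proposes as (1): it only tolerates a server that omits the leading dot, while the other checks (embedded dot, host actually inside the domain, no extra dots in the host prefix) always run, which is his point (2) that nothing is accepted completely unchecked. All host and domain strings are constructed samples; the enum and function names are my own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Possible outcomes of checking a Set-Cookie Domain attribute. */
enum cookie_verdict {
    COOKIE_ACCEPT = 0,
    COOKIE_REJECT_NO_LEADING_DOT,   /* "Domain=example.com" (strict mode only) */
    COOKIE_REJECT_NO_EMBEDDED_DOT,  /* "Domain=.com": far too broad            */
    COOKIE_REJECT_NO_MATCH,         /* request-host is not inside Domain       */
    COOKIE_REJECT_EXTRA_DOTS        /* a.b.x.com may not set a cookie for .x.com */
};

/* Case-insensitive equality; host names are case-insensitive. */
static bool ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

static bool ends_with_ci(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return lx <= ls && ci_equal(s + (ls - lx), suffix);
}

/* Dots inside s, ignoring a leading one: ".example.com" -> 1, ".com" -> 0. */
static int embedded_dots(const char *s)
{
    int n = 0;
    if (*s == '.')
        s++;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/* RFC 2109 domain-match: host equals domain, or domain starts with a dot and
 * host ends with it.  "xy.com" does not end with ".y.com"; that is what the
 * leading dot is for. */
bool domain_match(const char *host, const char *domain)
{
    if (ci_equal(host, domain))
        return true;
    return domain[0] == '.' && ends_with_ci(host, domain);
}

/* 'relaxed' stands in for the hypothetical -relaxed_cookie_checking flag
 * (an assumption of this example).  It only forgives a missing leading dot;
 * every other rule still applies.  On acceptance the effective domain
 * (with leading dot) is copied to 'out' when 'out' is non-NULL. */
enum cookie_verdict check_cookie_domain(const char *request_host,
                                        const char *domain_attr, bool relaxed,
                                        char *out, size_t outlen)
{
    char dom[256];
    size_t lh, ld;

    if (domain_attr[0] != '.') {
        if (!relaxed)
            return COOKIE_REJECT_NO_LEADING_DOT;
        snprintf(dom, sizeof dom, ".%s", domain_attr);  /* lenient: add the dot */
    } else {
        snprintf(dom, sizeof dom, "%s", domain_attr);
    }
    if (embedded_dots(dom) < 1)                 /* ".com", ".local" */
        return COOKIE_REJECT_NO_EMBEDDED_DOT;
    if (!domain_match(request_host, dom))       /* server outside claimed domain */
        return COOKIE_REJECT_NO_MATCH;
    /* request-host = H + Domain; H itself must not contain a dot. */
    lh = strlen(request_host);
    ld = strlen(dom);
    if (lh > ld && memchr(request_host, '.', lh - ld) != NULL)
        return COOKIE_REJECT_EXTRA_DOTS;
    if (out != NULL)
        snprintf(out, outlen, "%s", dom);
    return COOKIE_ACCEPT;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real server. */
    static const struct { const char *host, *domain; bool relaxed; } s[] = {
        { "www.example.com", ".example.com",  false }, { "www.example.com", "example.com", false },
        { "www.example.com", "example.com",   true  }, { "www.example.com", ".com",        true  },
        { "www.example.com", ".attacker.net", true  }, { "a.b.example.com", ".example.com", false },
    };
    static const char *names[] = { "accept", "no leading dot", "no embedded dot",
                                   "no match", "extra dots in host prefix" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-16s Domain=%-14s relaxed=%d -> %s\n", s[i].host, s[i].domain,
               s[i].relaxed, names[check_cookie_domain(s[i].host, s[i].domain,
                                                       s[i].relaxed, NULL, 0)]);
    return 0;
}
```

A per-domain allowlist of the kind brian suggests would sit in front of the `relaxed` decision; note that it has to be keyed on one of the two names being compared, and Klaus's question of which one (the Domain attribute or the request-host) is exactly the choice this function leaves to its caller.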
