
Re: lynx-dev lynx-2.8.2 and Cookies


From: Klaus Weide
Subject: Re: lynx-dev lynx-2.8.2 and Cookies
Date: Fri, 18 Jun 1999 03:13:00 -0500 (CDT)

On Thu, 17 Jun 1999, David Woolley wrote:

> store_cookie: Rejecting domain '.yahoo.com' for host 'edit.my.yahoo.com'.
> 
> It is rejecting a cookie because the server is trying to set a cookie on
> the whole of yahoo.com from a domain two levels down from there.  That's
> equivalent to www.xyz.co.uk setting a cookie on the whole of .co.uk
> and clearly a denial of service threat if not a worse security threat,
> so I can quite believe that it is in breach of the security rules for
> cookies, although I'm not sure of the exact rules in this area - they do
> exist though.
> 
> I believe Netscape deliberately ignores these rules, because it suits
> the operators of commercial sites to do so; remember that persistent
> cookies like this are not primarily for your benefit.

They made their own rules in their original "Preliminary Specification"
for trying to limit the reach of cookies (remember, cookies were invented
at Netscape).  Those rules have the difference between "COM", "EDU",
"NET", "ORG", "GOV", "MIL", and "INT" on the one hand, and the rest of the
world on the other, hardwired.  (Bad idea since the DNS namespace may
change.  Bad idea since some country top-level-domains are organized
in a similar way as "COM" etc.  Bad idea because there is no such
protection at lower levels in the name hierarchy.)

Netscape never published anything but that "preliminary" spec ("Use with
caution").  Development of a better spec within the IETF process has been
ongoing for years, but the process has been basically ignored by
commercial browser makers as far as products are concerned.

Then it turned out that even the insufficient, unsatisfactory rules of
the "Preliminary Specification" were actually ignored by most of the
world (including Netscape!):

   Linkname: Cookiemonster - Cookie Bug Affecting Non-Generic Domains
        URL: http://homepages.paradise.net.nz/~glineham/cookiemonster.html

Lynx doesn't implement the Netscape "Preliminary Specification".  (As
noted above, not even Netscape did, at least up to very recently.)
Lynx implements (most of) the State Management Mechanism Internet-Drafts,
with heuristic hacks to accommodate most of what's out there (but not if
that would fundamentally disagree with rules meant for protection, at
least by default).

Compared to the mess made by other browsers, I think Lynx users should
appreciate that.

"domain '.yahoo.com' for host 'edit.my.yahoo.com'" is valid according
to the Netscape "Preliminary Specification".  It is invalid according
to the spec that Lynx does implement.  Don't expect that to change.
One can still make Lynx accept that cookie, but it doesn't happen
automatically.  If the Yahoo folks want their cookies to work
automatically with browsers that follow non-flawed (or less-flawed)
specifications, they can damn well change their setup.

> I believe there is an unsafe cookies option in Lynx, but before using it
> I would strongly suggest reading http://www.junkbusters.com, then asking
> yourself whether you want to talk to any site that sets cookies which
> can track you to the year 2010.

Very good advice.

   Klaus
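Added example, not Lynx's code and not from anyone in this thread: a Python sketch of the two rule sets being contrasted, Netscape's two-or-three-period rule from the "Preliminary Specification" and the Domain rejection rules of RFC 2109 (the published form of the State Management Mechanism work Klaus refers to), run over the log line David quoted. The regex, function names and the sample line are my own assumptions.

```python
import re

# Added example, not Lynx's code: the two cookie Domain acceptance rules the
# thread contrasts, applied to the exact case from David's log line.

GENERIC_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}

# Matches the Lynx message quoted in the thread (constructed sample line below).
LOG_RE = re.compile(r"Rejecting domain '([^']+)' for host '([^']+)'")


def netscape_accepts(host: str, domain: str) -> bool:
    """Netscape 'Preliminary Specification': host must fall within Domain, and
    Domain needs at least two dots if its TLD is one of the seven hard-wired
    generic TLDs, three dots otherwise."""
    host, domain = host.lower(), domain.lower()
    if not domain.startswith("."):
        domain = "." + domain
    if not host.endswith(domain):
        return False
    required = 2 if domain.rsplit(".", 1)[-1] in GENERIC_TLDS else 3
    return domain.count(".") >= required


def rfc2109_accepts(host: str, domain: str) -> bool:
    """RFC 2109 section 4.3.2: reject if Domain has no embedded dot, if host
    does not domain-match it, or if host has the form HD where H (the part
    left after removing Domain) still contains a dot."""
    host, domain = host.lower(), domain.lower()
    if domain != ".local" and "." not in domain.strip("."):
        return False                      # e.g. ".com" or "com"
    if domain == host:
        return True                       # domain-match by string equality
    if not domain.startswith(".") or not host.endswith(domain):
        return False                      # host is not N + ".domain"
    prefix = host[: -len(domain)]         # the H in "HD"
    return "." not in prefix              # "edit.my" has a dot -> reject


def check_log_line(line: str) -> dict:
    """Pull Domain and host out of a Lynx 'Rejecting domain' message and report
    what each rule set would do with that Set-Cookie."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a store_cookie rejection line")
    domain, host = m.group(1), m.group(2)
    return {"host": host, "domain": domain,
            "netscape": netscape_accepts(host, domain),
            "rfc2109": rfc2109_accepts(host, domain)}


if __name__ == "__main__":
    sample = "store_cookie: Rejecting domain '.yahoo.com' for host 'edit.my.yahoo.com'."
    print(check_log_line(sample))   # netscape True, rfc2109 False
```

The same check also shows why David's ".co.uk" analogy holds under both rule sets: a host three labels deep fails the embedded-dot test in RFC 2109 and the three-period test in the Netscape spec.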
