Almost since the beginning of the Mozilla project, there have been various bugs open on the browser about cookies, domain names and privacy, caused by the differing models of delegation in use around the world. Essentially, Firefox does not know that you should be allowed to set a cookie for “amazon.com”, but not for “co.uk” at the same level of the DNS. This allows unscrupulous advertisers to track people across multiple otherwise-independent sites.
In one sense, this is by design. The DNS is not supposed to impose any rules about how subdomains can be delegated. However, this flexibility clearly causes a problem in this case. The original cookie spec rather glossed over the problem, by suggesting a “one dot rule” – don’t allow the cookie if the domain attribute has no dots. This is fine for .com, but doesn’t help for .co.uk. The second attempt had another go at defining a rule which worked in practice, but there were still loopholes.
Various solutions have been proposed for this problem – from making the information available as a web service, to doing DNS lookups to see if the name resolves, to writing a new cookie spec, to making an enormous list encoding the delegation structure of every one of the 200+ TLDs on the planet.
This last has always seemed like a Sisyphean task. One person worked out what the rules were for Japan; they seemed so complicated that no-one wanted to take on the job of doing the same thing 199 more times. However, spurred by the need for Places to also know this information in order to present your history and bookmarks to you in a sensible fashion, the indefatigable Jo Hermans took up the challenge. Attached to bug 342314, you can see the first version of a document which attempts to record all of this information.
Although in the past, Japan was used to justify the “this is too complex; it’ll never work” argument, it turns out that the Norwegians take the prize for the most complicated delegation system. Encoding it correctly requires 760 rules. TLDs like .net, on the other hand, have just one – or none, if you rely on the fact that single-part domain names are implied members of the list.
So, thanks to Jo’s hard work, Firefox 3 will have a more secure cookie implementation. We will be sharing this information with Opera, and any other browser maker who may find it useful. It’s important to note that this information changes over time; applications should only ship this file if they have some way to update it.
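The gap between the “one dot rule” and a list-based check can be seen in a few lines. This is an added example, not Firefox's code or the document attached to the bug: the three rules are a constructed sample, the function names are hypothetical, and only plain suffix rules are handled.

```javascript
// Constructed sample of delegation rules. A real list is far larger and
// changes over time, so it must be updatable.
const SAMPLE_SUFFIX_RULES = new Set(["co.uk", "org.uk", "co.jp"]);

// Longest suffix of `host` under which names are delegated to registrants.
// Single-part names (com, net, uk) are implied members of the list.
function publicSuffix(host, rules = SAMPLE_SUFFIX_RULES) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (rules.has(candidate)) return candidate; // i ascends, so longest match wins
  }
  return labels[labels.length - 1];
}

// The original "one dot rule" as described above: reject the cookie only
// when the domain attribute contains no dots (a leading dot is ignored).
function oneDotRuleAllows(cookieDomain) {
  return cookieDomain.replace(/^\./, "").includes(".");
}

// The request host must be the cookie domain itself or a subdomain of it.
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// List-based check: the domain attribute must cover the request host and
// must not itself be a suffix shared by independent sites.
function suffixListAllows(requestHost, cookieDomain, rules = SAMPLE_SUFFIX_RULES) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (!domainMatches(host, domain)) return false;
  return publicSuffix(domain, rules) !== domain;
}

// Constructed requests: [host sending Set-Cookie, Domain attribute it asks for]
const SAMPLE_REQUESTS = [
  ["www.amazon.com", "amazon.com"],
  ["www.amazon.com", "com"],
  ["www.example.co.uk", "co.uk"],
  ["www.example.co.uk", "example.co.uk"],
];
for (const [host, domain] of SAMPLE_REQUESTS) {
  console.log(host, domain, "one-dot:", oneDotRuleAllows(domain),
              "list:", suffixListAllows(host, domain));
}
```

Only the third request separates the two checks: the one dot rule accepts “co.uk” because it contains a dot, while the list-based check rejects it.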