DNS Structure

Almost since the beginning of the Mozilla project, there have been various bugs open on the browser about cookies, domain names and privacy, caused by the differing models of delegation in use around the world. Essentially, Firefox does not know that you should be allowed to set a cookie for “amazon.com”, but not for “co.uk” at the same level of the DNS. This allows unscrupulous advertisers to track people across multiple otherwise-independent sites.

In one sense, this is by design. The DNS system is not supposed to impose any rules about how subdomains can be delegated. However, this flexibility clearly causes a problem in this case. The original cookie spec rather glossed over the problem, by suggesting a “one dot rule” – don’t allow the cookie if the domain attribute has no dots. This is fine for .com, but doesn’t help for .co.uk. The second attempt had another go at defining a rule which worked in practice, but there were still loopholes.

Various solutions have been proposed for this problem – from making the information available as a web service, to doing DNS lookups to see if the name resolves, to writing a new cookie spec, to making an enormous list encoding the delegation structure of every one of the 200+ TLDs on the planet.

This last has always seemed like a Sisyphean task. One person worked out what the rules were for Japan; they seemed so complicated that no-one wanted to take on the job of doing the same thing 199 more times. However, spurred by the need for Places to also know this information in order to present your history and bookmarks to you in a sensible fashion, the indefatigable Jo Hermans took up the challenge. Attached to bug 342314, you can see the first version of a document which attempts to record all of this information.

Although in the past, Japan was used to justify the “this is too complex; it’ll never work” argument, it turns out that the Norwegians take the prize for the most complicated delegation system. Encoding it correctly requires 760 rules. TLDs like .net, on the other hand, have just one – or none, if you rely on the fact that single-part domain names are implied members of the list.

So, thanks to Jo’s hard work, Firefox 3 will have a more secure cookie implementation. We will be sharing this information with Opera, and any other browser maker who may find it useful. It’s important to note that this information changes over time; applications should only ship this file if they have some way to update it.
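The difference between the “one dot rule” and a list-based check, as an added example that is not Firefox's code or the file attached to the bug. The rule set is a constructed, incomplete sample and all function names are hypothetical.

```javascript
// Constructed sample of multi-label delegation suffixes (NOT the real list).
// Single-label names (com, net, uk, ...) are implied members and are not listed.
const SUFFIX_RULES = new Set(["co.uk", "org.uk", "co.jp"]);

// Normalise a host or Domain attribute: lower-case, drop one leading/trailing dot.
function normalise(name) {
  return name.toLowerCase().replace(/^\./, "").replace(/\.$/, "");
}

// The original cookie spec's heuristic: reject only if the domain has no dots.
function oneDotRuleAllows(cookieDomain) {
  return normalise(cookieDomain).includes(".");
}

// Longest listed suffix that the name ends with; falls back to the last label,
// which covers the implied single-label rule (and dotless intranet names).
function publicSuffix(name) {
  const labels = normalise(name).split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (SUFFIX_RULES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// List-based check: the Domain attribute must domain-match the request host
// and must not itself be a delegation suffix shared by independent sites.
function listRuleAllows(requestHost, cookieDomain) {
  const host = normalise(requestHost);
  const domain = normalise(cookieDomain);
  const matchesHost = host === domain || host.endsWith("." + domain);
  return matchesHost && domain !== publicSuffix(domain);
}

// Constructed cases: [request host, Domain attribute on the cookie]
const cases = [
  ["www.amazon.com", "amazon.com"],
  ["www.example.co.uk", "co.uk"],
  ["www.example.co.uk", "example.co.uk"],
];
for (const [host, domain] of cases) {
  console.log(domain, "one-dot:", oneDotRuleAllows(domain),
              "list:", listRuleAllows(host, domain));
}
```

The second case is the loophole: the one dot rule accepts “co.uk” because it contains a dot, while the list-based check rejects it.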

9 thoughts on “DNS Structure”

  1. I still think that this is only a partial solution, as this doesn’t work for commercial sub-TLDs. I really think someone should start persuading people for a DNS-level solution (the authority section, already present in my DNS for some reason).

  2. As for Israel, and my guess is that it is suitable for most other countries – expand the “one dot rule” to a “two dot rule” for those countries, and you’ve solved the problem.

    How does the current code fit with intranet-based domains with no prefix at all? Can I set cookies for the “www.example” domain of my own?

  3. Tomer: you are right if there are only “one dot rule” countries (like Germany) and “two dot rule” countries (like Israel). Unfortunately, most countries are a mix between the two, and we have no choice but to list the exceptions. Even Great Britain, which everybody points to as a “two dot rule” country. It isn’t.

  4. I’d consider this an unsolvable problem, if attacked from this direction. What’s really bad isn’t that there are one-dot and two-dot zones, but that there are zones where it’s mixed and, in particular, which directly contain both individual server names and subdomains. demon.co.uk is like that — it contains the ISP’s servers’ names (such as www) as well as the subdomains that are let out to the customers (such as gnelson). (Of course, the sheer number of zones is also a problem.)

    Fundamentally, counting dots is the wrong approach.

    Long term, probably the right approach to deciding whether foo.bar.baz is allowed to set a cookie for bar.baz is to ask bar.baz if that’s okay (the default being no if it doesn’t answer, or if there’s no DNS record for bar.baz). But this would need to go through a standardization process, and then you’d have to give site authors six months or more to implement it. Nobody will be very happy about it. But they’ll do it, if enough of the right browsers insist, because webmasters love to be able to set cookies.