[Fwd: Doubleclick]

Yanni jon at aggroup.com
Mon Jul 1 00:45:20 PDT 1996


> There's a very obvious way to get their cookie put in your cookies
> file without you explicitly going to their site.

This is my favorite example...

You work at a company.

Evil co-worker there says...check out this webpage I just set up.

You go to that page, the server gives you a cookie with
confidential information.
( 4k can store a lot of data..:) )...

Boss comes around and looks at your cookie file, notices
confidential information.

You get fired, sued, whatever....

> The server can send whatever it wants to you in the Set-Cookie:
> header.  Read the spec.

Yes, but you know the server that sent it. A Set-Cookie header can't
set the domain to be other than the domain that the cookie came from.
The message that was copied to the list implied that one domain could set
a cookie for another domain. That isn't true unless you have access to
the person's cookie file. ( as you implied in your response, but which
is beyond the scope of the original letter ).

Regards,

-jon

Jon (no h) S. Stevens        yanni at clearink.com
ClearInk WebMagus      http://www.clearink.com/
finger pgp at sparc.clearink.com for pgp pub key
We are hiring! Check out...
http://www.clearink.com/clearink/home/job.html
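The domain-scoping rule Jon relies on above, written out as an added example (this is illustration code for this page, not anything from the thread or from any browser of the period): a small Python check that accepts or rejects a Set-Cookie header from a given responding host following the rules of the original Netscape cookie specification, namely that a Domain attribute must tail-match the host that sent it and must contain enough dots that a site cannot claim a whole top-level domain, plus the 4 KB per-cookie limit the mail alludes to. The host names and header values used below are constructed for illustration.

```python
"""Added example: should a browser accept this Set-Cookie header?

Reconstructs the Netscape-era cookie domain rules as a reference check.
Not code from the cypherpunks thread or from any real browser.
"""
from typing import Dict, Tuple

# Netscape spec: domains under these seven top-level domains need at least
# two labels (e.g. ".acme.com"); all others need three (e.g. ".acme.co.uk"),
# so a server cannot set a cookie for ".com" or ".co.uk" outright.
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}

# Netscape spec limit on a single cookie, name=value plus attributes.
MAX_COOKIE_BYTES = 4096


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def domain_has_enough_dots(domain: str) -> bool:
    """Reject domains too broad to belong to one site (".com", ".co.uk")."""
    labels = domain.strip(".").split(".")
    required = 2 if labels[-1].lower() in SPECIAL_TLDS else 3
    return len(labels) >= required


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Tail-match on a label boundary: host is the domain or ends in '.'+domain.

    Requiring the '.' is stricter than a raw string tail-match, so
    'evildoubleclick.net' cannot claim Domain=doubleclick.net.
    """
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def accept_set_cookie(request_host: str, header: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a Set-Cookie received from request_host."""
    if len(header.encode("utf-8")) > MAX_COOKIE_BYTES:
        return False, "cookie exceeds %d-byte limit" % MAX_COOKIE_BYTES
    name, _value, attrs = parse_set_cookie(header)
    if not name:
        return False, "missing cookie name"
    domain = attrs.get("domain")
    if domain is None:
        # No Domain attribute: the cookie is scoped to the responding host only.
        return True, "accepted for host %s" % request_host
    if not domain_has_enough_dots(domain):
        return False, "domain %r is too broad" % domain
    if not domain_matches(request_host, domain):
        return False, "%s may not set a cookie for %r" % (request_host, domain)
    return True, "accepted for domain %s" % domain


if __name__ == "__main__":
    # Constructed sample exchanges, not captured traffic.
    samples = [
        ("ad.doubleclick.net", "id=abc123; Domain=.doubleclick.net; Path=/"),
        ("www.evil.example", "id=abc123; Domain=.doubleclick.net"),
        ("www.evil.example", "id=abc123; Domain=.com"),
        ("evildoubleclick.net", "id=abc123; Domain=doubleclick.net"),
        ("www.evil.example", "session=xyz"),
    ]
    for host, hdr in samples:
        ok, why = accept_set_cookie(host, hdr)
        print("%-22s %-45s -> %s (%s)" % (host, hdr, "ACCEPT" if ok else "REJECT", why))
```

The second and fourth samples are the cases the thread is about: a page on one host cannot hand the browser a cookie scoped to DoubleClick's domain, so the cookie you find in your file always came from the domain it is scoped to. The first sample shows the legitimate case, the last shows a cookie without a Domain attribute being scoped to just the responding host.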
More information about the cypherpunks-legacy mailing list