mart at degeneration.co.uk
Wed May 18 12:06:23 PDT 2005
Brad Fitzpatrick wrote:
> It's up to the identity server to do the right thing here. It doesn't
> affect the protocol.
> I'm sure we'll build a recommended list of domain suffixes which SHOULDN'T
> be wildcarded.
Netscape's Cookie spec says:
Only hosts within the specified domain can set a cookie for a domain
and domains must have at least two (2) or three (3) periods in them
to prevent domains of the form: ".com", ".edu", and "va.us". Any
domain that fails within one of the seven special top level domains
listed below only require two periods. Any other domain requires at
least three. The seven special top level domains are: "COM", "EDU",
"NET", "ORG", "GOV", "MIL", and "INT".
Limitations of not including "museum" and "coop" aside, this seems like
a reasonable starting point.
More information about the yadis