可以针对.com之类的顶级域设置cookie吗
Can cookie be set against top level domain like .com
我有一个与 Share cookie between subdomain and domain 有关的问题 - 如果我在将 cookie 设置为 .com 的同时设置域,会发生什么情况?所有 .com 网站都可以使用该 cookie 吗?
配置良好的用户代理应该拒绝此类 cookie,如 RFC 6265 section 5.3 中所述:
- If the user agent is configured to reject "public suffixes" and the domain-attribute is a public suffix:
If the domain-attribute is identical to the canonicalized request-host:
- Let the domain-attribute be the empty string.
Otherwise:
- Ignore the cookie entirely and abort these steps.
NOTE: A "public suffix" is a domain that is controlled by a
public registry, such as "com", "co.uk", and "pvt.k12.wy.us".
This step is essential for preventing attacker.com from
disrupting the integrity of example.com by setting a cookie
with a Domain attribute of "com". Unfortunately, the set of
public suffixes (also known as "registry controlled domains")
changes over time. If feasible, user agents SHOULD use an
up-to-date public suffix list, such as the one maintained by
the Mozilla project at http://publicsuffix.org/.
我有一个与 Share cookie between subdomain and domain 有关的问题 - 如果我在将 cookie 设置为 .com 的同时设置域,会发生什么情况?所有 .com 网站都可以使用该 cookie 吗?
配置良好的用户代理应该拒绝此类 cookie,如 RFC 6265 section 5.3 中所述:
- If the user agent is configured to reject "public suffixes" and the domain-attribute is a public suffix:
If the domain-attribute is identical to the canonicalized request-host:
- Let the domain-attribute be the empty string.
Otherwise:
- Ignore the cookie entirely and abort these steps.
NOTE: A "public suffix" is a domain that is controlled by a public registry, such as "com", "co.uk", and "pvt.k12.wy.us". This step is essential for preventing attacker.com from disrupting the integrity of example.com by setting a cookie with a Domain attribute of "com". Unfortunately, the set of public suffixes (also known as "registry controlled domains") changes over time. If feasible, user agents SHOULD use an up-to-date public suffix list, such as the one maintained by the Mozilla project at http://publicsuffix.org/.