
Bug#212734: cookie support in http method (Progeny)



On Fri, 2003-09-26 at 13:53, Adam Heath wrote:
> I haven't read this fully, but blindly accepting cookies (either new or
> modifications) is bad.

The patch does disallow cross-site cookies in the usual way.

> Some kind of prompting is needed.

I have no objection to that in principle, though I wonder how practical
that would be.  We'd need another message and callback for cookie
interaction, and configurable "quiet mode" operation.

What might work better would be a whitelist in the configuration.  Or
perhaps just a list, with another configuration item specifying whether
it's a whitelist or blacklist (defaulting to whitelist, of course). 
Or...

> Something like mozilla's rules would be useful.

...a cookie security config file, with Allow and Deny.  (I'm not sure
the regular apt config file would do that well.)

I'm inclined towards the whitelist, myself.  Do you think this would be
sufficient?
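
The list-plus-mode idea discussed in this message, sketched as an added example (not part of the message, the patch, or apt itself). The names `CookiePolicy`, `ListMode`, `DomainMatches` and `AcceptCookie` are hypothetical, the host names are constructed, and the cross-site test shown is an assumed label-boundary domain match, not the patch's actual check.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Hypothetical policy object; these are not real apt configuration items.
enum class ListMode { Whitelist, Blacklist };

struct CookiePolicy {
    ListMode mode = ListMode::Whitelist;  // default-deny unless a host is listed
    std::vector<std::string> hosts;       // exact host names (constructed samples)
};

static std::string Lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// True when host equals domain or is a subdomain of it, matched on a label
// boundary so "evilexample.com" does not match "example.com".
bool DomainMatches(const std::string &host, std::string domain) {
    const std::string h = Lower(host);
    domain = Lower(domain);
    if (!domain.empty() && domain[0] == '.') domain.erase(0, 1);
    // Refuse empty or single-label domains such as "com".
    if (domain.empty() || domain.find('.') == std::string::npos) return false;
    if (h == domain) return true;
    return h.size() > domain.size() &&
           h.compare(h.size() - domain.size(), domain.size(), domain) == 0 &&
           h[h.size() - domain.size() - 1] == '.';
}

// Decide whether a cookie received from requestHost may be stored.
// cookieDomain is the Domain attribute; empty means a host-only cookie.
bool AcceptCookie(const CookiePolicy &p, const std::string &requestHost,
                  const std::string &cookieDomain) {
    // Cross-site cookies are rejected regardless of the list.
    if (!cookieDomain.empty() && !DomainMatches(requestHost, cookieDomain))
        return false;
    const std::string h = Lower(requestHost);
    const bool listed = std::any_of(p.hosts.begin(), p.hosts.end(),
        [&](const std::string &e) { return Lower(e) == h; });
    return p.mode == ListMode::Whitelist ? listed : !listed;
}
```

With an empty list and the default mode, every cookie is refused, which is the behaviour the whitelist default is meant to give.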



