That could be also implemented in my proposed fix by example.com setting the aut... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		hrjet on Jan 18, 2014 \| parent \| context \| favorite \| on: Cookie Bomb or Let's Break the Internet That could be also implemented in my proposed fix by example.com setting the auth cookies. They will continue to be readable by store.example.com. Sure, it will require a change on the server side, which is a pain. But I can't think of a practical scenario which will be impossible to implement with the proposed fix.

gfodor on Jan 18, 2014 | [–]

Your idea would likely break any site on the internet that uses authentication and subdomins, isn't it clear why this isn't being considered?

zaroth on Jan 19, 2014 | | [–]

Or sites could opt-in to this with a header?

EDIT: homakov says the same thing down thread.

hrjet on Jan 19, 2014 | | [–]

Yes, it is backwards incompatible. Perhaps it could be enforced in HTTP 2?

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact