So what's magical about Safari?

Richard Clayton ukcrypto at chiark.greenend.org.uk
Thu, 3 Apr 2008 23:53:23 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <Pine.SOC.4.64.0804032304380.22293@spruce.eng.gla.ac.uk>,
Chris Edwards <chris@eng.gla.ac.uk> writes

>On Thu, 3 Apr 2008, Joel Harrison wrote:
>
>| Safari ships with a conservative cookie policy which limits cookie
>| writes to only the pages chosen ("navigated to") by the user. This
>| default conservative policy may confuse frame based sites that attempt
>| to write cookies and fail.
>
>Interesting - I'd wondered what that safari pref really did...
>
>Forgetting about fancy stuff like frames for the moment, if:
>
> I navigate to www.example.com, and phorm intercepts the request and 
> spoofs an HTTP 302 response redirecting me to www.webwise.com/whatever
> which then attempts to set a webwise.com cookie
>
>then are you saying safari will refuse this cookie, on the grounds that I 
>hadn't "navigated" there myself ?  But other browsers accept the cookie ?

recall that:

a) browsers only ever return cookies to their owning domain

b) sites can set cookies in their own domain

c) sites can also set cookies in other people's domains

cookies of type (c) are called third-party cookies and there are
separate controls for users to specify their handling in most browsers.
To add to the excitement IE6 (and presumably IE7 as well) looks at P3P
policies before deciding what the default is!

However (and it's hard to find any precise documentation) what Safari
appears to be doing is refusing to accept (and more relevantly) refusing
to send cookies to sites involved in placing extra components into a
page from another site (such as <img src="http://doubleclick.com/...">
banner ads).

This breaks any system that doubleclick.com (or anyone else!) might use
to recognise people by cookies, so they can be served appropriate ads.

What I'm unable to establish from Googling appropriate pages is the
impact of encountering 3xx responses, whether Safari remembers the
original URL the user asked for (and turns down cookies if you go
somewhere else) or whether this is irrelevant [an easy experiment for a
Safari user to try!]

- -- 
richard                                              Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.         Benjamin Franklin

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBR/Vf45oAxkTY1oPiEQJSuACfZqqi2bfPoKte8Q3VPX2E9eFNekEAoJly
4YzmuGCdg2GDGYDST7nh8oca
=lZP1
-----END PGP SIGNATURE-----
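The three rules (a), (b) and (c) in the reply above, and the difference between a permissive cookie policy and a "first party only" one, can be made concrete with a small cookie-jar model. This is an added example written for this page, not code from the post or from any browser: the hostnames (www.example.com, adserver.example, interceptor.example) are constructed, and whether a 302 redirect changes which domain counts as "the page the user navigated to" is left as an explicit parameter, because the post itself leaves that question open.

```python
"""Toy cookie jar modelling the rules discussed in the post.

Added illustration, not browser code. Hostnames are constructed sample
values; the redirect handling is a parameter, not a claim about Safari.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    domain: str   # the domain that owns the cookie (rule (a) keys on this)
    name: str
    value: str


@dataclass
class CookieJar:
    # "permissive": third-party Set-Cookie is honoured and cookies are sent
    #   to any domain that owns them.
    # "first_party_only": cookies are neither accepted from nor sent to a
    #   domain other than the one the user navigated to (the policy the post
    #   attributes to Safari).
    policy: str = "permissive"
    cookies: dict = field(default_factory=dict)   # (domain, name) -> Cookie

    def accept(self, response_domain, page_domain, name, value):
        """A response from response_domain carries Set-Cookie while the user
        is viewing a page whose own domain is page_domain.
        Same domain is rule (b); a different domain is rule (c)."""
        if self.policy == "first_party_only" and response_domain != page_domain:
            return False   # third-party Set-Cookie silently ignored
        self.cookies[(response_domain, name)] = Cookie(response_domain, name, value)
        return True

    def cookies_for(self, request_domain, page_domain):
        """Rule (a): only cookies owned by request_domain are ever returned.
        Under first_party_only, nothing is sent with embedded third-party
        requests either, which is what breaks cookie-based ad recognition."""
        if self.policy == "first_party_only" and request_domain != page_domain:
            return {}
        return {c.name: c.value
                for (domain, _name), c in self.cookies.items()
                if domain == request_domain}


def banner_ad_scenario(policy):
    """User views www.example.com, which embeds an <img> from adserver.example
    (both constructed). The site sets its own cookie, the ad server tries to
    set a tracking cookie, then both are fetched again from the same page."""
    jar = CookieJar(policy)
    jar.accept("www.example.com", "www.example.com", "session", "abc")      # (b)
    ad_accepted = jar.accept("adserver.example", "www.example.com", "uid", "42")  # (c)
    sent_to_ad = jar.cookies_for("adserver.example", "www.example.com")
    sent_to_site = jar.cookies_for("www.example.com", "www.example.com")
    return ad_accepted, sent_to_ad, sent_to_site


def redirect_scenario(policy, redirect_changes_page_domain):
    """Top-level navigation to www.example.com is answered with a 302 to
    interceptor.example (constructed), which sets a cookie. Whether the
    browser now regards interceptor.example as the page's own domain is the
    open question in the post, so it is passed in rather than assumed."""
    jar = CookieJar(policy)
    page_domain = ("interceptor.example" if redirect_changes_page_domain
                   else "www.example.com")
    return jar.accept("interceptor.example", page_domain, "track", "xyz")


if __name__ == "__main__":
    for policy in ("permissive", "first_party_only"):
        print(policy, "banner ad:", banner_ad_scenario(policy))
        for changes in (True, False):
            print(policy, "redirect, page domain follows 302 =", changes,
                  "->", redirect_scenario(policy, changes))
```

Running the module prints the outcome of each scenario under both policies; the interesting row is the redirect case under `first_party_only`, where the result flips entirely on the assumption about what counts as the navigated-to domain, which is why the post calls it an easy experiment worth actually doing rather than reasoning about.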