by hrjet 4530 days ago
Why isn't the obvious fix discussed: Change browsers to not let subdomains set cookies for parent domains.

Probably this feature is of critical use. If so, I would be grateful if someone explains it to me.


One common use is to pass session data between subsections of a site. For example, the user logs into www.example.com, and is still logged in when they head over to store.example.com.
That could also be implemented in my proposed fix by example.com setting the auth cookies. They will continue to be readable by store.example.com.

Sure, it will require a change on the server side, which is a pain. But I can't think of a practical scenario which will be impossible to implement with the proposed fix.

Your idea would likely break any site on the internet that uses authentication and subdomains. Isn't it clear why this isn't being considered?
Or sites could opt-in to this with a header?

EDIT: homakov says the same thing down thread.

Yes, it is backwards incompatible. Perhaps it could be enforced in HTTP 2?