IE and 2-letter domain-names
Why is this a problem? Well, basically because Microsoft seems to think that there are different kind of TLD's. Ofcourse there are different kind of TLD's: there are f.i. international TLD's (like .com, .org and .net) and national TLD's based on the 2-digit countrycodes (like .us, .uk and .nl). Microsoft however makes the distinction based upon the number of characters in the TLD-name itself and holds a list of 'special domains' for 2-letter TLD's that should follow the same rules for 'normal domains' when it comes to state-management (aka cookies). According to my registry only .pl (Poland) and .gr (Greece) are considered 'special domains'.
For all other 2-letter TLD's it is impossible to set a cookie in IE if you have registered a domain for that TLD that has also only 2 digits (e.g. xx.nl). The reasoning is simple: some countries do not allow the registration of a domain directly under the national TLD but instead use a system of 'sub-level' domains (e.g. .co.uk and .org.uk). It would be considered unsafe for a browser to allow a cookie to be set on such a 'sub-level' domain (although all browsers except IE do it happily) since that means that such a cookie can be read by a wide variety of websites hosted under that 'sub-level' domain. In fact: I did have a cookie for .co.uk residing in my Firefox...
To my knowledge just a small number of countries have a policy that only allows the registration of domains under a 'sub-level' domain, but instead of listing those TLD's as exceptions Microsoft makes this the rule and treads only Poland and Greece as an exception (as of IE6 SP1)... Clearly a case of Microsoft being too strict and other browser-vendors being too easy.
Update: Opera has been trying to resolve this matter by making some proposals. The first proposal mentions keeping some sort of list of subTLD's on a DNS-level which looks to me like a good solution. Unfortunately the DNS protocol folks are not very willing to accept such a solution...
Also Opera does a lookup on the domain set for the cookie to see if it is a valid domain (has an IP address) before accepting it. That is an acceptable work-around (at least it is less restrictive than Microsoft's approach but still more restrictive than Firefox's) however there are no guarentees that a TLD registrar will never link a subTLD to an IP address.
does this problem still occur of is there a patch in IE6/7 for this?
Comments are closed