User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3 It is possible for a site to set a cookie with domain ".co.uk" and this cookie is sent to any other .co.uk website regardless of the cookie option 'for the originating website only'. Reproducible: Always Steps to Reproduce: To reproduce this you will need the Live HTTP Headers extension (or your own website which will show you the cookies submitted). 1. Tick the Tools->Options->Privacy->Cookies->for the originating website only. 2. Visit http://www.kelkoo.co.uk 3. View your cookies Tools->Options->Privacy->Cookies->Stored Cookies. You will have one set for "co.uk" with the name "kelkooId". 4. Turn on your live http headers view. Tools->Live http headers. 5. Visit. http://www.google.co.uk 6. Look at the Cookie header sent to google, kelkooID is there. Actual Results: A cookie set by www.kelkoo.co.uk has been sent to www.google.co.uk Expected Results: The kelkooID cookie should not be sent to www.google.co.uk when the 'originating website only' option is ticked.

This is a misunderstanding of the "originating website" cookie option. That option is supposed to prevent setting and transmitting ad (usually) cookies, say doubleclick.net, while surfing an unrelated site that happens to host ads from that host. We make an http connection to get the ad and normally would send cookies as part of the http spec. If the originating website only option is on we only send cookies for top-level documents. The cookie super-domain issue is something else. *** This bug has been marked as a duplicate of 252342 ***

sorry for bugspam, long-overdue mass reassign of ancient QA contact bugs, filter on "beltznerLovesGoats" to get rid of this mass change