bug-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted


From: Karol Hosiawa
Subject: bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted urls
Date: Tue, 2 Dec 2008 17:03:42 +0000

I'm writing a client for a webservice in Emacs.

The webservice is trying to set a cookie and here's what I get:

api.blip.pl tried to set a cookie for domain .blip.pl - rejected

Setting:

(setq url-cookie-trusted-urls "api.blip.pl")

doesn't have any effect. A similar client written in JS for Firefox
exists and works fine with the same webservice.

Is this a bug ? I think so, it's either that or a bug in
url-cookie-host-can-set-p function.


2008/12/2 Glenn Morris <address@hidden>:
> "Karol Hosiawa" wrote:
>
>> The function url-cookie-handle-set-cookie in url-cookie.el
>> doesn't check if url-cookie-trusted-urls is set. It does some
>> preliminary checks but doesn't apply this info in the end.
>
> I'm not sure if this is a bug or not. The function _does_ check the
> value of url-cookie-trusted-urls. It seems to control whether or not
> you get asked for confirmation about accepting cookies (assuming
> url-cookie-confirmation is non-nil, which by default it is not). You
> will never get asked to confirm accpeting cookies from trusted URLs.
>
> What your proposed patch would seem to do is allow trusted urls to set
> any cookies they like, even outside their own domain. I presume this
> corresponds to "third-party cookies". Firefox, for example, has a
> separate option to control this. Currently, url will always reject
> third-party cookies, even from trusted sites. Perhaps there should be
> an option for this (nil, t, 'trusted?).
>

--
Karol Hosiawa






reply via email to

[Prev in Thread] Current Thread [Next in Thread]