bug-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted


From: Karol Hosiawa
Subject: bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted urls
Date: Tue, 2 Dec 2008 20:44:28 +0000

2008/12/2 Glenn Morris <address@hidden>:
>
> (Please keep address@hidden in the Cc:)
>
>
> Karol Hosiawa wrote (on Tue, 2 Dec 2008 at 17:03 +0000):
>
>> api.blip.pl tried to set a cookie for domain .blip.pl - rejected
>
>
> Interesting - your problems arise through being in Poland. :)
>
> It seems to be an instance of this issue:
>
> http://crisp.tweakblogs.net/blog/ie-and-2-letter-domain-names.html
>
> I'm not sure what the right solution is. Adding pl (and gr, and ?) to
> url-cookie-two-dot-domains will fix it.
>
> Can anyone with experience in this area say how other browsers handle
> this?
>

I don't think it's connected to 2 character polish and greek TLDs,
that article describes a bit different IE specific problem, this
problem lies in the following function (some examples):

(url-cookie-host-can-set-p "api.blip.pl" ".blip.pl")
nil

(url-cookie-host-can-set-p "api.hosteurope.de" ".hosteurope.de")
nil

(url-cookie-host-can-set-p "images.google.nl" ".google.nl")
nil

These are all valid domains and this function should not return nil in
these cases.

It does work however if it's a subdomain, eg:

(url-cookie-host-can-set-p "api.del.icio.us" ".del.icio.us")
4

It also works for a simple case like this:
(url-cookie-host-can-set-p "api.blip.pl" "api.blip.pl")
t

(when the path is exactly the same as the host setting the cookie).

To see what I mean exactly by this being a bug you can:

1. Disallow third party cookies in FF
2. Go to http://api.blip.pl
3. View FF cookies - there will be a session cookie set by api.blip.pl
for .blip.pl path - allowed by FF

--
Karol Hosiawa






reply via email to

[Prev in Thread] Current Thread [Next in Thread]