Closed Bug 209689 Opened 21 years ago Closed 21 years ago

document.cookie from hostless file: URL bypasses "ask me before storing"

Categories

(Core :: Networking: Cookies, defect)

Product:
Core
Component:
Networking: Cookies
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Future

People

(Reporter: benc, Assigned: mvl)

References

(
URL
)

Details

(Whiteboard: checkwin checklinux)

Attachments

(1 file, 2 obsolete files)

patch v3
4.99 KB, patch
Details | Diff | Splinter Review 
Mach-O + Win98, Mozilla 1.4b.
(probably has happened for a long time).

STEPS:
Turn on "ask me before storing" cookies.
Open any file URL (to set the URL bar conext)
Type the provided URL in to the URL bar and hit return.

OBSERVED:
cookie is set (check cookie manager)

EXEPCTED:
"ask me" dialog should interupt.

I'm working on a js script that will progamatically determin if the DOM
permissions for cookies are on or off.

I noticed while developing this that the "ask me" dialog is never showing up.

This coupled with the fact that Cookie Manager seems to update every cookie in
the display EXCEPT the selected cookie, has actually made this script a pain to
develop.

But I'm more concerned about the problems w/ cookie security, because bug 109982
is won't fix. I'm going to look at that some more, finish writing the script,
and post it here.

I've also done a dupe check, and found now relevant, pre-existing bugs.
hmm. 10 bucks says the check at
http://lxr.mozilla.org/seamonkey/source/extensions/cookie/nsCookiePermission.cpp#90
is going through, and we're just returning kDefaultPolicy (which allows the
cookie and skips the prompt):

 88   nsCAutoString hostPort;
 89   aURI->GetHostPort(hostPort);
 90   if (hostPort.IsEmpty())
 91     return NS_OK;

mvl... we need to fix this :)
feel free to take this bug (or any other) off my plate :)
Target Milestone: --- → Future
Summary: document.cookie from file: URL bypasses "ask me before storing" → document.cookie from hostless file: URL bypasses "ask me before storing"
Attached patch patch v1 (obsolete) — Splinter Review 
This is a quick fix. It makes it so that when you have a hostless url, it uses
the prePath to identify the "site", and uses that in the prompt. It also uses
that to ask the permission manager.
The dialog now reads: "The site file:// wants to set a cookie". It is a bit
strange, but the best I can think of now.

You could add file:// to cookperm.txt, but there is no UI for that. The menu's
don't do that yet, but that is another bug.
Attachment #129123 - Flags: superreview?(darin)
Attachment #129123 - Flags: review?(dwitte)
Forget the comments on the permission manager, they are bogus. The patch only
affects the dialog, nothing else.

So, let me state it as a question: would using the prepath for the permission
list be ok when there is no host? That way, you could put file:// in cookperm.txt.
i think it'd be better to use the URI scheme instead of the prePath.  the reason
is that if the hostPort is empty, then that does not mean that the prePath
wouldn't possibly include a username and password.  we probably don't want to
include the username and password in key, so probably it makes most sense to
just compare schemes.  or perhaps you could just have a special entry for "empty
host"?
mvl: are you going to roll a new patch to address darin's comments, or would you
like review on your current one?
i agree with darin here... maybe using the scheme would be better?

r=dwitte with both that, and the spelling mistakes, fixed :)
(nuke that trailing newline too please. you could also kill that !aCookie test
if you want, since the only intended consumer is cookieservice, and it's quite
sane wrt errors)
Attached patch patch v2 (obsolete) — Splinter Review 
I changed it to hardcode :// after the scheme in the prompt. Just using the
scheme didn't work ("A site from file wants to set a cookie").

While testing, i noticed the checkbox didn't work. I fixed that to. It add an
entry "scheme:file" to cookperm.txt. I added scheme: to make sure it isn't a
host.
Now that i think of it, it might be a bit confusing. scheme:http will only
block hostless http cookies, not all http cookies.

I left the !aCookie check in, just to be sure :) I added another check, because
I was seeing assertions while testing. They occured because I hand-edited my
cookperm.txt, and messed up, but they were irritating enough to fix :)
Attachment #129123 - Attachment is obsolete: true
Comment on attachment 132433 [details] [diff] [review]
patch v2

seems ok to me...
Attachment #132433 - Flags: review+
Attachment #129123 - Flags: superreview?(darin)
Attachment #129123 - Flags: review?(dwitte)
Attachment #132433 - Flags: superreview?(darin)
Comment on attachment 132433 [details] [diff] [review]
patch v2

so, won't this break any permissions prefs for file:// URLs?  guess they were
already kind of horked.

please remove the printf!  maybe the GetSpec can go too?

seems like it might be good to write a helper function to get the "right"
hostport, no?

sr=darin
Attachment #132433 - Flags: superreview?(darin) → superreview+
Attached patch patch v3Splinter Review 
Updated to darins comments.
Attachment #132433 - Attachment is obsolete: true
checked in.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
VERIFIED: Mozilla 1.6f, Mac OS X.

file: URLs w/o a host now trigger accept dialog in proper conditions (if accept
is turned on in prefs, and if "Cookie Sites" does not contain entry for scheme:file)

NOTE:
the null host (file:///) is still stored as blank in "stored cookies" (bug
file:///Users/benc/Public/mozilla-org/html/quality/networking/testing/cookies/jscookietest.html)

Also, because of bug file://<hostname>/ can still write to any cookie (bug
109982), file  URL's can stomp on the "scheme:file" entry. I've filed bug 235170
on this.
Status: RESOLVED → VERIFIED
QA Contact: cookieqa → benc
Whiteboard: checkwin checklinux
Blocks: 161636
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: