Closed Bug 239933 Opened 20 years ago Closed 20 years ago

[P3P] Accept based on privacy settings appears to be broken

Categories

(Core :: Networking: Cookies, defect)

Product:
Core
Component:
Networking: Cookies
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: hjtoi-bugzilla, Assigned: mkaply)

Details

(Keywords: fixed1.7.5, regression)

Attachments

(1 file)

Fix for problem
713 bytes, patch
dwitte
: review+
darin.moz
: superreview+
mkaply
: approval-aviary+
mkaply
: approval1.7.5+
Details | Diff | Splinter Review 
Path: secnews.netscape.com!not-for-mail
From: "Toli" <bla@bla.bla>
Newsgroups: netscape.public.mozilla.browser
Subject: Broken cookie-handling in Mozilla 1.7b
Date: Wed, 24 Mar 2004 14:59:29 +0100
Organization: Another Netscape Collabra Server User
Lines: 48
Message-ID: <c3s487$q0r1@ripley.netscape.com>
NNTP-Posting-Host: mal-bounty.malmo.kicore.net
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Xref: secnews.netscape.com netscape.public.mozilla.browser:11587

Hi!
I just tried out the Mozilla 1.7beta together with one of our products for
web content management, and it does not work with Moz 1.7b.
The product uses an Java-applet which makes http-calls back to the
webserver, and the problem is that the session-cookies does not seem to get
included in these calls. (it has always worked without a flaw in all
versions of IE, Netscape, Opera and Mozilla up until now)

It DOES work if I set the "Cookie Acceptance Policy" to "Allow cookies for
the originating web sites only" or "Allow all cookies", but if I keept it at
"Allow cookies based on privacy settings" it never works no matter what
privacy settings i use.
I tried setting level of privacy to "low" - no go.
I also tried "custom" and set EVERYTHING to "Accept" - still no go.

From this I draw the conclusion that the "Allow cookies based on privacy
settings"-setting is broken in Moz 1.7b for cookies in http-calls from a
java-applet... Btw I use Sun's Java-plugin v1.4.2_03.

When I check stored cookies in the "Cookie Manager" i Mozilla, I find the
session-cookies for our site:
Name: SiteshaperId1
Content: 0200221412333303
Host: mal-bounty.malmo.kicore.net
Path: /
Send for: Any type of connection
Expires: at end of session
Policy: no policy about storing identifiable information

And:
Name: JSESSIONID
Content: 00DA9E8D459D1B27F28405EBAF28B661
Host: mal-bounty.malmo.kicore.net
Path: /
Send for: Any type of connection
Expires: at end of session
Policy: no policy about storing identifiable information

...nothing strange here...

Does anyone know anything about this? Where do I post a proper bug-report?
...we'd sure like to see this issue fixed as some of our customers may want
to use Mozilla...

Regards,
Tobias Lind
This is the place for bug reports :)
Please try to create a cookie log as described at
http://www.mozilla.org/projects/netlib/cookies/cookie-log.html
mvl, note the reporter vs. the report :)  Heikki, did any reply/link to this 
bug get posted to the newsgroup?  Can someone do that if not already? :)
I posted a follow up to the news with a ref to this bug.
I noticed the same problem with Mozilla 1.6. The setting "cookies based on
privacy settings" doesn't seem to change the behaviour even if I set the radio
button to "Custom" and change all values to "Accept". 
if this is really broken, this raises the question of "so now what?" wrt the
future of P3P.
Summary: Cookies based on privacy settings don't work in 1.7b → [P3P] Accept based on privacy settings appears to be broken
If ti is broken in general, that question must be answered.
If it is broken for java plugins, that alone doesn't justify removing p3p. I
think that in that case we don't pass a right channel or whatever to p3p to get
the p3p info from. So it bails out, and denies all cookies.
I can also verify that this is broken in 1.6. 
what is 'it'? p3p when java applets make network calls? p3p in general?
I have Moz.1.7 configured to go by privacy settings when accepting cookies. It
is set to flag cookies from sites with no policy, and accept or sessionize
cookies from sites without one.

I've just set up a privacy policy on my site. http://www.virginiaquilter.com/ .
The P3P Validor says it's all set up properly. It's not linked from any pages,
but rather in the http headers. My cookies are still being flagged, and the
cookie manager indicates that there is no policy set.
Can someone help me with how to test/debug this?
a testcase and a cookie log would help.
not putting all kinds of p3p problems in this bug would also help. This seems to
be about a java applet and cookies not working, not about other sites or flagged
cookies.
Confirming.

This broke between 1.5a and 1.5b - most likely culprit is blake's checkin for
rewriting cookies.

Easiest way to test this, is make sure you have no virginiaquilter.com cookies,
then set your P3P preferences to reject everything using Custom.

Then go to virginiaquilter.com and click on "Enter Fabric Store"

If you go to the cookie manager, you'll see you have cookies set when you should
have none.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: PC → All
blake rewrote cookies?
Blake checked it in :)

We think we have more info.

It appears that the cookie code is not properly listening to changes in the P3P
preferences.

Scenario looks like this:

New profile
Start Mozilla - you MUST load a web page that does cookies right off the bat -
NOT about:blank!

Go to preferences

Set P3P options to reject everything.

Go to www.virginiaquilter.com

Enter the store.

Go to cookie manager - you got cookies when you shouldn't have.

If you start with about:blank, you don't see the problem.
http://lxr.mozilla.org/mozilla/source/extensions/p3p/src/nsP3PService.cpp#73

that is the function that observes pref changes for p3p... you could throw a
printf in there, to ensure everything is well after you change the pref.

also, see if aHttpChannel at
http://lxr.mozilla.org/mozilla/source/extensions/p3p/src/nsP3PService.cpp#141 is
nonnull.

(you're using trunk - not some crazy 1.5 branch, right?)
> http://lxr.mozilla.org/mozilla/source/extensions/p3p/src/nsP3PService.cpp#73

though that code is pretty ugly, i'm not spotting any obvious mistakes in it.


> (you're using trunk - not some crazy 1.5 branch, right?)

right, reproducible cross-platform on the trunk.  it seems that the problem only
occurs if the P3P preference is changed after the P3P service has already been
initialized.  so, that seems to suggest that Observe is not getting called properly.
This is pref observer related. The PrefChanged observer function isn't getting
called when you change the preferences after the service is started.
Actually I've got it.

Patch coming.

The AddObserver is failing because of the weak reference. We should be passing
PR_FALSE on AddObserver.
Attached patch Fix for problemSplinter Review 
Should be passing PR_FALSE not PR_TRUE to the AddObserver because P3P doesn't
support weak references.
Assignee: darin → mkaply
Status: NEW → ASSIGNED
Attachment #155193 - Flags: superreview?(darin)
Attachment #155193 - Flags: review?(dwitte)
Attachment #155193 - Flags: superreview?(darin) → superreview+
Attachment #155193 - Flags: review?(dwitte) → review+
Comment on attachment 155193 [details] [diff] [review]
Fix for problem

a=me for aviary and 1.73 - regression
Attachment #155193 - Flags: approval1.7.3+
Attachment #155193 - Flags: approval-aviary+
fix in everywhere
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Keywords: fixed1.7.3
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: