Bug 1303358: CORS
Status: RESOLVED WORKSFORME
Opened 8 years ago, closed 8 years ago
Categories: Core :: DOM: Security, defect
People: Reporter: balafi, Unassigned
Attachments: 2 files
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160823121617

Steps to reproduce:

I read the documentation for CORS at https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS and followed the link to this page: http://arunranga.com/examples/access-control/credentialedRequestNoCredentials.html which according to the aforementioned documentation is a working example of CORS with credentials.

Actual results:

When I click the "Click to Invoke Another Site" button at http://arunranga.com/examples/access-control/credentialedRequestNoCredentials.html I observe in the inspector that the CORS requests do not include the cookie which has been set in the response of the previous request.

Expected results:

Based on the specification as well as the Firefox documentation, I would expect to see the cookie which is set in the CORS response to be stored in the browser, and be included in the Request parameter of subsequent requests.
Comment 1•8 years ago
Look at the file name of the URL you provided:

http://arunranga.com/examples/access-control/credentialedRequestNoCredentials.html

It says "NoCredentials". At the bottom of the page is a link to:

http://arunranga.com/examples/access-control/credentialedRequest.html

I see the cookie sent on the second site and not the first site. I think this is what is expected. Does this work for you?
Flags: needinfo?(balafi)
No, it does not work. Screenshot attached. I wanted to refer to http://arunranga.com/examples/access-control/credentialedRequest.html but copied & pasted the wrong URL.
Let me add another screenshot, this time from FF 48.0.2 on OS X El Capitan (10.11.6). You will notice that the request highlighted in the inspector is the third CORS request, but the pageAccess counter in the Set-Cookie is still 1. The Request Headers do not include a Cookie header (this is not visible in this screenshot).
Comment 4•8 years ago
Can you open "about:support" in a new tab, copy to text, and paste here?
Comment 6•8 years ago
You have this pref:

network.cookie.cookieBehavior: 1

Which means to reject foreign cookies:

https://dxr.mozilla.org/mozilla-central/source/modules/libpref/init/all.js#1971

Can you test with a new profile with default settings and no addons?
I restarted in safe mode from about:support. cookieBehavior was again set to 1. Looking at about:config, the pref status was 'user set'. I did a reset and everything works fine now. I don't remember when/where this was set to 1. Many thanks for your fantastic support.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(balafi)
Resolution: --- → WORKSFORME
Comment 8•8 years ago
No problem. I think this can be set via something in options->privacy. We allow users to disable 3rd party cookies to reduce tracking.
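An added example, not part of the bug thread and not Firefox's code: a simplified JavaScript model of the two separate checks this bug turned on, namely whether page script may read a credentialed CORS response and whether that response's Set-Cookie is stored under `network.cookie.cookieBehavior`. The function name, the `app.example`/`api.example` origins, the hostname comparison used for "foreign", and the meanings given to pref values 0 and 2 are assumptions not taken from the thread, which only mentions the value 1.

```javascript
// Simplified model (an assumption, not Firefox source code) of two separate checks:
// is the response's Set-Cookie stored, and may page script read the response?
// cookieBehavior values modelled: 0 = accept all, 1 = reject foreign, 2 = reject all.
function diagnoseCredentialedCors({ pageOrigin, targetOrigin, withCredentials,
                                    responseHeaders, cookieBehavior }) {
  const reasons = [];
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = value.trim();
  }
  // Assumption: "foreign" is approximated by hostname; browsers compare registrable domains.
  const foreign = new URL(pageOrigin).hostname !== new URL(targetOrigin).hostname;

  let cookieStored = "set-cookie" in headers;
  const reject = (why) => { cookieStored = false; reasons.push(why); };
  if (!cookieStored) reasons.push("response has no Set-Cookie header");
  else if (foreign && !withCredentials) reject("withCredentials is false");
  else if (cookieBehavior === 2) reject("cookieBehavior=2 rejects all cookies");
  else if (foreign && cookieBehavior === 1) reject("cookieBehavior=1 rejects foreign cookies");

  let scriptCanRead = true;
  const block = (why) => { scriptCanRead = false; reasons.push(why); };
  if (foreign) {
    const acao = headers["access-control-allow-origin"];
    const acac = headers["access-control-allow-credentials"];
    if (withCredentials) {
      // With credentials the wildcard "*" is not accepted.
      if (acao !== pageOrigin) block("Access-Control-Allow-Origin must equal the page origin");
      if (acac !== "true") block("Access-Control-Allow-Credentials must be \"true\"");
    } else if (acao !== "*" && acao !== pageOrigin) {
      block("Access-Control-Allow-Origin does not allow the page origin");
    }
  }
  return { cookieStored, scriptCanRead, reasons };
}

// Constructed sample: a correctly configured credentialed response.
const sample = {
  pageOrigin: "https://app.example", targetOrigin: "https://api.example",
  withCredentials: true,
  responseHeaders: {
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "pageAccess=1",
  },
};
const withPref1 = diagnoseCredentialedCors({ ...sample, cookieBehavior: 1 });
const withDefault = diagnoseCredentialedCors({ ...sample, cookieBehavior: 0 });
console.log(withPref1, withDefault);
```

With the constructed sample, `withPref1` reports a readable response but no stored cookie, which matches the reporter's symptom of a `pageAccess` counter that stays at 1 while the CORS request itself succeeds.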