Closed Bug 256699 Opened 20 years ago Closed 20 years ago

Cookies for the originating website option ignored.

Categories

(Firefox :: Settings UI, defect)

Product:
Firefox
Component:
Settings UI
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 252342

People

(Reporter: philip.shore, Assigned: bugzilla)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3

It is possible for a site to set a cookie with domain ".co.uk" and this cookie
is sent to any other .co.uk website regardless of the cookie option 'for the
originating website only'.





Reproducible: Always
Steps to Reproduce:
To reproduce this you will need the Live HTTP Headers extension (or your own
website which will show you the cookies submitted).

1. Tick the Tools->Options->Privacy->Cookies->for the originating website only.
2. Visit http://www.kelkoo.co.uk
3. View your cookies Tools->Options->Privacy->Cookies->Stored Cookies. You will
have one set for "co.uk" with the name "kelkooId".
4. Turn on your live http headers view. Tools->Live http headers.
5. Visit. http://www.google.co.uk 
6. Look at the Cookie header sent to google, kelkooID is there.

Actual Results:  
A cookie set by www.kelkoo.co.uk has been sent to www.google.co.uk

Expected Results:  
The kelkooID cookie should not be sent to www.google.co.uk when the 'originating
website only' option is ticked.
This is a misunderstanding of the "originating website" cookie option. That
option is supposed to prevent setting and transmitting ad (usually) cookies, say
doubleclick.net, while surfing an unrelated site that happens to host ads from
that host.  We make an http connection to get the ad and normally would send
cookies as part of the http spec. If the originating website only option is on
we only send cookies for top-level documents.

The cookie super-domain issue is something else.

*** This bug has been marked as a duplicate of 252342 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
sorry for bugspam, long-overdue mass reassign of ancient QA contact bugs,
filter on "beltznerLovesGoats" to get rid of this mass change
QA Contact: mconnor → preferences
You need to log in before you can comment on or make changes to this bug.