Open Bug 389002 Opened 17 years ago Updated 2 years ago

Browsing to CNN.com with blocked cnn.com cookies results in "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)"

Categories: Core :: DOM: Core & HTML, defect, P5
People: Reporter: cbook, Unassigned
References: Blocks 1 open bug
Details: Keywords: testcase
Attachments: 1 file

Steps to Reproduce:

- Set Cookies from cnn.com to the cookie blocklist
- Go to Cnn.com 
- Check the Error Console:

Error: [Exception... "Security error"  code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)"  location: "http://i.l.cnn.net/cnn/.element/js/2.0/StorageManager.js Line: 167"]
Source File: http://i.l.cnn.net/cnn/.element/js/2.0/StorageManager.js
Line: 167
Attached file testcase
Bug 365772 is a bit related.
When cookies are denied, then storage is throwing errors when trying to access it, while document.cookie just returns an empty string.

http://www.whatwg.org/specs/web-apps/current-work/#security5
"Treating persistent storage as cookies: user agents may present the persistent storage feature to the user in a way that does not distinguish it from HTTP session cookies. [RFC2965]"
You could read that as "storage functions should not throw security errors when cookie functions aren't doing it either", I guess. Although I suspect that part is more talking about the UI or something.
Assignee: dveditz → nobody
Component: Security → DOM
Keywords: testcase
QA Contact: toolkit → general
What is the cause of the security exception? Is this because it is trying to access the storage of a different domain? The spec says that doing this "must then raise a security exception." although it doesn't currently define what a "security exception" is.
Sorry, the testcase was made for http://localhost use.
If you then block cookies from localhost, you get the mentioned security errors when trying to access globalStorage['localhost.localDomain'].
This doesn't happen with cookies. You just seem to get an empty string returned when trying to get/set a cookie.
Blocks: 435025
I don't think this is just related to bug 365772, I think this is bug 365772. I've encountered this problem on the cnn video site and when I set my cookie setting to "keep until they expire", cnn's video worked... see bug 442605.
I got this error today when I was testing the tryserver build from https://bugzilla.mozilla.org/show_bug.cgi?id=460346#c4.
Here is the site I tested:
http://legisweb.state.wy.us/statutes/constitution.aspx

Same NS_ERROR_DOM_SECURITY_ERR error with same security code.
I can confirm this on Firefox 3.5.4:
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.4) Gecko/20091028 Ubuntu/9.10 (karmic) Firefox/3.5.4
and
Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4
and r26510
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5pre) Gecko/20091031 Ubuntu/9.10 (karmic) Shiretoko/3.5.5pre 

This seems to be fixed in 3.6 Beta 1 Build 3

Ubuntu Bug:
https://bugs.launchpad.net/bugs/473677
Well, CNN video now plays with my third-party cookies turned off, or with the lifetime set to "Ask every time" and me selecting "For session". However, given that this bug is 3 years old, that could be due to changes on CNN.com.

But, I can still get the error if I do something that tries to set a cookie from javascript while the "Ask every time" setting is on (lifetimePolicy = 1).

Couple of examples after clearing out all of my cnn.com cookies and loading http://edition.cnn.com:

Error: uncaught exception: [Exception... "Security error"  code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)"  location: "http://i.cdn.turner.com/cnn/.element/js/3.0/StorageManager.js?20100728 Line: 345"]

This is line 345 of that js:
                return (window.localStorage && (window.localStorage!=null));

The page then prompts me if I want it to make the International Edition my default. If I press Yes or No, I get a similar error:

Error: uncaught exception: [Exception... "Security error"  code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)"  location: "http://i.cdn.turner.com/cnn/.element/js/3.0/s_code.intl.js Line: 521"]

The cookie that stores the default edition is set, but the prompt to make a selection does not go away. s_code.intl.js (or s_code.js on the US site) is Omniture, and there's no telling from their mangled javascript what that's trying to do, but I don't see a reference to localStorage anywhere in that javascript.

I've tried several times back and forth and have confirmed that the above errors only happen when I have the cookie lifetime policy set to '1' (Ask me every time).

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
(In reply to comment #7)
> 
> But, I can still get the error if I do something that tries to set a cookie
> from javascript while the "Ask every time" setting is on (lifetimePolicy = 1).
> 

Sorry, that was misleading. I was speculating before I looked at the js, but in the one case it's trying to access window.localStorage and in the other case (the Omniture js) I can't tell what it's trying to do, though Omniture is known to get invoked (to send usage data back to their servers via AJAX) in response to clicking a hyperlink.
We are experiencing the same problem in Firebug.
Test case + more details here:
http://code.google.com/p/fbug/issues/detail?id=3805

Honza
This is reproducible on the webtogs website:

http://www.webtogs.co.uk/Icebreaker_Long_Sleeve_Base_Layers__0/

with 3rd party cookies set to "ask me every time".

Setting to "until they expire" results in the site working.

The error reported in the console is:

Error: uncaught exception: [Exception... "Security error"  code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)"  location: "http://cdn.webtogs.com/js/mootools-1.2.5-core-yc.js Line: 24"]
This bug was supposedly fixed in 3.6, but it's still there in 4.0. I can reproduce it with the following code:

        if (localStorage) {
            alert("yes")
        } else {
            alert("no")
        }

If cookies are disabled, I get a "security error code 1000", regardless of whether local storage is enabled or not.
Priority: -- → P5
Component: DOM → DOM: Core & HTML
Severity: normal → S3
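
Added example, not code from this bug or from any of the sites mentioned: the reports above show that merely reading `window.localStorage` can throw when cookies are blocked, so a feature check has to wrap the property read itself. The sketch below degrades to an in-memory store instead of aborting the script; all function names and the fake window object are hypothetical.

```javascript
// Added example; every name below is hypothetical, not from the page.
function createMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => data.get(String(k)) ?? null,
    setItem: (k, v) => { data.set(String(k), String(v)); },
    removeItem: (k) => { data.delete(String(k)); },
  };
}

// Returns { storage, persistent, reason } and never throws.
function getSafeStorage(win) {
  const probeKey = "__storage_probe__";
  try {
    // The property read itself is what throws in the reports above,
    // so it must sit inside the try block.
    const store = win.localStorage;
    if (!store) {
      return { storage: createMemoryStorage(), persistent: false, reason: "unavailable" };
    }
    // Write probe: catches stores that exist but reject writes.
    store.setItem(probeKey, "1");
    store.removeItem(probeKey);
    return { storage: store, persistent: true, reason: "ok" };
  } catch (e) {
    // Current browsers name this exception "SecurityError"; the builds in this
    // bug print code 1000. Matching on e.code === 1000 is an assumption here.
    const blocked = !!e && (e.name === "SecurityError" || e.code === 1000);
    return { storage: createMemoryStorage(), persistent: false, reason: blocked ? "blocked" : "error" };
  }
}

// Constructed test double: a window whose localStorage getter throws.
function makeBlockedWindow() {
  const win = {};
  Object.defineProperty(win, "localStorage", {
    get() {
      const err = new Error("Security error");
      err.name = "SecurityError";
      throw err;
    },
  });
  return win;
}

// Same shape as the StorageManager.js line 345 quoted above.
function naiveCheck(win) {
  return win.localStorage && win.localStorage != null;
}
```

Callers can read `persistent` to decide whether a stored preference will survive a reload, and `reason` to log why it will not.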