Closed Bug 431517 Opened 16 years ago Closed 16 years ago

blocking cookies from "co.uk" blocks all cookies from "anydomain.co.uk"

Categories

(Firefox :: Security, enhancement)

PowerPC
macOS
enhancement
Not set
normal

RESOLVED DUPLICATE of bug 252342

People

(Reporter: chris.bugzilla, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14

In attempting to block a generic cookie for "co.uk" it appears that I blocked all cookies from domains which ended in "co.uk".

Reproducible: Always

Steps to Reproduce:
1.  Ensure preferences are set to accept cookies, with an exception to block "co.uk"
2.  Visit a site which is a subdomain of ".co.uk" and uses cookies
3.  
Actual Results:  
Cookie for subdomain.co.uk is refused


There needs to be a mechanism for blocking generic second level domains for ccTLDs without blocking cookies from more specific domains.

say "=co.uk" to block only co.uk domains, "co.uk" to block co.uk and subdomains
or "co.uk" to block only co.uk domains and "*.co.uk" to block co.uk and subdomains

Note, the help documentation makes no mention that blocking a domain blocks all subdomains of that domain.

This was supposed to be fixed by bug 252342 (in a way) - you can't place cookies anymore on co.uk, so there's no longer any reason to block these cookies.

It's actually normal that blocking a cookie would also block the subdomains, since those subdomains would also receive the cookie anyway, if it weren't blocked.

You can't.  I beg to differ.  This all came about after I discovered two cookies on the ".co.uk" domain in my Firefox cookies.

Try this script, it will attempt to set a cookie on "co.uk" domain.

http://wiki.jalakai.co.uk/tester499.php

In Firefox 2, yes it will. In Firefox 3 the cookie is not set.

Regardless of whether we do or don't block .co.uk, the subdomain blocking is intentional. If you block a higher-level domain you must individually allow the subdomains within that domain for which you want cookies. This applies to all our facilities that use the "permission manager", such as image blocking and popup blocking/allowing.

Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
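
The two behaviours discussed in this bug, sketched as an added example: exception lookup that inherits from parent domains, and refusing a cookie whose Domain attribute is a bare suffix such as "co.uk". This is not Firefox's permission-manager code or anything posted in the bug; the function names, the three-entry suffix set and the hostnames are constructed, and "most specific entry wins" is an assumption drawn from the last comment's wording.

```javascript
// Added illustration; not Firefox source code.
// Constructed sample data: a tiny stand-in for a public suffix list.
const PUBLIC_SUFFIXES = new Set(["uk", "co.uk", "com"]);

// Exception lookup: try the exact host first, then each parent domain.
// The most specific entry wins (assumption); no entry means the default.
function cookiePermission(host, exceptions, fallback = "allow") {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (exceptions.has(candidate)) return exceptions.get(candidate);
  }
  return fallback;
}

// Domain-attribute check: a host may set a cookie only for itself or one of
// its parent domains, and never for a bare suffix such as "co.uk".
function domainAttributeAllowed(host, domainAttr) {
  const h = host.toLowerCase();
  const d = domainAttr.toLowerCase().replace(/^\./, "");
  if (PUBLIC_SUFFIXES.has(d)) return false;
  return h === d || h.endsWith("." + d);
}

// A cookie is stored only if both checks pass.
function canSetCookie(host, domainAttr, exceptions) {
  return domainAttributeAllowed(host, domainAttr) &&
    cookiePermission(host, exceptions) === "allow";
}

// Constructed exception list: block co.uk, then re-allow one site under it.
const exceptions = new Map([
  ["co.uk", "block"],
  ["shop.example.co.uk", "allow"],
]);
```

With the "co.uk" block in place, every host under it is refused unless it, or a closer parent, has its own allow entry, which is the behaviour the reporter observed.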