Closed Bug 1232855 Opened 10 years ago Closed 8 years ago

navigator.cookieEnabled sometimes ignores per-site exceptions

Categories

(SeaMonkey :: General, defect)

Product:
SeaMonkey
Component:
General
Version:
SeaMonkey 2.39 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: commander4bugs, Unassigned, NeedInfo)

References

Details

Attachments

(2 files)

Blocked.png
699.93 KB, image/png
Details
Allowed.png
425.76 KB, image/png
Details
Attached image Blocked.png
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0 SeaMonkey/2.39 Build ID: 20151103191810 Steps to reproduce: 1. Set the browser to block all cookies 2. Add an exception for stanfordhealthcare.org to set session cookies 3. Go to https://myhealth.stanfordhealthcare.org/ Actual results: The front page complains that cookies are disabled (see Blocked.png). Expected results: The front page should have allowed logging in (see Enabled.png)
Attached image Allowed.png
As far as I understand, all the cookie logic for this site is located in this file: https://prodstaticcdn.stanfordhealthcare.org/resources/js/login.js More specifically, the actual cookie check is done in this function: var cookiesEnabled = function () { var cookieEnabled = (navigator.cookieEnabled) ? true : false; if (typeof navigator.cookieEnabled === "undefined" && !cookieEnabled) { document.cookie = "test"; cookieEnabled = (document.cookie.indexOf("test") !== -1) ? true : false; } return (cookieEnabled); }; This appears to be a standard way to check if cookies are enabled or not. When I debugged this code in Firebug, I do see that navigator.cookieEnabled returns "false", which is wrong. The strange thing is that if I try a very similar code on this page, I see that navigator.cookieEnabled correctly analyzes per-site exceptions. http://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_nav_cookieenabled Thus, this appears to dependent on when exactly navigator.cookieEnabled is called during the page loading process.
BTW, forgot to mention, if I set the browser to allow all cookies, then this page works correctly as expected.
The problem is that the new permissions model uses origins instead of hosts so http:// and https:// are different. However the data manager has not been updated to recognise this. Bug 1180871 dealt with this by a workaround. 1. Go to https://myhealth.stanfordhealthcare.org/ 2. Open Page Info View -> Page Info (CTRL-I) 3. Select the permissions tab. 4. Under Cookies choose Allow or Allow for Session. 5. Reload. Bingo! From Bug 1180871 Comment 6 (neil@parkwaycc.co.uk) > We need to implement the nsILoadContextInfo changes first anyway. I think it > would be better to land and uplift this work done so far, and then fix the > other bustage. Perhaps it's time to fix the rest of the bustage?
Status: UNCONFIRMED → NEW
Depends on: 1180871
Ever confirmed: true
Flags: needinfo?(neil)
(In reply to Philip Chee from comment #4) > Bug 1180871 dealt with this by a workaround. > 1. Go to https://myhealth.stanfordhealthcare.org/ > 2. Open Page Info View -> Page Info (CTRL-I) > 3. Select the permissions tab. > 4. Under Cookies choose Allow or Allow for Session. > 5. Reload. Bingo! Yes, that works. > From Bug 1180871 Comment 6 > (neil@parkwaycc.co.uk) > > We need to implement the nsILoadContextInfo changes first anyway. I think it > > would be better to land and uplift this work done so far, and then fix the > > other bustage. > > Perhaps it's time to fix the rest of the bustage? The problem is that this website has several subdomains: https://myhealth.stanfordhealthcare.org/ https://mychart.stanfordhealthcare.org/ With the Data Manager I would set a single permission for the top domain (stanfordhealthcare.org) and be done with it. The workaround described in comment #4 allows me to set a permission only for the actual URL I am looking at, which means myhealth.stanfordhealthcare.org. To get the website to work, I had to open mychart.stanfordhealthcare.org separately and use the workaround to allow cookies for it. It still works, but using the Data Manager would be much simpler and more straightforward. Bottom line - yes, please fix the Data Manager :)
(In reply to Philip Chee from comment #4) > From Bug 1180871 Comment 6 > (neil@parkwaycc.co.uk) > > We need to implement the nsILoadContextInfo changes first anyway. I think it > > would be better to land and uplift this work done so far, and then fix the > > other bustage. > > Perhaps it's time to fix the rest of the bustage? and NEEDINFO NeilZZZ No reply in over two months. I'm tempted to RESOLVE this bug INCOMPLETE. But I won't yet.
It appears that the Data Manager in SeaMonkey 2.46 now supports specifying http:// or https:// when configuring cookie permissions for sites. This resolves the issue reported in this bug, thus I am going to mark it as resolved.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: