Open Bug 1337774 Opened 4 years ago Updated 2 years ago
.push State does not read cookies from same origin
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131
Steps to reproduce: We have a testing environment, in which we try to read a cookie from same origin (domain, sub domain, etc.) but different path. Test case is attached as zip folder.
Actual results: It does not read the cookie at all.
Expected results: When pushing the button on site2, the cookies of site1 should be displayed on the console.
Anne, can you take a quick look and see if we're not conforming to the spec here? Thank you.
I can't open this resource, but I know from https://github.com/whatwg/html/issues/332 that Gecko uses an "origin URL" concept for cookies, that likely isn't affected by pushState() and can't be. Christos, does this work in other browsers?
(Needinfo for comment 2) And Christos, if you could host your example somewhere it'd make it easier for people to investigate (instead of the .7z attachment). Thank you!
It is only working on Internet Explorer; Chrome, Firefox and Safari apparently do not implement pushState correctly. Unfortunately I cannot host it anywhere; nevertheless, in order for anyone to investigate the issue, just upload the 2 directories to a webserver and navigate to the sites and check the console output. I hope this is helpful. Thanks and greetings, Christos
Attachment #8834891 - Attachment is obsolete: true
It seems to work for me with FF52.
site1:
1) create cookie --> cookie set
2) print own cookies --> "cookie.location: https://bug1337774.bmoattachments.org/attachment.cgi?id=8852895" --> all cookies on this site: name1=value1
site2:
1) print own cookies --> all cookies on this site: name1=value1
2) print site1 cookies --> "cookie.location: https://bug1337774.bmoattachments.org/attachment.cgi?id=8852895" --> all cookies on site1: name1=value1
Could you confirm? If it's wrong, which expected result should be displayed?
The problem here is that you are in the same directory and you can always read cookies from the same directory. On site2, printing own cookies should not display anything (since site2 has no cookies set).
Ok, I see, when using different directories (paths), there is a security error message on site2.
The domain must be the same like for example:
http://foo.com/bugreport/path1/site1.html
http://foo.com/bugreport/path2/site2.html
The pushState command then just needs the /bugreport/path1/site1.html in order for it to work.
Component: DOM → DOM: Core & HTML
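The path scoping this thread turns on, as an added example that is not part of the bug report or of any browser's code: RFC 6265 default-path and path-match applied to the example URLs from the last comment. The `followsPushState` switch is a hypothetical model of the two behaviours reported here (cookie lookup against the URL the document was loaded from, versus the URL installed by pushState); the function names and the cookie jar are constructed for illustration, and host matching is simplified to exact equality.

```javascript
// RFC 6265 section 5.1.4 path-match: does a cookie's Path cover a request path?
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix match only counts on a "/" boundary (/path1 must not cover /path10).
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 default-path: the Path a cookie gets when none is given explicitly.
function defaultPath(urlPath) {
  if (!urlPath.startsWith("/")) return "/";
  const lastSlash = urlPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : urlPath.slice(0, lastSlash);
}

// Cookies document.cookie would expose if the lookup is done against lookupUrl.
// Assumption: host matching reduced to exact hostname equality.
function visibleCookies(jar, lookupUrl) {
  const u = new URL(lookupUrl);
  return jar
    .filter(c => c.host === u.hostname && pathMatch(u.pathname, c.path))
    .map(c => `${c.name}=${c.value}`);
}

// Constructed sample built from the thread's example URLs.
const site1 = "http://foo.com/bugreport/path1/site1.html";
const site2 = "http://foo.com/bugreport/path2/site2.html";

// site1 sets name1=value1 without a Path attribute, so default-path applies.
const jar = [{ name: "name1", value: "value1", host: "foo.com",
               path: defaultPath(new URL(site1).pathname) }];

// Hypothetical model: after site2 calls history.pushState(null, "", pushedPath),
// the cookie lookup uses either the loaded URL or the pushed URL.
function cookiesAfterPushState(jar, loadedUrl, pushedPath, followsPushState) {
  const lookup = followsPushState ? new URL(pushedPath, loadedUrl).href : loadedUrl;
  return visibleCookies(jar, lookup);
}

const pushedPath = "/bugreport/path1/site1.html";
console.log(cookiesAfterPushState(jar, site2, pushedPath, false)); // []
console.log(cookiesAfterPushState(jar, site2, pushedPath, true));  // [ 'name1=value1' ]
```

When both test pages sit in the same directory, as in the hosted attachment, default-path is identical for the two pages and the cookie is visible from either one regardless of pushState.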