Open Bug 1337774 Opened 4 years ago Updated 2 years ago

history.pushState does not read cookies from same origin

Categories

(Core :: DOM: Core & HTML, defect, P3)

51 Branch
defect

UNCONFIRMED

People

(Reporter: christos.alewa, Unassigned)

Attachments

(3 files, 1 obsolete file)

688 bytes, application/x-7z-compressed
787 bytes, text/html
732 bytes, text/html
Attached file pushState_bug.7z (obsolete)
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:

We have a testing environment in which we try to read a cookie from the same origin (domain, subdomain, etc.) but a different path.
The test case is attached as a zip folder.

Actual results:

It does not read the cookie at all.


Expected results:

When pushing the button on site2, the cookies of site1 should be displayed on the console.
Component: Untriaged → DOM
Product: Firefox → Core
Anne, can you take a quick look and see if we're not conforming to the spec here? Thank you.
Flags: needinfo?(annevk)
I can't open this resource, but I know from https://github.com/whatwg/html/issues/332 that Gecko uses an "origin URL" concept for cookies, that likely isn't affected by pushState() and can't be.

Christos, does this work in other browsers?
Flags: needinfo?(annevk)
(Needinfo for comment 2) And Christos, if you could host your example somewhere it'd make it easier for people to investigate (instead of the .7z attachment). Thank you!
Flags: needinfo?(christos.alewa)
Attached file pushState_failure.7z
It is only working on Internet Explorer; Chrome, Firefox and Safari apparently do not implement pushState correctly.

Unfortunately I cannot host it anywhere; nevertheless, in order for anyone to investigate the issue, just upload the 2 directories to a webserver, navigate to the sites and check the console output.

I hope this is helpful.
Thanks and greetings,
Christos
Attachment #8834891 - Attachment is obsolete: true
Flags: needinfo?(christos.alewa)
Attachment #8852887 - Attachment is patch: false
Attachment #8852887 - Attachment mime type: text/plain → application/x-7z-compressed
Attached file site1.html
Attached file site2.html
It seems to work for me with FF52.

site1:
1) create cookie
--> cookie set
2) print own cookies
--> "cookie.location: https://bug1337774.bmoattachments.org/attachment.cgi?id=8852895"
--> all cookies on this site: name1=value1

site2:
1) print own cookies
--> all cookies on this site: name1=value1
2) print site1 cookies
--> "cookie.location: https://bug1337774.bmoattachments.org/attachment.cgi?id=8852895"
--> all cookies on site1: name1=value1

Could you confirm? If it's wrong, which expected result should be displayed?
Flags: needinfo?(christos.alewa)
The problem here is that you are in the same directory and you can always read cookies from the same directory.
On site2, printing own cookies should not display anything (since site2 has no cookies set).
Flags: needinfo?(christos.alewa)
Ok, I see, when using different directories (paths), there is a security error message on site2.
The domain must be the same, for example:

http://foo.com/bugreport/path1/site1.html
http://foo.com/bugreport/path2/site2.html

The pushState command then just needs the /bugreport/path1/site1.html in order for it to work.
Priority: -- → P3
Component: DOM → DOM: Core & HTML
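
The path behaviour discussed in this thread, as an added example (not taken from the bug's attachments or from Gecko): it implements the RFC 6265 default-path and path-match rules and applies them to the two URLs from the last comment, comparing a document whose cookie lookups follow pushState() with one whose cookie URL stays fixed at load time. It assumes the cookie is set without a Path attribute; all function names are hypothetical.

```javascript
// RFC 6265 section 5.1.4: default cookie path derived from the setting URL's path.
function defaultPath(uriPath) {
  if (!uriPath || uriPath[0] !== "/") return "/";
  const lastSlash = uriPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : uriPath.slice(0, lastSlash);
}

// RFC 6265 section 5.1.4: does cookiePath path-match requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary, so /path1 does not match /path10.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Cookie string a document would get from document.cookie for a URL path.
function visibleCookies(jar, urlPath) {
  return jar.filter(c => pathMatches(urlPath, c.path))
            .map(c => `${c.name}=${c.value}`).join("; ");
}

// Minimal document model (hypothetical). followPushState=true: cookie lookups
// use the current URL; false: they use the URL the document was loaded from.
function makeDocument(loadPath, followPushState) {
  let currentPath = loadPath;
  return {
    pushState(path) { currentPath = path; },
    cookie(jar) {
      return visibleCookies(jar, followPushState ? currentPath : loadPath);
    },
  };
}

function runScenario(followPushState) {
  const site1 = "/bugreport/path1/site1.html";
  const site2 = "/bugreport/path2/site2.html";
  // Constructed jar: site1 sets name1=value1 with no Path attribute (assumption).
  const jar = [{ name: "name1", value: "value1", path: defaultPath(site1) }];
  const doc = makeDocument(site2, followPushState);
  const before = doc.cookie(jar);   // site2 reading cookies at its own path
  doc.pushState(site1);             // same-origin URL change, no navigation
  return { before, after: doc.cookie(jar) };
}

console.log("cookie URL follows pushState:", runScenario(true));
console.log("cookie URL fixed at load:    ", runScenario(false));
```

In both models site2 sees nothing before pushState(); the models differ only in whether name1=value1 becomes readable afterwards, which is the disagreement in this bug.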