history.pushState does not read cookies from same origin

Status: UNCONFIRMED (Unassigned), P3, normal
Reporter: christos.alewa
Tracking: 51 Branch
Firefox Tracking Flags: Not tracked
Attachments (3 attachments, 1 obsolete attachment):
688 bytes, application/x-7z-compressed
787 bytes, text/html
732 bytes, text/html

(Reporter)

Description

2 years ago
Created attachment 8834891 [details]
pushState_bug.7z

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:

We have a testing environment in which we try to read a cookie from the same origin (domain, subdomain, etc.) but a different path.
The test case is attached as a zip folder.

Actual results:

It does not read the cookie at all.


Expected results:

When pushing the button on site2, the cookies of site1 should be displayed on the console.

Updated

2 years ago
Component: Untriaged → DOM
Product: Firefox → Core
Anne, can you take a quick look and see if we're not conforming to the spec here? Thank you.
Flags: needinfo?(annevk)

Comment 2

2 years ago
I can't open this resource, but I know from https://github.com/whatwg/html/issues/332 that Gecko uses an "origin URL" concept for cookies, that likely isn't affected by pushState() and can't be.

Christos, does this work in other browsers?
Flags: needinfo?(annevk)
(Needinfo for comment 2) And Christos, if you could host your example somewhere it'd make it easier for people to investigate (instead of the .7z attachment). Thank you!
Flags: needinfo?(christos.alewa)
(Reporter)

Comment 4

2 years ago
Created attachment 8852887 [details]
pushState_failure.7z

It is only working on Internet Explorer; Chrome, Firefox and Safari apparently do not implement pushState correctly.

Unfortunately I cannot host it anywhere. Nevertheless, in order for anyone to investigate the issue, just upload the 2 directories to a web server, navigate to the sites and check the console output.

I hope this is helpful.
Thanks and greetings,
Christos
Attachment #8834891 - Attachment is obsolete: true
Flags: needinfo?(christos.alewa)

Updated

2 years ago
Attachment #8852887 - Attachment is patch: false
Attachment #8852887 - Attachment mime type: text/plain → application/x-7z-compressed

Comment 5

2 years ago
Created attachment 8852895 [details]
site1.html

Comment 6

2 years ago
Created attachment 8852896 [details]
site2.html

Comment 7

2 years ago
It seems to work for me with FF52.

site1:
1) create cookie
--> cookie set
2) print own cookies
--> "cookie.location: https://bug1337774.bmoattachments.org/attachment.cgi?id=8852895"
--> all cookies on this site: name1=value1

site2:
1) print own cookies
--> all cookies on this site: name1=value1
2) print site1 cookies
--> "cookie.location: https://bug1337774.bmoattachments.org/attachment.cgi?id=8852895"
--> all cookies on site1: name1=value1

Could you confirm? If it's wrong, which expected result should be displayed?
Flags: needinfo?(christos.alewa)
(Reporter)

Comment 8

2 years ago
The problem here is that you are in the same directory and you can always read cookies from the same directory.
On site2, printing own cookies should not display anything (since site2 has no cookies set).
Flags: needinfo?(christos.alewa)

Comment 9

2 years ago
Ok, I see, when using different directories (paths), there is a security error message on site2.
(Reporter)

Comment 10

2 years ago
The domain must be the same, for example:

http://foo.com/bugreport/path1/site1.html
http://foo.com/bugreport/path2/site2.html

The pushState command then just needs the /bugreport/path1/site1.html in order for it to work.

Updated

2 years ago
Priority: -- → P3
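
Comment 2's explanation applied to the URLs from comment 10, as an added example that is not part of the bug or its attachments: a Node.js model of RFC 6265 path matching in which a document looks up cookies either by the URL it was loaded from or by its current URL after pushState(). The `DocModel` class, the cookie jar, the two lookup modes and the cookie being set without a Path attribute are assumptions made for illustration; this is not Gecko's code.

```javascript
// Added illustration; runs in Node, no browser needed. URLs follow comment 10.

// RFC 6265 section 5.1.4: does the request path match the cookie's path?
function pathMatch(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// RFC 6265 section 5.1.4: default cookie path is the directory of the setting URL.
function defaultPath(urlPath) {
  if (!urlPath.startsWith('/')) return '/';
  const lastSlash = urlPath.lastIndexOf('/');
  return lastSlash === 0 ? '/' : urlPath.slice(0, lastSlash);
}

// Hypothetical document model: originURL is fixed at load, url changes on pushState.
class DocModel {
  constructor(href) {
    this.originURL = new URL(href);
    this.url = new URL(href);
  }
  pushState(path) {
    const next = new URL(path, this.url);
    if (next.origin !== this.url.origin) throw new Error('SecurityError');
    this.url = next; // only the address changes; nothing is loaded
  }
  // mode 'origin' : look up by load-time URL (behaviour described in comment 2)
  // mode 'current': look up by the URL after pushState (what the reporter expects)
  cookies(jar, mode) {
    const u = mode === 'origin' ? this.originURL : this.url;
    return jar
      .filter(c => c.host === u.hostname && pathMatch(u.pathname, c.path)) // exact host only
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Constructed sample: site1 sets name1=value1 with no Path attribute (assumption).
const site1 = 'http://foo.com/bugreport/path1/site1.html';
const jar = [{ name: 'name1', value: 'value1', host: 'foo.com',
               path: defaultPath(new URL(site1).pathname) }];

function demo() {
  const site2 = new DocModel('http://foo.com/bugreport/path2/site2.html');
  const before = site2.cookies(jar, 'current');
  site2.pushState('/bugreport/path1/site1.html');
  return { before, origin: site2.cookies(jar, 'origin'), current: site2.cookies(jar, 'current') };
}
```

In this model, the `origin` result stays empty after pushState() while the `current` result contains the site1 cookie, which is the difference between the reported and the expected behaviour.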