Closed Bug 142538 Opened 23 years ago Closed 23 years ago

Enable cookies only from originating site ignored if 'ask before storing cookie' is enabled

Categories

(Core :: Networking: Cookies, defect)

x86
Linux
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: crispin, Assigned: morse)

Details

From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020502
BuildID: RC1

If you only allow cookies from the originating site, and check the box to warn you about cookies, then you are warned about all cookies.

Reproducible: Always

Steps to Reproduce:
1. Only allow cookies from originating server
2. Ask to be warned about cookies
3. go to http://mozilla-bug.flowerday.cx/cookie_bug.html

Actual Results:
You are warned about a cookie even though it is set by: http://cookie-bug.flowerday.cx/image.cgi

Expected Results:
The cookie should be rejected, and no warning should be given.
Status: UNCONFIRMED → NEW
Ever confirmed: true
But cookie-bug.flowerday.cx and mozilla-bug.flowerday.cx are both in the same domain, so this is considered to be the original server. This cookie will be accepted whether or not you have the ask-before-storing-cookie feature enabled. Therefore everything is behaving as it is supposed to. Marking this invalid.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID
But nowhere in the documentation is this behaviour mentioned. The UI says:
- Enable cookies for the originating site only
And the documentation on 'foreign cookies' does not mention the fact that a site in the same domain is not considered foreign.

However, there definitely is a bug: try the test URL again; this time the cookie is set through a redirect (from a completely different domain).
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Oh, BTW you may have to reload the page to show the problem
> But nowhere in the documentation is this behaviour mentioned.

You are correct -- the meaning of "originating server only" is nowhere documented. But this behavior has existed since day 1 in the Netscape browsers and has never changed. I'll admit that the test is quite antiquated and isn't even consistent with the domain-matching test that we make for cookies having a domain attribute.

As far as redirects go, there we consider the redirected site as the original server. This allows for bona-fide site moves -- i.e., a site that used to be one place and really moved somewhere else. In that case we still want to consider the new location as the original server. What the originating-server-only test wants to block against is the case in which you are sent offsite to fetch an image from a marketing site.

Please don't keep reopening this bug report. As stated it is invalid since it implies that the originating-server-only test is not being done when you have the warning. That is not true -- the test is always done (whether or not the warning box is checked) and if the test fails then no warning is given. Your objection now appears to be with the test itself, which you apparently disagree with. Therefore open a new bug report and state that the current test for originating-server-only is incorrect and tell what you think it should be.
Status: REOPENED → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID
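The decision order the assignee describes above (the originating-site test runs first, the warning dialog only appears for a cookie that survives it, and a redirect target is treated as the originating server), written out as an added example; this is not code from the bug report or from Mozilla. The two-label "same domain" comparison and the host names ads.example and tracker.example are constructed assumptions, not the browser's actual matching rule.

```python
from typing import Optional


def same_site(host_a: str, host_b: str) -> bool:
    """Assumed 'same domain' test: both hosts share their last two DNS labels.

    Constructed simplification. The thread says the real test is old and
    differs from the domain-attribute matching, but does not quote it.
    """
    def base(host: str) -> str:
        labels = host.lower().rstrip(".").split(".")
        return ".".join(labels[-2:])
    return base(host_a) == base(host_b)


def cookie_decision(page_host: str, cookie_host: str,
                    only_originating: bool, ask_before_storing: bool,
                    redirected_to: Optional[str] = None) -> str:
    """Return 'reject', 'prompt' or 'accept' for one Set-Cookie response.

    The ordering is the point of the thread: the originating-site test is
    evaluated first, and a cookie it drops never reaches the warning dialog.
    A request that was redirected counts the redirect target as the
    originating server, which is why the reporter's redirect case is not
    rejected even though the setter is a different base domain.
    """
    originating = redirected_to or page_host
    if only_originating and not same_site(originating, cookie_host):
        return "reject"  # silent: no dialog for a cookie the test rejects
    return "prompt" if ask_before_storing else "accept"


if __name__ == "__main__":
    page = "mozilla-bug.flowerday.cx"
    # Reporter's first case: same base domain, so the warning is shown.
    print(cookie_decision(page, "cookie-bug.flowerday.cx", True, True))
    # A genuine third-party host (constructed name) is dropped silently.
    print(cookie_decision(page, "ads.example", True, True))
    # Reporter's second case: the image request was redirected off-site,
    # so the redirect target becomes the originating server.
    print(cookie_decision(page, "tracker.example", True, True,
                          redirected_to="tracker.example"))
```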