browser.cookies.remove does not remove cookies with ../ in path, or any Path values that are not canonical
Categories
(WebExtensions :: General, defect, P3)
Tracking
(Not tracked)
People
(Reporter: core, Unassigned)
Comment 13•2 years ago
In order to support proper removal of cookies with special paths, the cookies.remove API needs a path property (and domain, as pointed out in comment 9). I have also suggested that in crbug.com/834699 as part of bug 1387957.
The current API defaults to taking the pathname component of the input URL (source), but the Path can be set to an arbitrary value, including ../ and ?.
RFC 6265, section 4.1.2.4 states:
The scope of each cookie is limited to a set of paths, controlled by
the Path attribute. If the server omits the Path attribute, the user
agent will use the "directory" of the request-uri's path component as
the default value. (See Section 5.1.4 for more details.)
Comment 15•8 months ago
This also affects paths with . components, e.g. /./ as seen in the navigation-20200227455 cookie set by https://visiblemerch.com/. This bug makes the Cookie-AutoDelete addon unable to remove that cookie.
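The mismatch described in the comments above, as an added example that is not part of the bug report or of Firefox's code: it flags stored cookies whose Path no longer matches after URL parsing, so a cleanup extension can tell which ones a url-only cookies.remove call cannot address. The sample cookies and the helper names (removalUrl, pathSeenByRemove, isUnaddressable, report) are assumptions made for illustration.

```javascript
// Added illustration; runs in Node.js or any runtime with the WHATWG URL class.
// Assumption: cookies.remove matches on the pathname of details.url, as the
// comment above describes, and that pathname has gone through URL parsing.

// Build the URL an extension would pass to cookies.remove for a stored cookie
// (shape as returned by cookies.getAll: domain, path, secure).
function removalUrl(cookie) {
  const host = cookie.domain.replace(/^\./, "");
  return `${cookie.secure ? "https" : "http"}://${host}${cookie.path}`;
}

// Path that survives URL parsing: dot segments are resolved, and "?" or "#"
// end the pathname.
function pathSeenByRemove(cookie) {
  return new URL(removalUrl(cookie)).pathname;
}

// True when the parsed pathname no longer equals the stored Path, so a
// url-only cookies.remove call cannot address this cookie.
function isUnaddressable(cookie) {
  return pathSeenByRemove(cookie) !== cookie.path;
}

// Constructed sample cookies (names and hosts are made up).
const sampleCookies = [
  { name: "plain", domain: "example.com", path: "/shop/", secure: true },
  { name: "dotdot", domain: "example.com", path: "/a/../b", secure: true },
  { name: "dot", domain: ".example.com", path: "/./", secure: true },
  { name: "query", domain: "example.com", path: "/x?y", secure: false },
];

// List every cookie that needs an explicit path parameter to be removed.
function report(cookies) {
  return cookies.filter(isUnaddressable).map((c) => ({
    name: c.name,
    storedPath: c.path,
    parsedPath: pathSeenByRemove(c),
  }));
}

console.log(report(sampleCookies));
```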