Closed Bug 1457503 Opened 7 years ago Closed 6 years ago

Remove <meta http-equiv=set-cookie> support

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla68

Tracking Flags:

Tracking

Status

firefox68

---

fixed

People

(Reporter: annevk, Assigned: jkt)

References

Details

(Keywords: dev-doc-complete, site-compat, Whiteboard: [domsecurity-active])

Attachments

(2 files)

Bug 1457503 - Removal of http-equiv cookies. 7 years ago Jonathan Kingston [:jkt] he/him 59 bytes, text/x-review-board-request		Details
Bug 1457503 - Removal of http-equiv cookies. draft, r?jkt 6 years ago Andrea Marchesini [:baku] 47 bytes, text/x-phabricator-request		Details \| Review

Anne (:annevk)

Reporter

Description

•

7 years ago

See cookies/meta-blocked.html in web-platform-tests and https://github.com/whatwg/html/pull/3649 Chrome has succeeded with this.

Jonathan Kingston [:jkt] he/him

Assignee

Comment 1

•

7 years ago

Seems ok yeah, will see what try says with removing this.

Assignee: nobody → jkt

Comment hidden (mozreview-request)

Jonathan Kingston [:jkt] he/him

Assignee

Comment 4

•

7 years ago

Hey :dveditz, Are there any blockers on publishing an intent to remove with this default disabled via a preference? The patch is small and we could allow for enterprise to keep this enabled perhaps. I'm happy also to do a phased rollout too or work on our own telemetry too. Chrome removed this in 65 which was the previous stable release. Thanks

Flags: needinfo?(dveditz)

Anne (:annevk)

Reporter

Comment 5

•

7 years ago

Per https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/17255938/ it seems Edge has removed this too.

Comment hidden (mozreview-request)

Christoph Kerschbaumer [:ckerschb]

Updated

•

7 years ago

Status: NEW → ASSIGNED

Priority: -- → P2

Whiteboard: [domsecurity-active]

Daniel Veditz [:dveditz]

Comment 8

•

7 years ago

jkt: sounds good, do it! This missed ESR-60 and hopefully by the next ESR the world will have adjusted to stop using these, but the pref is still a good idea in the short term so we can easily recover if things go unexpectedly badly on release.

Daniel Veditz [:dveditz]

Updated

•

7 years ago

Flags: needinfo?(dveditz)

Comment hidden (mozreview-request)

Jonathan Kingston [:jkt] he/him

Assignee

Updated

•

7 years ago

Attachment #8971743 - Flags: review?(dveditz)

Attachment #8971743 - Flags: review?(bzbarsky)

Kohei

Updated

•

7 years ago

Keywords: site-compat

Boris Zbarsky [:bzbarsky]

Comment 12

•

7 years ago

mozreview-review

Comment on attachment 8971743 [details] Bug 1457503 - Removal of http-equiv cookies. https://reviewboard.mozilla.org/r/240514/#review249044 ::: dom/base/nsContentSink.cpp:193 (Diff revision 7) > Preferences::AddIntVarCache(&sInitialPerfTime, > "content.sink.initial_perf_time", 2000000); > Preferences::AddIntVarCache(&sEnablePerfMode, > "content.sink.enable_perf_mode", 0); > + > + Preferences::AddBoolVarCache(&sDisableMetaCookie, I think you may want a StaticPrefList.h entry here instead of this member and call, depending on the response to bug 1436655 comment 42. ::: dom/base/nsContentSink.cpp:843 (Diff revision 7) > return NS_OK; > } > > // Don't allow setting cookies in <meta http-equiv> in cookie averse > // documents. > - if (nsGkAtoms::setcookie->Equals(header) && mDocument->IsCookieAverse()) { > + if (nsGkAtoms::setcookie->Equals(header) && mDocument->IsCookieAverse() && !sDisableMetaCookie) { This check doesn't make sense to me. Yes, we'll skip doing most of the work in ProcessHeaderData, but we'll still call mDocument->SetHeaderData(). Is that really what we want? If it is, then shouldn't the cookie-averse check also just happen in ProcessHeaderData after mDocument->SetHeaderData()? ::: testing/web-platform/meta/cookies/meta-blocked.html.ini:2 (Diff revision 7) > [meta-blocked.html] > - [Cookie is not set from `<meta>`.] > + prefs: [content.cookie.meta.disabled:false] This doesn't make sense to me. If the pref is forced to false as here, wouldn't the test fail? Shouldn't you just remove this .ini file altogether?

Attachment #8971743 - Flags: review?(bzbarsky)

Daniel Veditz [:dveditz]

Comment 13

•

7 years ago

mozreview-review

Comment on attachment 8971743 [details] Bug 1457503 - Removal of http-equiv cookies. https://reviewboard.mozilla.org/r/240514/#review251200 I assume we're getting another patch so clearing review.

Attachment #8971743 - Flags: review?(dveditz)

Chris Mills [:cmills]

Updated

•

7 years ago

Keywords: dev-doc-needed

Valentin Gosu [:valentin] (he/him)

Comment 14

•

7 years ago

Has this stalled? This was an issue in bug 1487085. It would be nice if we removed it.

Andrea Marchesini [:baku]

Comment 15

•

6 years ago

Attached file Bug 1457503 - Removal of http-equiv cookies. draft, r?jkt — Details

Pulsebot

Comment 16

•

6 years ago

Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/af207309bcf5 Removal of http-equiv cookies. draft, r=jkt

Oana Pop-Rus

Comment 17

•

6 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/af207309bcf5

Status: ASSIGNED → RESOLVED

Closed: 6 years ago

status-firefox68: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla68

Valentin Gosu [:valentin] (he/him)

Updated

•

6 years ago

Depends on: 1550050

Cristina Coroiu [:ccoroiu]

Updated

•

6 years ago

Regressions: 1550050

Kohei

Comment 18

•

6 years ago

Posted site compatibility note: https://www.fxsitecompat.com/en-CA/docs/2019/setting-cookies-with-meta-http-equiv-is-no-longer-allowed/

Eric Shepherd [:sheppy]

Comment 19

•

6 years ago

Content updates already done; I have submitted BCD PR 4341 to list set-cookie as being gone in Firefox 68.

Keywords: dev-doc-needed → dev-doc-complete

You need to log in before you can comment on or make changes to this bug.