Closed
Bug 1457503
Opened 7 years ago
Closed 5 years ago
Remove <meta http-equiv=set-cookie> support
Categories
(Core :: DOM: Security, enhancement, P2)
Core
DOM: Security
Tracking
()
RESOLVED
FIXED
mozilla68
Tracking | Status | |
---|---|---|
firefox68 | --- | fixed |
People
(Reporter: annevk, Assigned: jkt)
References
Details
(Keywords: dev-doc-complete, site-compat, Whiteboard: [domsecurity-active])
Attachments
(2 files)
See cookies/meta-blocked.html in web-platform-tests and https://github.com/whatwg/html/pull/3649 Chrome has succeeded with this.
Assignee | ||
Comment 1•7 years ago
|
||
Seems ok yeah, will see what try says with removing this.
Assignee: nobody → jkt
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Assignee | ||
Comment 4•6 years ago
|
||
Hey :dveditz, Are there any blockers on publishing an intent to remove with this default disabled via a preference? The patch is small and we could allow for enterprise to keep this enabled perhaps. I'm happy also to do a phased rollout too or work on our own telemetry too. Chrome removed this in 65 which was the previous stable release. Thanks
Flags: needinfo?(dveditz)
Reporter | ||
Comment 5•6 years ago
|
||
Per https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/17255938/ it seems Edge has removed this too.
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Updated•6 years ago
|
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Comment 8•6 years ago
|
||
jkt: sounds good, do it! This missed ESR-60 and hopefully by the next ESR the world will have adjusted to stop using these, but the pref is still a good idea in the short term so we can easily recover if things go unexpectedly badly on release.
Updated•6 years ago
|
Flags: needinfo?(dveditz)
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Assignee | ||
Updated•6 years ago
|
Attachment #8971743 -
Flags: review?(dveditz)
Attachment #8971743 -
Flags: review?(bzbarsky)
Updated•6 years ago
|
Keywords: site-compat
Comment 12•6 years ago
|
||
mozreview-review |
Comment on attachment 8971743 [details] Bug 1457503 - Removal of http-equiv cookies. https://reviewboard.mozilla.org/r/240514/#review249044 ::: dom/base/nsContentSink.cpp:193 (Diff revision 7) > Preferences::AddIntVarCache(&sInitialPerfTime, > "content.sink.initial_perf_time", 2000000); > Preferences::AddIntVarCache(&sEnablePerfMode, > "content.sink.enable_perf_mode", 0); > + > + Preferences::AddBoolVarCache(&sDisableMetaCookie, I think you may want a StaticPrefList.h entry here instead of this member and call, depending on the response to bug 1436655 comment 42. ::: dom/base/nsContentSink.cpp:843 (Diff revision 7) > return NS_OK; > } > > // Don't allow setting cookies in <meta http-equiv> in cookie averse > // documents. > - if (nsGkAtoms::setcookie->Equals(header) && mDocument->IsCookieAverse()) { > + if (nsGkAtoms::setcookie->Equals(header) && mDocument->IsCookieAverse() && !sDisableMetaCookie) { This check doesn't make sense to me. Yes, we'll skip doing most of the work in ProcessHeaderData, but we'll still call mDocument->SetHeaderData(). Is that really what we want? If it is, then shouldn't the cookie-averse check also just happen in ProcessHeaderData after mDocument->SetHeaderData()? ::: testing/web-platform/meta/cookies/meta-blocked.html.ini:2 (Diff revision 7) > [meta-blocked.html] > - [Cookie is not set from `<meta>`.] > + prefs: [content.cookie.meta.disabled:false] This doesn't make sense to me. If the pref is forced to false as here, wouldn't the test fail? Shouldn't you just remove this .ini file altogether?
Attachment #8971743 -
Flags: review?(bzbarsky)
Comment 13•6 years ago
|
||
mozreview-review |
Comment on attachment 8971743 [details] Bug 1457503 - Removal of http-equiv cookies. https://reviewboard.mozilla.org/r/240514/#review251200 I assume we're getting another patch so clearing review.
Attachment #8971743 -
Flags: review?(dveditz)
Updated•6 years ago
|
Keywords: dev-doc-needed
Comment 14•6 years ago
|
||
Has this stalled? This was an issue in bug 1487085. It would be nice if we removed it.
Comment 15•5 years ago
|
||
Comment 16•5 years ago
|
||
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/af207309bcf5 Removal of http-equiv cookies. draft, r=jkt
Comment 17•5 years ago
|
||
bugherder |
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox68:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Comment 18•5 years ago
|
||
Posted site compatibility note: https://www.fxsitecompat.com/en-CA/docs/2019/setting-cookies-with-meta-http-equiv-is-no-longer-allowed/
Comment 19•5 years ago
|
||
Content updates already done; I have submitted BCD PR 4341 to list set-cookie
as being gone in Firefox 68.
Keywords: dev-doc-needed → dev-doc-complete
You need to log in
before you can comment on or make changes to this bug.
Description
•