Open
Bug 1473012
Opened 6 years ago
Updated 2 years ago
Remove "force sending cookies" flag
Categories
(Core :: Networking: Cookies, enhancement, P3)
Core
Networking: Cookies
Tracking
()
NEW
People
(Reporter: Gijs, Unassigned)
References
Details
(Whiteboard: [necko-triaged])
In bug 437174 we added a flag to force sending cookies we wouldn't normally send to accommodate "background requests", where we tried to find a principal from the docshell and failed because there wasn't a docshell to do that with. These days we have no more xpcom add-ons so we don't need to worry about that, and we have direct ways of passing principals to channel creation primitives, so we can just use those. The flag should be removed because it's a giant hammer for a small nail, and as a result it does the wrong thing in some cases (ie what the consumers want is *some* cookies to be sent, and what they get is that *all* the cookies are sent). I'm already removing the nsIWebBrowserPersist variant of the flag in bug 1469916. I'm filing this bug to remove INTERNAL_LOAD_FLAGS_FORCE_ALLOW_COOKIES and INTERNAL_LOAD_FLAGS_FORCE_ALLOW_COOKIES from nsIDocShell and nsIWebNavigation, respectively. There are a handful of consumers left in the tree. They will need to pass a better loading/triggering principal in order for cookies not to go AWOL on the request. This is a Good Thing anyway, because they currently pass system principal, which is overkill and a potential security risk.
|
Reporter | |
Comment 1•6 years ago
|
||
(In reply to :Gijs (he/him) from comment #0) > I'm already removing the nsIWebBrowserPersist variant of the flag in bug > 1469916. I'm filing this bug to remove > INTERNAL_LOAD_FLAGS_FORCE_ALLOW_COOKIES and > INTERNAL_LOAD_FLAGS_FORCE_ALLOW_COOKIES from nsIDocShell and > nsIWebNavigation, respectively. Err, the second one is LOAD_FLAGS_FORCE_ALLOW_COOKIES, of course. And I forgot about nsIHttpChannelInternal::THIRD_PARTY_FORCE_ALLOW, which is the third flag involved, and gets reflected into a boolean property/attribute on the channel, which is set in a few places in the tree. > There are a handful of consumers left in the tree. They will need to pass a > better loading/triggering principal in order for cookies not to go AWOL on > the request. This is a Good Thing anyway, because they currently pass system > principal, which is overkill and a potential security risk. Specifically, there's a bunch of pass-through uses of the docshell/webnav flags, but the real uses are in: https://searchfox.org/mozilla-central/search?q=forceAllowThirdPartyCookie
|
||
Updated•6 years ago
|
Priority: -- → P3
Whiteboard: [necko-triaged]
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•