Bug 149115 - Enable cookies for the originating web site only accept foreign cookies
Status: Closed, RESOLVED DUPLICATE of bug 299160
Opened 22 years ago; Closed 19 years ago
Categories: Core :: Networking: Cookies, defect
People: Reporter: qiupingtang, Assigned: morse
Attachments: 3 files
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)
BuildID: 2002052306

Select Cookie Pref to "Enable cookies for originating web site only"; open some web sites, and foreign cookies are also accepted and set. E.g.: open www.aol.com, go to Stored Cookie, and the cookie ru4 from the ru4.com domain is accepted. Open cookies.txt and notice the ru4 cookie is saved.

Reproducible: Always

Steps to Reproduce:
1. Select Cookie Pref to "Enable cookies for originating web site only"
2. Open www.aol.com
3. Go to Stored Cookie; the cookie ru4 from the ru4.com domain is accepted. Open cookies.txt and notice the ru4 cookie is saved.

Expected Results: Foreign cookie should not be accepted at this setting.
Comment 1 (Assignee)•22 years ago
How do you know that ru4.com was a foreign cookie at the time it was set? Redirected sites are not considered as foreign sites -- i.e., if the site you visit does a redirect to a host in another domain, that host sets a cookie, and redirects back to the original site, that cookie is not considered to be foreign. Marking invalid. If you can demonstrate that no redirect took place, then please reopen.
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
Comment 2 (Reporter)•22 years ago
We did not observe a redirection in the URL field when visiting and accepting a cookie from the site below.

http://www.blox.com

After clearing all cookies we were served four cookies from the site above:

blox.com - JSESSIONID - blox.com
blox.com - CP - blox.com
hitbox.com - WSS_GW - .hitbox.com
phg.hitbox.com - WR510713GDBCV6 - phg.hitbox.com

No redirection took place.

-mkg
____________________
michael k. golay
aol time warner
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 3 (Assignee)•22 years ago
Can you attach the network traffic showing exactly how the accesses were made. Thanks.
Comment 4 (Reporter)•22 years ago
The attached file is the selected network packets related to cookie setting when browsing to www.blox.com.
Comment 5 (Assignee)•22 years ago
The attached packet trace leaves a lot to be desired. After reformatting the long lines, all I see in the file is the following:

Á25..
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Referer: http://blox.com/......aY øuA

Packet #85
HTTP/1.1 200 OK
Date: Thu, 06 Jun 2002 14:04:17 GMT
P3P: policyref="http://hitbox.com/w3c/p3p.xml", CP="NOI DSP LAW NID PSA ADM OUR IND NAV COM"
Set-Cookie: WSS_GW=V1A^Cz%rBXX@BBQ@; path=/; expires=Fri, 06-Jun-2003 14:04:17 GMT; domain=.hitbox.com
Set-Cookie: WR510713GDBCV6=V1^C(#Xz%rBXX@BBQ@BereBrz%zrzrz%rBXX@BBQ@"%rBXX@BBQ@"%rBXX@BBQ@BereBr"rzA#akvO:ma; path=/; expires=Fri, 06-Jun-2003 14:04:17 GMT; domain=phg.hitbox.com
Connection: close
Vary: *
Pragma: no-cache
Cache-Control: no-cache, private, must-revalidate
Expires: Thu, 06 Jun 2002 14:04:17 GMT
Content-Type: image/vnd.wap.wbmp
Content-Length: 5

Packet #122
GET /images/spacer.gif HTTP/1.1
Host: blox.com
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0rc2) Gecko/20020512 Netscape/7.0b1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en, zh-CN;q=0.75, zh;q=0.50, zh-TW;q=0.25
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Referer: http://blox.com/
Cookie: JSESSIONID=www.alphablox.com-afb9%253A3cff6bdb%253A154d46bf1420b8fa; CP=null*

Packet #125
GET /images/message.jpg HTTP/1.1
Host: blox.com
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0rc2) Gecko/20020512 Netscape/7.0b1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en, zh-CN;q=0.75, zh;q=0.50, zh-TW;q=0.25
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Referer: http://blox.com/
Cookie: JSESSIONID=www.alphablox.com-afb9%253A3cff6bdb%253A154d46bf1420b8fa; CP=null*

So I see some initial packet that has its beginning missing, packet 85 which is an http response that sets some cookies, and then packets 122 and 125 that are both http requests for images from blox.com. Specifically I don't see any http request for www.aol.com (which is where the reporter said he was going to) nor do I see any requests or responses from ru4.com which is supposedly setting the cookie. And, most important, I see no indication of why ru4.com is being accessed. If it is being accessed because of a redirect, then this cookie behavior is correct and the bug report is invalid.
Comment 6 (Reporter)•22 years ago
Don't know why the attached file missed some packets. Here are some related packets before #85.

Note: These packets reflect the example in Mike Golay's comment: www.blox.com, not the original one, www.aol.com.

Packet #6
GET / HTTP/1.1
Host: blox.com
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0rc2) Gecko/20020512 Netscape/7.0b1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en, zh-CN;q=0.75, zh;q=0.50, zh-TW;q=0.25
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive

Packet #7
HTTP/1.1 200 OK
Server: Netscape-Enterprise/6.0
Date: Thu, 06 Jun 2002 14:04:11 GMT
Content-type: text/html;charset=ISO-8859-1
Set-cookie: JSESSIONID=www.alphablox.com-afb9%253A3cff6bdb%253A154d46bf1420b8fa;path=/
Transfer-Encoding: chunked

Packet #81
GET /HG?hc=wp169&hb=WR510713GDBC94EN3&cd=1&hv=6&n=New_home&vcon=/NONE&bn=Netscape&bv=500&ce=y&ss=1024*768&sc=16&dt=10&sv=13&con=&epg=n&seg=undefined&zo=240&cmp=&gp=&lm=0&cy=u&hp=u&ja=y&ln=en-US&cp=null&rf=bookmark&pl=CDT%20Plug-in%3AMozilla%20Default%20Plug-in%3AJava%20Plug-in%3AJava%20Plug-in%3AJava%20Plug-in%3AJava%20Plug-in%3AJava%20Plug-in%3AJava%20Plug-in%3AShockwave%20Flash%3APulsePlayer%3AHP%20Peripheral%20Interrogator%3AAdobe%20Acrobat%3AQuickTime%20Plug-in%205.0.2%3AQuickTime%20Plug-in%205.0.2%3AQuickTime%20Plug-in%205.0.2%3AQuickTime%20Plug-in%205.0.2%3AQuickTime%20Plug-in%205.0.2%3AMicrosoft%20%28R%29%20DRM%3AMicrosoft%AE%20Windows%20Media%20Services%3ARealPlayer%28tm%29%20G2%20LiveConnect-Enabled%20Plug-In%20%2832-bit%29%20%3A HTTP/1.1
Host: phg.hitbox.com
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0rc2) Gecko/20020512 Netscape/7.0b1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en, zh-CN;q=0.75, zh;q=0.50, zh-TW;q=0.25
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Referer: http://blox.com/

Packet #83
GET /images/ablx_topnav_on_support2.gif HTTP/1.1
Host: blox.com
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0rc2) Gecko/20020512 Netscape/7.0b1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1
Accept-Language: en, zh-CN;q=0.75, zh;q=0.50, zh-TW;q=0.25
Accept-Encoding: gzip, deflate, compress;q=0.9
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
Referer: http://blox.com/......aY øuA
Comment 7 (Assignee)•22 years ago
I repeat my statement from comment 85. Namely:

  Specifically I don't see any http request for www.aol.com (which is where the reporter said he was going to) nor do I see any requests or responses from ru4.com which is supposedly setting the cookie. And, most important, I see no indication of why ru4.com is being accessed. If it is being accessed because of a redirect, then this cookie behavior is correct and the bug report is invalid.

I still don't see those items, even with the additional packets that you posted. Most important, please include a packet which shows why ru4.com is being accessed. That is, is it because of an image on the aol page, a frame on the aol page, a redirect issued by js on the aol page, ... ? Unless you can show me why ru4.com is being accessed, I have no way of knowing if this bug report is valid or not.
Comment 8 (Reporter)•22 years ago
There are two cases here:

1. www.blox.com; for description: please see comment 2; network packets: attachment 1 and comment 6. Accessing phg.hitbox.com occurs in Packet 81 when running <img src=~{!1!-!1~}> written by JS code (by checking the Page Source).

2. www.aol.com; for description: please see the original bug report; network packets: attachment 2. Accessing ru4.com occurs in Packet 448 when running <script language=~{!-~} src=~{!1!-!1~}> in a pop up.

Does Netscape consider third party cookies the same as IE? In IE 6.0, cookies from hitbox.com and ru4.com are considered as 3rd party cookies.
Sounds like a legitimate bug. Marking CONFIRMED.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 10•21 years ago
Reply to comment 9 (and 8): (I did not try to read the network activity comments.)

There may be two parts in this bug:

* Does "Enable ... originating ..." let an HTTP answer set a cookie for a different domain than the one of its corresponding request? I hope not, or that would be a (first) BUG!

* Do we want to block "third party" cookies also, like the ones from ad servers which get set by "links" inside a page? I don't know, but I would consider it a (second) RFE; then, in that case, I would suggest adding another preference (UI), possibly depending on the existing one.

Depending on the case, Severity should be changed from 'Normal' to 'Major' or to 'Enhancement' !?
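The two distinctions raised in this thread (morse's redirect rule in comment 1, and the "different domain than the request" versus "third-party resource" split in comment 10) are easier to reason about with a small model. The following Python is an added illustration, not Mozilla's cookie code and not from any attachment here: it parses Set-Cookie header values like the ones in the packet trace and applies an "originating site only" policy to each cookie-setting event. The JSESSIONID and hitbox.com events are taken from the trace (cookie values shortened); the "via" labels, the redirect.example host, the constructed_mismatch cookie, and the two-label base-domain rule are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str]  # Domain attribute with any leading dot stripped, or None
    path: str


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (name=value plus ';'-separated
    attributes). Attribute names are matched case-insensitively, so the
    'Set-cookie: ...;path=/' form in packet #7 parses the same way."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path = None, "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = val.strip().lstrip(".").lower() or None
        elif key == "path":
            path = val.strip() or "/"
    return Cookie(name.strip(), value.strip(), domain, path)


def base_domain(host: str) -> str:
    """Assumption for this example: the site is the last two DNS labels.
    A real browser consults a public-suffix list so that e.g. co.uk is
    not mistaken for a site."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_matches(request_host: str, cookie_domain: Optional[str]) -> bool:
    """True if the Domain attribute is absent, or the responding host is the
    cookie domain or a subdomain of it. A response from blox.com carrying
    domain=.hitbox.com fails this check regardless of any site policy."""
    if cookie_domain is None:
        return True
    host = request_host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


@dataclass
class SetCookieEvent:
    request_host: str       # host that sent the response
    originating_host: str   # site the user navigated to (top-level page)
    via: str                # how the request arose: top-level, img, script, frame, redirect
    header: str             # raw Set-Cookie header value


def decide(ev: SetCookieEvent) -> str:
    """Apply the 'originating site only' policy as described in this bug:
    the cookie must be for the responding host's own domain; cookies from
    the originating site are accepted; a host reached by redirect is not
    treated as foreign (comment 1); any other cross-site host is foreign."""
    cookie = parse_set_cookie(ev.header)
    if not domain_matches(ev.request_host, cookie.domain):
        return "reject: domain mismatch"
    if base_domain(ev.request_host) == base_domain(ev.originating_host):
        return "accept: first-party"
    if ev.via == "redirect":
        return "accept: redirected host treated as not foreign"
    return f"reject: foreign cookie set via {ev.via}"


def classify(events: List[SetCookieEvent]) -> List[Tuple[str, str]]:
    return [(parse_set_cookie(e.header).name, decide(e)) for e in events]


# Constructed sample events, based on the packet trace in this bug.
SAMPLE_EVENTS = [
    # Packet #7: blox.com sets its own session cookie on the top-level page
    SetCookieEvent("blox.com", "blox.com", "top-level",
                   "JSESSIONID=www.alphablox.com-afb9%253A3cff6bdb%253A154d46bf1420b8fa;path=/"),
    # Packet #85: phg.hitbox.com, loaded as an <img> from the blox.com page (comment 8)
    SetCookieEvent("phg.hitbox.com", "blox.com", "img",
                   "WSS_GW=V1A; path=/; expires=Fri, 06-Jun-2003 14:04:17 GMT; domain=.hitbox.com"),
    SetCookieEvent("phg.hitbox.com", "blox.com", "img",
                   "WR510713GDBCV6=V1; path=/; domain=phg.hitbox.com"),
    # Constructed: the first case from comment 10, a response claiming another domain
    SetCookieEvent("blox.com", "blox.com", "top-level",
                   "constructed_mismatch=1; domain=.hitbox.com"),
    # Constructed: the redirect case morse describes in comment 1 (hypothetical host)
    SetCookieEvent("redirect.example", "blox.com", "redirect",
                   "bounce=1; path=/"),
]

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_EVENTS):
        print(f"{name:22s} {verdict}")
```

Run as a script it prints one verdict per event: the JSESSIONID cookie is first-party, both hitbox.com cookies are rejected as foreign because the request arose from an embedded image rather than a redirect, the constructed domain-mismatch cookie is rejected before any site policy is consulted, and the redirect case is accepted under the rule morse describes. The redirect branch is exactly the gap the reporters are probing: whether the request came from a redirect or from an `<img>`/`<script>` is information only a transaction log (comment 15's LiveHTTPHeaders suggestion) can supply, which is why morse keeps asking for it.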
Comment 11•21 years ago
It WFM all the time until 1.4a. Now nothing works as expected. See bug 199883 comment 6 and comment 8.
Comment 12•21 years ago
http://www.washingtonpost.com/wp-dyn/articles/A15034-2003Jun4.html?nav=hptop_ts leaves persistent Doubleclick cookies in 1.2.1 cookie store, due to a Doubleclick image apparently written to the page through javascript. I haven't examined the html source carefully enough to see if it's in an internal frame or anything like that. I think "enable cookies from originating site only" is supposed to suppress exactly this type of cookie. If not, I'd be curious as to what cookies it IS supposed to suppress.
Comment 13•21 years ago
Re comment 12: Please check with a recent build, like v1.4rc1. (v1.2.1 is outdated now; and v1.4.x is going to replace v1.0.x.)
Comment 15•21 years ago
i'm going to have to repeat morse's statement here: it'd be a great help to have a sane http transaction log for the site. for a trivial way to do this, get the 'livehttpheaders' extension (from mozdev.org), it plugs into mozilla and will log the stuff you need.
Comment 16•21 years ago
Answering Comment 13 and Comment 15: I tested this on Mozilla 1.4 released this week - useragent Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 - and I get similar results to what is described in the original bug report. If I go to OSNews.com with "Originating site cookies only", a cookie for valueclick.com is set on my computer. If I remove that cookie and refresh the page (to make sure it was not set at another site), the cookie reappears. I have attached the LiveHTTPHeaders for my transaction with OSNews. What is curious is that three other third party websites also tried to set cookies in that same request but those were not accepted by my browser - see attachment OSNEWS_LIVEHTTPHEADERS. (a.tribalfusion.com, s0b.bluestreak.com and bilbo.counted.com)
Comment 17•19 years ago
*** This bug has been marked as a duplicate of 299160 ***
Status: NEW → RESOLVED
Closed: 22 years ago → 19 years ago
Resolution: --- → DUPLICATE