Closed
Bug 180983
Opened 22 years ago
Closed 22 years ago
Mail send cookies while opening TAG elements (LINK/CSS)
Categories
(Core :: Networking: Cookies, defect)
Core
Networking: Cookies
Tracking
()
mozilla1.4beta
People
(Reporter: afucs, Assigned: darin.moz)
References
Details
(Whiteboard: [need info])
Attachments
(1 file)
|
1.48 KB,
text/plain
|
Details |
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.2b) Gecko/20021016
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.2b) Gecko/20021016
I was testing some HTML Mail features and I did notice that Mozilla Mail does
send Cookies even if Disable cookies in Mail & News is selected:
My Mozilla settings are:
- Enable cookies for the originating web site only
- Disable cookies in Mail & Newsgroups
I'm not sure if this bug should be seen as a duplicate bug of any of the
following bugs:
- 22994
- 63525
- 146122
- 160315
Also note that I'm submiting this bug as a bug because I was not able to
reproduce a similar result with Outlook and Outlook Express. Using theses
products I was able to open the <LINK HREF> document but not to "see" the cookie
stored in Internet Explorer.
Reproducible: Always
Steps to Reproduce:
1. Visit URL to set the cookie
2. Open email with <LINK> or <IMG> tags.
Actual Results:
The logfile registered the cookie set on the browser as being sent by the mail &
news program.
I'm sending the sources of every file involved on this "bug"
--start info.php---
<?
$notid = "aaaaaa";
setcookie('sgi', $notid, time()+(7700));
?>
bla bla bla
--end info.php---
--start mail_source.html---
To: afucs@cfsec.com.br
Subject: test
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: do-not-cross <dnc@cfsec.com.br>
<html>
<head>
<link href=http://10.0.0.1/~afucs/teste/1234 rel="stylesheet" type="text/css">
</head>
<body>
<p class="padrao">teste com trace no link teste teste teste</p>
</body>
</html>
--end mail_source.html---
--start logfile---
200.165.217.65 - - [19/Nov/2002:20:30:21 -0200] "GET /~afucs/teste/1234
HTTP/1.1" 302 316 sgi=aaaaaa
--end logfile---
|
||
Comment 1•22 years ago
|
||
To cookies. Darin, any idea what's up here?
Assignee: ben → morse
Status: UNCONFIRMED → NEW
Component: Preferences → Cookies
Ever confirmed: true
QA Contact: sairuh → tever
|
Assignee | |
Comment 2•22 years ago
|
||
this happens because there is no documentURI associated with the channel created
by the CSS loader. see nsIHttpChannelInternal. cookies depends on the
documentURI in order to implement third party cookie blocking as well as cookie
blocking from mailnews. if the documentURI is NULL, i think the cookie module
defaults to allowing cookies.
basically, the documentURI solution is a real hack, and will continuously result
in similar problems. we really need a better solution for determining the
original document URI (the toplevel URI the user loaded).
upping severity to major.
Severity: normal → major
OS: MacOS X → All
Hardware: Macintosh → All
|
|
||
Comment 3•22 years ago
|
||
Note that I could try to fix this for CSS by getting the document the CSS is
loading for and using its uri. But this would not be the toplevel uri; it would
be the uri of the document. So:
<iframe src="data:text/html,<link rel='stylesheet' href='something'>">
would still be a problem....
|
Reporter | |
Comment 4•22 years ago
|
||
Please ignore reference to the IMG tag on the original post. Seems to be a
netscape 4.? exclusivity.
Summary: Mail send cookies while opening TAG elements (LINK/CSS and IMG) → Mail send cookies while opening TAG elements (LINK/CSS)
|
|
||
Comment 5•22 years ago
|
||
Hmm.. Images seem to pass along the URI of the document the imageframe's content
node is in, which is not what the documentURI is really supposed to be... or is it?
|
|
Assignee | |
Comment 6•22 years ago
|
||
the documentURI should be the imap:// URL (or whatever toplevel mailnews URL)
... sounds like cookie blocking for images in mailnews is also broken then. i
mean, it works fine if the image is embedded in the toplevel document, but as
soon as it is part of a frame, cookies won't be blocked.
we SO need a better way of determining the topmost document URI. perhaps now is
time to think about walking the docshell heirarchy instead?!?
|
|
||
Comment 7•22 years ago
|
||
That may be the way to go... keep going up till we hit a chrome docshell, then
return the one right below that....
I assume the channel creator would be doing the walking, right? Since the
channel does not know about docshells? So we could create a helper function
that takes something like a document or whatever and returns the documentURI to
set on the channel. Then we can fix the callers and improve the helper at our
leisure?
|
|
Assignee | |
Comment 8•22 years ago
|
||
what would be even better is if we could completely eliminate the document URI
and just use some other information to allow cookies to determine the toplevel
docshell (the topmost _active_ docshell that is... link clicks in a frame might
mean that the topmost docshell is not the right "first-party" URL). load groups
could be this state info, but sadly not all channels get assigned load groups.
you see, there's also the problem that not all channels implement
nsIHttpChannelInternal (in fact, only HTTP channels implement this interface).
as a result, <meta HTTP-EQUIV="set-cookie" CONTENT="..."> is not prevented from
setting cookies iirc.
so, actually it is possible for SPAM to set and get cookies irrespective of
cookie blocking prefs :-)
Severity: major → critical
|
|
Assignee | |
Comment 9•22 years ago
|
||
|
|
Assignee | |
Comment 10•22 years ago
|
||
nevermind the
<script>
document.cookie = "ZZZZZX=tired";
</script>
in the message source. that isn't important since javascript is usually
disabled for mailnews. the <meta> tag is what does the magic.
|
||
Comment 11•22 years ago
|
||
Should this be marked security-sensitive?
|
|
||
Comment 12•22 years ago
|
||
It's a privacy issue, not a security one...
So in my opinion, no. We should like fix it or something instead.
|
|
Assignee | |
Comment 13•22 years ago
|
||
-> me
Assignee: morse → darin
Target Milestone: --- → mozilla1.3beta
|
|
Assignee | |
Comment 14•22 years ago
|
||
-> 1.4
Status: NEW → ASSIGNED
Target Milestone: mozilla1.3beta → mozilla1.4alpha
|
||
Comment 15•22 years ago
|
||
Could a note be added to the release notes? This is a fairly big privacy gap in
the Mail/News, imho. :)
|
||
Comment 16•22 years ago
|
||
This sounds like a real testing problem.
I like the sound of #8, especially if the calling module would just say who it
is (chat, im, mail, whatever) explicitly.
So, is it possible that there are other cookie holes in MailNews blocking?
MailNewsQA probably needs to find some way of running a set of cookie validation
tests that use most layout entrypoints.
|
|
Assignee | |
Comment 17•22 years ago
|
||
punting to next milestone. going to require some architectural changes to get
it right.
Severity: critical → major
Flags: blocking1.4a?
Target Milestone: mozilla1.4alpha → mozilla1.4beta
|
||
Comment 18•22 years ago
|
||
adt: darin, is this a regression from Netscape 7.0?
Whiteboard: [need info]
|
||
Updated•22 years ago
|
Flags: blocking1.4b?
|
||
Comment 19•22 years ago
|
||
cavin might own a related bug, or a dup.
|
||
Updated•22 years ago
|
Flags: blocking1.4b? → blocking1.4b+
|
|
Assignee | |
Comment 20•22 years ago
|
||
samir: we've always had this bug.
|
|
||
Comment 21•22 years ago
|
||
blocking1.4b+ on bug 22994 which darin says this is a dupe of.
Flags: blocking1.4b+
|
|
Assignee | |
Comment 22•22 years ago
|
||
marking as duplicate
*** This bug has been marked as a duplicate of 22994 ***
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•