Closed
Bug 223782
Opened 21 years ago
Closed 21 years ago
[cookies] remove support for dom.disable_cookie_[get,set] prefs
Categories
(Core :: Networking: Cookies, defect)
Core
Networking: Cookies
Tracking
()
VERIFIED
FIXED
People
(Reporter: dwitte, Assigned: dwitte)
References
Details
(Whiteboard: checklinux)
Attachments
(2 files, 2 obsolete files)
11.51 KB,
patch
|
Details | Diff | Splinter Review | |
5.11 KB,
patch
|
Details | Diff | Splinter Review |
it's nonsensical to have a pref for one specific mode of getting/setting a cookie, and not for the others... i don't think we should have these prefs anymore. in addition, they cause a constant pain to both users and bug triagers because the UI for these is hidden away separately from the main cookie prefs. so, if there are no objections, i'd like to go ahead and nuke them...
Assignee | ||
Comment 1•21 years ago
|
||
this removes the backend + UI for the prefs. (it also removes some unnecessary nsIPrompt fu in nsHTMLDocument, since the cookieservice doesn't do anything with that inparam anymore. we'll rev the interface to remove it soon, but i might as well remove some bloat now, while i'm in there). i'd like to get reviews from caillon and jag/alecf here, if that's agreeable...
Assignee | ||
Updated•21 years ago
|
Attachment #134219 -
Flags: superreview?(alecf)
Attachment #134219 -
Flags: review?(caillon)
Comment 2•21 years ago
|
||
I dunno.. don't look at this from a cookie perspective, look at this from a script perspective. This is just one of many pieces of script granularity in that pref pane. I'm going to theorize that setting a cookie from an HTTP header requires control of the server, whereas using a script allows pages like those on geocities to change cookies. (I could at least be partly wrong in that <meta> tags might allow you to set cookies, though I believe sites like geocities don't allow you to set <meta> tags, you can only edit the body of the document) is there CVS blame for this pref, and justification in whatever bug this was? I would be interested to know if anyone uses this setting for a particular purpose. Anyway, I'm not totally against this, I just want to see better justification than "it's nonsensical..."
Comment 3•21 years ago
|
||
>(I could at least be partly wrong in that <meta> tags might
>allow you to set cookies, though I believe sites like geocities don't allow you
>to set <meta> tags, you can only edit the body of the document)
hmm.. couldn't a page on geocities document.write the <meta> tag? anyways, i
think we parse <meta> tags that appear in the <body> section to account for
authors who forget to put them in the <head> section.
if we disable document.cookies, then it seems like we should also disable
setting cookies via <meta> tags. otherwise, it does seem pretty bogus.
Assignee | ||
Comment 4•21 years ago
|
||
>I could at least be partly wrong in that <meta> tags might allow you to set >cookies yeah, like darin said, you can set cookies from metatags :) >is there CVS blame for this pref it looks like the original bug here was bug 75731, where mpt drew up a spec for the prefpanel which included the cookie prefs: http://bugzilla.mozilla.org/attachment.cgi?id=49497&action=view i grepped around the bug and didn't find any arguments as to why that particular pref should exist. >I just want to see better justification than "it's nonsensical..." fair enough :) in addition to darin's argument (which doesn't alone justify removal), i'd say the best reason for removing it is that it's inconsistent with the other prefs there. the other prefs deal with visual things that shouldn't affect script function - the script doesn't care if moving/resizing a window failed; it just might mess up the layout a bit. cookies are different. blocking cookies from a script or site very often breaks it, and it's up to the user to figure out what caused that breakage (or come here and file a bug). for that reason, i'd argue that blocking cookies for all scripts is not a useful thing to do. we have another mechanism for blocking particular sites from manipulating cookies - the permissionmanager. i think it's more logical to control cookies on a site-by-site basis than on a mechanism basis, and i don't think we need both.
Comment 5•21 years ago
|
||
Comment on attachment 134219 [details] [diff] [review] nuke'm sounds reasonable to me then! thanks for going into it a bit more. The code removal looks good... and you're sure we don't need that prompter.. sr=alecf
Attachment #134219 -
Flags: superreview?(alecf) → superreview+
Comment 6•21 years ago
|
||
hmm... i know the cookies backend can usually get a prompter from the channel, but what if the channel does not have one? is there value in providing one explicitly? ... because at least in this case, we seem to know that we can get the right one. :-/
Assignee | ||
Comment 7•21 years ago
|
||
yeah mvl and i were just talking about that... currently of course we do nothing with the nsIPrompt that's passed in, so as it stands the removal is fine, but maybe we do want to use a passed-in prompter if the channel's one is fubar. or should the nsHTMLDocument code just set the channel's prompter itself? so i'll forego the removal of the prompter code and just save it for another bug, then. ;)
Comment 8•21 years ago
|
||
Comment on attachment 134219 [details] [diff] [review] nuke'm I think I own the actual cvsblame for this, by way of a patch from doron. Anyway, benc and I have had discussions about this and have come to the conclusion that this pref needs to go. Aside from the afore mentioned reasons, benc notes that it confuses users who read about the scripts prefs one of the many "tips" sites which reference this panel. They see the prefs here and think these prefs are the main cookie get/set prefs. This patch is generally fine, however we need to (properly) address the issue that this got checked in for: we cannot throw exceptions if the cookie service does not exist. The existing route did a lame job of it by making you set the pref. nsHTMLDocument::GetCookie and SetCookie should never fail unless we are propogating an OOM error. Also, I'd like to see jst's input on this patch since he was heavily involved with this going in to the tree.
Attachment #134219 -
Flags: review?(caillon) → review-
Assignee | ||
Comment 9•21 years ago
|
||
thanks for the tight review caillon! this puts the prompt fu back in per darin, and fixes the error propagation for the no-cookieservice case.
Attachment #134219 -
Attachment is obsolete: true
Comment 10•21 years ago
|
||
Comment on attachment 134298 [details] [diff] [review] round 2 Index: content/html/document/src/nsHTMLDocument.cpp >+ // not having a cookie service isn't an error >+ nsCOMPtr<nsICookieService> service = do_GetService(kCookieServiceCID); > if (service) { ... >+ rv = service->GetCookieString(codebaseURI, mChannel, getter_Copies(cookie)); > if (NS_SUCCEEDED(rv) && cookie) > CopyASCIItoUCS2(nsDependentCString(cookie), aCookie); > } > return rv; > } nit: and GetCookieString only fails if there is an out-of-memory condition? that isn't required by the interface is it? doesn't that make this somewhat fragile? sr=darin (but maybe still get jst's approval per caillon)
Attachment #134298 -
Flags: superreview+
Assignee | ||
Comment 11•21 years ago
|
||
Comment on attachment 134298 [details] [diff] [review] round 2 yeah, it would be safer to not propagate rv from GetCookieString() and SetCookieString(). caillon said he's ok with the patch if i make that change. jst, with that in mind, care to do the honors? ;)
Attachment #134298 -
Flags: review?(jst)
Comment 12•21 years ago
|
||
Comment on attachment 134298 [details] [diff] [review] round 2 Yeah, r=jst with that change.
Attachment #134298 -
Flags: review?(jst) → review+
Assignee | ||
Comment 13•21 years ago
|
||
this is what i checked in.
Attachment #134298 -
Attachment is obsolete: true
Assignee | ||
Comment 14•21 years ago
|
||
i missed a bunch of all.js files sprawled around the tree, in my original patch. this covers them.
Assignee | ||
Comment 15•21 years ago
|
||
mkaply, any chance you could check in http://bugzilla.mozilla.org/attachment.cgi?id=134794&action=view (it touches mail/ and browser/) ? thanks!
Comment 16•21 years ago
|
||
*** Bug 143810 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 17•21 years ago
|
||
urgh, i didn't notice that older bug... thanks jesse!
Comment 18•21 years ago
|
||
Fix checked in to composer, browser, mail, calendar
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 19•21 years ago
|
||
Does this mean it's no longer possible to allow server cookies for a domain (e.g. mozillazine.com) and concurrently disable JavaScript access to cookies on that domain? I've had dom.disable_cookie_[get,set] set to false for all sites to prevent the possibility of "cookie-grabber" code from gaining access to my cookies. This is a valid concern on all sites with dynamic user-created content (e.g. forums, gaming sites). Websites rarely use scripting for essential cookies, and I'd like to be able to universally disable that mechanism. If it's possible to achieve this with a CAPS policy, please post that information here for the sake of people who have been relying on dom.disable_cookie_[get,set] up to this point.
Comment 20•21 years ago
|
||
capability.policy.default.HTMLDocument.cookie.get and capability.policy.default.HTMLDocument.cookie.set can be set to noAccess
Comment 21•21 years ago
|
||
Thanks very much, Boris. Good to know there's also a possibility of scripted cookie whitelisting through CAPS policies.
Comment 22•20 years ago
|
||
V/fixed. Mozilla 1.6f, Mac OS X.
Status: RESOLVED → VERIFIED
QA Contact: cookieqa → benc
Whiteboard: checkwin checklinux
You need to log in
before you can comment on or make changes to this bug.
Description
•