Closed Bug 253763 Opened 21 years ago Closed 21 years ago

firefox sending cookies to wrong site if the top level domain is a country code.

Categories

(Firefox :: General, defect)

x86
All
defect
Not set
major

Tracking

VERIFIED DUPLICATE of bug 252342

People

(Reporter: knk7uyt02, Assigned: bugzilla)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040712 Firefox/0.9.1+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040712 Firefox/0.9.1+

Apparently, cookies from sites with a 2 letter country code for a top level domain are saved with the wrong domain name (.com.xx not .site.com.xx). When visiting theage.com.au, I got a couple of javascript cookies from an advertiser. These were saved with a domain of .com.au. I then went to www.news.com.au and checked my proxy log files. I saw that these cookies received from theage.com.au were sent to news.com.au.

Reproducible: Always

Steps to Reproduce:
1. Clear cache & cookies, go to a site with a 2 letter country code tld, http://www.theage.com.au/
2. Verify cookies with domain of .com.au received.
3. Go to another site with same tld, http://www.news.com.au/

Actual Results:
Viewed proxy logs. Cookies from theage.com.au were sent to news.com.au

Expected Results:
No cookie data from theage.com.au should have been sent to news.com.au. Cookies from www.theage.com.au should have a domain of .theage.com.au

Running zip build. Posted bug to mozillazine, had it verified by someone running latest nightly. These cookies were set via js. If they change ad server, those cookies might not be received. I'm sure it shouldn't be too hard to find other sites though. I would say this is a privacy issue, probably a security issue also.
I see this in Firefox 0.9+ (7/30) and Mozilla 1.7 on linux.
OS: Windows XP → All
Sounds like bug 9422
This is exactly bug 9422, which was closed because popular website practice doesn't follow the spec. It's not the first time. However I believe the specific reason given for the "won't fix" in bug 8743 comment 2 is no longer applicable, because we now treat the leading "." problem differently. cc:ing the cookie contingent.
*** This bug has been marked as a duplicate of 252342 ***
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
verified for now, going to check again when bug is opened. since 252342 is security should this be security as well?
Status: RESOLVED → VERIFIED
nah, world+dog knows about this. 252342 shouldn't really be security either.
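The behaviour in the report, as an added example that is not part of the bug thread or Mozilla's code: a suffix-only domain check accepts `Domain=.com.au` from www.theage.com.au, while a check that also consults a list of registry-controlled suffixes rejects it. The function names and the three-entry suffix set are assumptions made for illustration; a real client would load the full Public Suffix List.

```javascript
// Constructed excerpt of registry-controlled suffixes (assumption for this
// example); a real client loads the full Public Suffix List instead.
const SAMPLE_SUFFIXES = new Set(["com", "au", "com.au"]);

// Normalise a Domain attribute: lower-case it and drop one leading dot.
function normalize(domain) {
  const d = domain.toLowerCase();
  return d.startsWith(".") ? d.slice(1) : d;
}

// Domain-match: host equals the domain, or host ends with "." + domain.
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = normalize(domain);
  return h === d || h.endsWith("." + d);
}

// Behaviour described in the report: only the suffix match is checked,
// so Domain=.com.au set by www.theage.com.au is stored.
function naiveAccept(requestHost, domainAttr) {
  return domainMatches(requestHost, domainAttr);
}

// Hardened check: also refuse a Domain attribute that is itself a
// registry-controlled suffix, so a cookie can never span unrelated sites.
function strictAccept(requestHost, domainAttr, suffixes = SAMPLE_SUFFIXES) {
  const d = normalize(domainAttr);
  if (!domainMatches(requestHost, d)) return false;
  return !suffixes.has(d);
}

// Which of `hosts` would later receive a cookie that `setterHost` tried to
// store with `domainAttr`, under the given acceptance policy?
function recipients(setterHost, domainAttr, hosts, accept) {
  if (!accept(setterHost, domainAttr)) return [];
  return hosts.filter((h) => domainMatches(h, domainAttr));
}

// Hosts taken from the report's steps to reproduce.
const HOSTS = ["www.theage.com.au", "www.news.com.au"];
console.log("naive :", recipients(HOSTS[0], ".com.au", HOSTS, naiveAccept));
console.log("strict:", recipients(HOSTS[0], ".com.au", HOSTS, strictAccept));
console.log("scoped:", recipients(HOSTS[0], ".theage.com.au", HOSTS, strictAccept));
```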