Bug 268107 - mailnews allows cookies, despite the pref
Status: RESOLVED FIXED
: fixed-aviary1.0, fixed1.4.4, fixed1.7.5
Product: Core
Classification: Components
Component: Networking: Cookies
: Trunk
: x86 Linux
: -- major
: mozilla1.8beta1
Assigned To: Darin Fisher
: Patrick McManus [:mcmanus]
Blocks: 248511
Reported: 2004-11-06 07:51 PST by Michiel van Leeuwen (email: mvl+moz@)
Modified: 2005-04-06 19:58 PDT


Attachments
v1 patch (610 bytes, patch)
2004-11-07 13:34 PST, Darin Fisher
mvl: review+
mozilla: superreview+
mozilla: approval1.7.5+
set network.cookie.cookieBehavior to don't use for tbird (675 bytes, patch)
2004-12-05 20:39 PST, Scott MacGregor
no flags

Description Michiel van Leeuwen (email: mvl+moz@) 2004-11-06 07:51:21 PST
Even if you have the pref (network.cookie.disableCookieForMailNews) set,
mailnews still allows cookies.
This is because MOZ_MAIL_NEWS is not defined in cpp files. And the code to check
if cookies are from mailnews is inside #ifdef MOZ_MAIL_NEWS blocks. So the
blocks are not compiled. (Checked by adding garbage in the blocks, and gcc
didn't complain about it. And I do have mailnews enabled.)

A solution would be to do like
http://lxr.mozilla.org/seamonkey/source/calendar/libxpical/Makefile.in#86 but
that looks like a hack.

Filing in cookies, because that is where the code lives.
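
The failure mode reported above, as an added example that is not Mozilla source and not the patch attached to this bug: a policy check wrapped in #ifdef disappears without any diagnostic when the macro never reaches the .cpp file, so the function fails open. Only MOZ_MAIL_NEWS and the pref name come from the report; the function names, the types and EXAMPLE_MAIL_NEWS are hypothetical.

```cpp
// Added illustration; not Mozilla source. Only MOZ_MAIL_NEWS and the pref name
// come from the bug report; every other identifier is hypothetical.
#include <cstdio>

// Model the reported build: this .cpp file is compiled without -DMOZ_MAIL_NEWS.
#undef MOZ_MAIL_NEWS

struct CookiePrefs { bool disableCookieForMailNews; };
enum class Origin { Browser, MailNews };

// Reported pattern: the policy check exists only when the macro is defined.
// With the macro absent the block is discarded and the function fails open.
bool AllowCookieIfdef(const CookiePrefs& prefs, Origin origin) {
#ifdef MOZ_MAIL_NEWS
    if (origin == Origin::MailNews && prefs.disableCookieForMailNews)
        return false;
#endif
    (void)prefs; (void)origin;
    return true;
}

// Defensive pattern: the build must define the switch to 0 or 1, so a missing
// define stops compilation. The #define below stands in for the build system.
#define EXAMPLE_MAIL_NEWS 1
#if !defined(EXAMPLE_MAIL_NEWS)
#  error "EXAMPLE_MAIL_NEWS must be defined to 0 or 1 for this file"
#endif

bool AllowCookieChecked(const CookiePrefs& prefs, Origin origin) {
#if EXAMPLE_MAIL_NEWS
    if (origin == Origin::MailNews && prefs.disableCookieForMailNews)
        return false;
#endif
    (void)prefs; (void)origin;
    return true;
}

int main() {
    CookiePrefs prefs{true};  // pref set: mail/news content must not set cookies
    std::printf("ifdef variant allows mailnews cookie:   %d\n",
                AllowCookieIfdef(prefs, Origin::MailNews));
    std::printf("checked variant allows mailnews cookie: %d\n",
                AllowCookieChecked(prefs, Origin::MailNews));
    return 0;
}
```

With the `#if` form, gcc's -Wundef also warns when the identifier is undefined, and a unit test asserting that a mail/news origin is denied while the pref is set catches the regression whichever form is used.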
Comment 1 Michiel van Leeuwen (email: mvl+moz@) 2004-11-07 09:10:26 PST
blame says mconnor added the #ifdefs
Comment 2 Darin Fisher 2004-11-07 13:34:25 PST
Created attachment 165053
v1 patch
Comment 3 Darin Fisher 2004-11-07 13:37:53 PST
Since thunderbird compiles with --disable-cookies, this bug should only affect
seamonkey.  I think it affects Mozilla 1.7.3 :-(
Comment 4 dwitte@gmail.com 2004-11-07 17:06:46 PST
(In reply to comment #3)
> Since thunderbird compiles with --disable-cookies, this bug should only affect
> seamonkey.

Unfortunately thunderbird still uses cookies. See following bug, mscott hasn't
ok'ed the patch yet.

https://bugzilla.mozilla.org/show_bug.cgi?id=250931#c3
Comment 5 Darin Fisher 2004-11-08 14:18:13 PST
fixed-on-trunk
Comment 6 Mike Kaply [:mkaply] 2004-11-09 05:58:33 PST
Comment on attachment 165053
v1 patch

a=mkaply for 1.7
Comment 7 Darin Fisher 2004-11-09 11:52:58 PST
fixed1.7.x
Comment 8 Scott MacGregor 2004-12-05 00:33:49 PST
A belated comment here. Thunderbird doesn't build the cookies directory (we
don't list cookies in our list of extensions in mail\mozconfig) so we don't
build anything in this directory. As such I wouldn't think we would need this
patch for the Thunderbird branch. 

Then again I'm constantly getting myself confused on the cookies issue with
Thunderbird :)
Comment 9 dwitte@gmail.com 2004-12-05 00:52:59 PST
the cookie backend resides in necko now, so if you build necko, you build cookies ;)

unless you specify the --disable-cookies build option I provided.
Comment 10 dwitte@gmail.com 2004-12-05 01:02:12 PST
just to clarify that: while thunderbird builds the cookie backend, you're right
that it doesn't build the seamonkey-mailnews pref code that lives in
extensions/cookie, making this patch irrelevant.

for tbird, it's still possible to disable cookies at runtime by using the
network.cookie.cookieBehavior pref. (the default for this is still 'use p3p'.)
Comment 11 Christian :Biesinger (don't email me, ping me on IRC) 2004-12-05 06:21:12 PST
(In reply to comment #8)
> A belated comment here. Thunderbird doesn't build the cookies directory 

what about bug 250931 comment 7?
Comment 12 Scott MacGregor 2004-12-05 09:17:26 PST
(In reply to comment #10)
> just to clarify that: while thunderbird builds the cookie backend, you're right
> that it doesn't build the seamonkey-mailnews pref code that lives in
> extensions/cookie, making this patch irrelevant.
> 
> for tbird, it's still possible to disable cookies at runtime by using the
> network.cookie.cookieBehavior pref. (the default for this is still 'use p3p'.)

Does this mean that setting network.cookie.disableCookieForMailNews to true
(which it is for thunderbird on the branch and trunk) has no effect at all
anymore? And we have to set network.cookie.cookieBehavior to 2 to really disable
cookies at run time? 

/me smells a respin coming....
Comment 13 dwitte@gmail.com 2004-12-05 14:18:04 PST
(In reply to comment #12)
> Does this mean that setting network.cookie.disableCookieForMailNews to true
> (which it is for thunderbird on the branch and trunk) has no effect at all
> anymore? And we have to set network.cookie.cookieBehavior to 2 to really disable
> cookies at run time? 

Correct. Thunderbird doesn't build the code that deals with those prefs (in
ext/cookie), so it gets only the barebones GRE-oriented prefs.

If you want finer control over cookies than just enable/disable, the way to do
it is to roll your own nsICookiePermission impl - that's the code that lives in
ext/cookie. (For instance, allowing only for RSS fu, or whatever). If you'd like
to do that, we can help... send me a mail if you want to get in touch over aim.
Comment 14 Scott MacGregor 2004-12-05 15:30:36 PST
thanks for explaining all that Dan. I think we just want to set the pref right
now for the respin and then consider either your disable-cookies patch or adding
our own implementation so we could potentially allow cookies for RSS messages on
the trunk.

Comment 15 Scott MacGregor 2004-12-05 20:39:03 PST
Created attachment 167985
set network.cookie.cookieBehavior to don't use for tbird
Comment 16 Scott MacGregor 2004-12-05 20:40:55 PST
the pref change has been checked into the 1.0 branch for the respin.
Comment 17 Marcia Knous [:marcia - use ni] 2004-12-06 10:11:10 PST
Scott or Dan - can you help QA out on how we can verify this bug? thanks.
Comment 18 dwitte@gmail.com 2004-12-10 04:58:03 PST
steps to QA (seamonkey mailnews), thanks to mvl for help:

send yourself an html mail of the following source:

<html>
<head>
<meta http-equiv="Set-Cookie" content="feedme=1;max-age=1000">
</head>
<body>
hi!
</body>
</html>

set your network.cookie.disableCookieForMailNews pref to false (e.g. edit pref
file), open mailnews, view mail (in 'original html' mode), close mailnews, check
if the cookie is set in your cookies.txt file (profile directory). it should be.

delete cookies.txt, set the pref to true, and repeat - should be no cookie (in
fact no cookies.txt since you deleted it).

i've confirmed this works with tbird now, just using the "disable cookies" pref,
but this is different to the mailnews case.
Comment 19 Daniel Veditz [:dveditz] 2005-01-24 13:40:51 PST
Security Advisories published, clearing confidential flag
