Even if you have the pref (network.cookie.disableCookieForMailNews) set, mailnews still allows cookies. This is because MOZ_MAIL_NEWS is not defined in cpp files. And the code to check if cookies are from mailnews is inside #ifdef MOZ_MAIL_NEWS blocks. So the blocks are not compiled. (checked by adding garbage in the blocks, and gcc didn't complain about it. And i do have mailnews enabled) A solution would be to do like http://lxr.mozilla.org/seamonkey/source/calendar/libxpical/Makefile.in#86 but that looks like a hack. Filing in cookies, because that is where the code lives.
blames says mconnor added the #ifdef's
Since thunderbird compiles with --disable-cookies, this bug should only affect seamonkey. I think it affects Mozilla 1.7.3 :-(
Comment on attachment 165053 [details] [diff] [review] v1 patch a=mkaply for 1.7
A belated comment here. Thunderbird doesn't build the cookies directory (we don't list cookies in our list of extensions in mail\mozconfig) so we don't build anything in this directory. As such I wouldn't think we would need this patch for the Thunderbird branch. Then again I'm constantly getting myself confused on the cookies issue with Thunderbird :)
the cookie backend resides in necko now, so if you build necko, you build cookies ;) unless you specify the --disable-cookies build option I provided.
just to clarify that: while thunderbird builds the cookie backend, you're right that it doesn't build the seamonkey-mailnews pref code that lives in extensions/cookie, making this patch irrelevant. for tbird, it's still possible to disable cookies at runtime by using the network.cookie.cookieBehavior pref. (the default for this is still 'use p3p'.)
(In reply to comment #8) > A belated comment here. Thunderbird doesn't build the cookies directory what about bug 250931 comment 7?
(In reply to comment #10) > just to clarify that: while thunderbird builds the cookie backend, you're right > that it doesn't build the seamonkey-mailnews pref code that lives in > extensions/cookie, making this patch irrelevant. > > for tbird, it's still possible to disable cookies at runtime by using the > network.cookie.cookieBehavior pref. (the default for this is still 'use p3p'.) Does this mean that setting network.cookie.disableCookieForMailNews to true (which it is for thunderbid on the branch and trunk)has no effect at all anymore? And we have to set network.cookie.cookieBehavior to 2 to really disable cookies at run time? /me smells a respin coming....
(In reply to comment #12) > Does this mean that setting network.cookie.disableCookieForMailNews to true > (which it is for thunderbid on the branch and trunk)has no effect at all > anymore? And we have to set network.cookie.cookieBehavior to 2 to really disable > cookies at run time? Correct. Thunderbird doesn't build the code that deals with those prefs (in ext/cookie), so it gets only the barebones GRE-oriented prefs. If you want finer control over cookies than just enable/disable, the way to do it is to roll your own nsICookiePermission impl - that's the code that lives in ext/cookie. (For instance, allowing only for RSS fu, or whatever). If you'd like to do that, we can help... send me a mail if you want to get in touch over aim.
thanks for explaining all that Dan. I think we just want to set the pref right now for the respin and then consider either your disable-cookies patch or adding our own implementation so we could potentially allow cookies for RSS messages on the trunk.
Created attachment 167985 [details] [diff] [review] set network.cookie.cookieBehavior to don't use for tbird
the pref change has been checked into the 1.0 branch for the respin.
Scott or Dan - can you help QA out on how we can verify this bug? thanks.
steps to QA (seamonkey mailnews), thanks to mvl for help: send yourself an html mail of the following source: <html> <head> <meta http-equiv="Set-Cookie" content="feedme=1;max-age=1000"> </head> <body> hi! </body> </html> set your network.cookie.disableCookieForMailNews pref to false (e.g. edit pref file), open mailnews, view mail (in 'original html' mode), close mailnews, check if the cookie is set in your cookies.txt file (profile directory). it should be. delete cookies.txt, set the pref to true, and repeat - should be no cookie (in fact no cookies.txt since you deleted it). i've confirmed this works with tbird now, just using the "disable cookies" pref, but this is different to the mailnews case.
Security Advisories published, clearing confidential flag
12 years ago