The default bug view has changed. See this FAQ.

mailnews allows cookies, despite the pref

RESOLVED FIXED in mozilla1.8beta1

Status

()

Core
Networking: Cookies
--
major
RESOLVED FIXED
13 years ago
12 years ago

People

(Reporter: Michiel van Leeuwen (email: mvl+moz@), Assigned: Darin Fisher)

Tracking

({fixed-aviary1.0, fixed1.4.4, fixed1.7.5})

Trunk
mozilla1.8beta1
x86
Linux
fixed-aviary1.0, fixed1.4.4, fixed1.7.5
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

Even if you have the pref (network.cookie.disableCookieForMailNews) set,
mailnews still allows cookies.
This is because MOZ_MAIL_NEWS is not defined in cpp files. And the code to check
if cookies are from mailnews is inside #ifdef MOZ_MAIL_NEWS blocks. So the
blocks are not compiled. (checked by adding garbage in the blocks, and gcc
didn't complain about it. And i do have mailnews enabled)

A solution would be to do like
http://lxr.mozilla.org/seamonkey/source/calendar/libxpical/Makefile.in#86 but
that looks like a hack.

Filing in cookies, because that is where the code lives.
(Reporter)

Comment 1

13 years ago
blames says mconnor added the #ifdef's
(Assignee)

Comment 2

13 years ago
Created attachment 165053 [details] [diff] [review]
v1 patch
(Assignee)

Updated

13 years ago
Attachment #165053 - Flags: superreview?(bienvenu)
Attachment #165053 - Flags: review?(mvl)
(Assignee)

Updated

13 years ago
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta
(Assignee)

Comment 3

13 years ago
Since thunderbird compiles with --disable-cookies, this bug should only affect
seamonkey.  I think it affects Mozilla 1.7.3 :-(
Flags: blocking1.7.x?
(Reporter)

Updated

13 years ago
Attachment #165053 - Flags: review?(mvl) → review+

Comment 4

13 years ago
(In reply to comment #3)
> Since thunderbird compiles with --disable-cookies, this bug should only affect
> seamonkey.

Unfortunately thunderbird still uses cookies. See following bug, mscott hasn't
ok'ed the patch yet.

https://bugzilla.mozilla.org/show_bug.cgi?id=250931#c3

Updated

13 years ago
Attachment #165053 - Flags: superreview?(bienvenu) → superreview+
(Assignee)

Comment 5

13 years ago
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
(Assignee)

Updated

13 years ago
Attachment #165053 - Flags: approval1.7.x?
Attachment #165053 - Flags: approval-aviary?

Comment 6

13 years ago
Comment on attachment 165053 [details] [diff] [review]
v1 patch

a=mkaply for 1.7
Attachment #165053 - Flags: approval1.7.x? → approval1.7.x+
(Assignee)

Comment 7

13 years ago
fixed1.7.x
Keywords: fixed1.7.x

Updated

13 years ago
Flags: blocking1.7.5?

Comment 8

13 years ago
A belated comment here. Thunderbird doesn't build the cookies directory (we
don't list cookies in our list of extensions in mail\mozconfig) so we don't
build anything in this directory. As such I wouldn't think we would need this
patch for the Thunderbird branch. 

Then again I'm constantly getting myself confused on the cookies issue with
Thunderbird :)

Comment 9

13 years ago
the cookie backend resides in necko now, so if you build necko, you build cookies ;)

unless you specify the --disable-cookies build option I provided.

Comment 10

13 years ago
just to clarify that: while thunderbird builds the cookie backend, you're right
that it doesn't build the seamonkey-mailnews pref code that lives in
extensions/cookie, making this patch irrelevant.

for tbird, it's still possible to disable cookies at runtime by using the
network.cookie.cookieBehavior pref. (the default for this is still 'use p3p'.)
(In reply to comment #8)
> A belated comment here. Thunderbird doesn't build the cookies directory 

what about bug 250931 comment 7?

Comment 12

13 years ago
(In reply to comment #10)
> just to clarify that: while thunderbird builds the cookie backend, you're right
> that it doesn't build the seamonkey-mailnews pref code that lives in
> extensions/cookie, making this patch irrelevant.
> 
> for tbird, it's still possible to disable cookies at runtime by using the
> network.cookie.cookieBehavior pref. (the default for this is still 'use p3p'.)

Does this mean that setting network.cookie.disableCookieForMailNews to true
(which it is for thunderbid on the branch and trunk)has no effect at all
anymore? And we have to set network.cookie.cookieBehavior to 2 to really disable
cookies at run time? 

/me smells a respin coming....

Comment 13

13 years ago
(In reply to comment #12)
> Does this mean that setting network.cookie.disableCookieForMailNews to true
> (which it is for thunderbid on the branch and trunk)has no effect at all
> anymore? And we have to set network.cookie.cookieBehavior to 2 to really disable
> cookies at run time? 

Correct. Thunderbird doesn't build the code that deals with those prefs (in
ext/cookie), so it gets only the barebones GRE-oriented prefs.

If you want finer control over cookies than just enable/disable, the way to do
it is to roll your own nsICookiePermission impl - that's the code that lives in
ext/cookie. (For instance, allowing only for RSS fu, or whatever). If you'd like
to do that, we can help... send me a mail if you want to get in touch over aim.

Comment 14

13 years ago
thanks for explaining all that Dan. I think we just want to set the pref right
now for the respin and then consider either your disable-cookies patch or adding
our own implementation so we could potentially allow cookies for RSS messages on
the trunk.

Comment 15

13 years ago
Created attachment 167985 [details] [diff] [review]
set network.cookie.cookieBehavior to don't use for tbird

Comment 16

13 years ago
the pref change has been checked into the 1.0 branch for the respin.
Keywords: fixed-aviary1.0
Scott or Dan - can you help QA out on how we can verify this bug? thanks.

Comment 18

13 years ago
steps to QA (seamonkey mailnews), thanks to mvl for help:

send yourself an html mail of the following source:

<html>
<head>
<meta http-equiv="Set-Cookie" content="feedme=1;max-age=1000">
</head>
<body>
hi!
</body>
</html>

set your network.cookie.disableCookieForMailNews pref to false (e.g. edit pref
file), open mailnews, view mail (in 'original html' mode), close mailnews, check
if the cookie is set in your cookies.txt file (profile directory). it should be.

delete cookies.txt, set the pref to true, and repeat - should be no cookie (in
fact no cookies.txt since you deleted it).

i've confirmed this works with tbird now, just using the "disable cookies" pref,
but this is different to the mailnews case.

Updated

12 years ago
Blocks: 248511
Security Advisories published, clearing confidential flag
Group: security
Keywords: fixed1.4.4

Updated

12 years ago
Attachment #165053 - Flags: approval-aviary?
You need to log in before you can comment on or make changes to this bug.