268107 - mailnews allows cookies, despite the pref

Status: RESOLVED FIXED

(Core :: Networking: Cookies, defect)

Description

[Michiel van Leeuwen (email: mvl+moz@)]

Even if you have the pref (network.cookie.disableCookieForMailNews) set,
mailnews still allows cookies.
This is because MOZ_MAIL_NEWS is not defined in cpp files. And the code to check
if cookies are from mailnews is inside #ifdef MOZ_MAIL_NEWS blocks. So the
blocks are not compiled. (checked by adding garbage in the blocks, and gcc
didn't complain about it. And i do have mailnews enabled)

A solution would be to do like
http://lxr.mozilla.org/seamonkey/source/calendar/libxpical/Makefile.in#86 but
that looks like a hack.

Filing in cookies, because that is where the code lives.

Comment 1

[Michiel van Leeuwen (email: mvl+moz@)]

blames says mconnor added the #ifdef's

Comment 2

[Darin Fisher]

Attachment: v1 patch

Comment 3

[Darin Fisher]

Since thunderbird compiles with --disable-cookies, this bug should only affect
seamonkey.  I think it affects Mozilla 1.7.3 :-(

Comment 4

[dwitte@gmail.com]

(In reply to comment #3)
> Since thunderbird compiles with --disable-cookies, this bug should only affect
> seamonkey.

Unfortunately thunderbird still uses cookies. See following bug, mscott hasn't
ok'ed the patch yet.

https://bugzilla.mozilla.org/show_bug.cgi?id=250931#c3

Comment 5

[Darin Fisher]

fixed-on-trunk

Comment 6

[Mike Kaply [:mkaply]]

Comment on attachment 165053 [details] [diff] [review]
v1 patch

a=mkaply for 1.7

Comment 7

[Darin Fisher]

fixed1.7.x

Comment 8

[Scott MacGregor]

A belated comment here. Thunderbird doesn't build the cookies directory (we
don't list cookies in our list of extensions in mail\mozconfig) so we don't
build anything in this directory. As such I wouldn't think we would need this
patch for the Thunderbird branch. 

Then again I'm constantly getting myself confused on the cookies issue with
Thunderbird :)

Comment 9

[dwitte@gmail.com]

the cookie backend resides in necko now, so if you build necko, you build cookies ;)

unless you specify the --disable-cookies build option I provided.

Comment 10

[dwitte@gmail.com]

just to clarify that: while thunderbird builds the cookie backend, you're right
that it doesn't build the seamonkey-mailnews pref code that lives in
extensions/cookie, making this patch irrelevant.

for tbird, it's still possible to disable cookies at runtime by using the
network.cookie.cookieBehavior pref. (the default for this is still 'use p3p'.)

Comment 11

[Christian :Biesinger (don't email me, ping me on IRC)]

(In reply to comment #8)
> A belated comment here. Thunderbird doesn't build the cookies directory 

what about bug 250931 comment 7?

Comment 12

[Scott MacGregor]

(In reply to comment #10)
> just to clarify that: while thunderbird builds the cookie backend, you're right
> that it doesn't build the seamonkey-mailnews pref code that lives in
> extensions/cookie, making this patch irrelevant.
> 
> for tbird, it's still possible to disable cookies at runtime by using the
> network.cookie.cookieBehavior pref. (the default for this is still 'use p3p'.)

Does this mean that setting network.cookie.disableCookieForMailNews to true
(which it is for thunderbid on the branch and trunk)has no effect at all
anymore? And we have to set network.cookie.cookieBehavior to 2 to really disable
cookies at run time? 

/me smells a respin coming....

Comment 13

[dwitte@gmail.com]

(In reply to comment #12)
> Does this mean that setting network.cookie.disableCookieForMailNews to true
> (which it is for thunderbid on the branch and trunk)has no effect at all
> anymore? And we have to set network.cookie.cookieBehavior to 2 to really disable
> cookies at run time? 

Correct. Thunderbird doesn't build the code that deals with those prefs (in
ext/cookie), so it gets only the barebones GRE-oriented prefs.

If you want finer control over cookies than just enable/disable, the way to do
it is to roll your own nsICookiePermission impl - that's the code that lives in
ext/cookie. (For instance, allowing only for RSS fu, or whatever). If you'd like
to do that, we can help... send me a mail if you want to get in touch over aim.

Comment 14

[Scott MacGregor]

thanks for explaining all that Dan. I think we just want to set the pref right
now for the respin and then consider either your disable-cookies patch or adding
our own implementation so we could potentially allow cookies for RSS messages on
the trunk.

Comment 15

[Scott MacGregor]

Attachment: set network.cookie.cookieBehavior to don't use for tbird

Comment 16

[Scott MacGregor]

the pref change has been checked into the 1.0 branch for the respin.

Comment 17

[Marcia Knous [:marcia]]

Scott or Dan - can you help QA out on how we can verify this bug? thanks.

Comment 18

[dwitte@gmail.com]

steps to QA (seamonkey mailnews), thanks to mvl for help:

send yourself an html mail of the following source:

<html>
<head>
<meta http-equiv="Set-Cookie" content="feedme=1;max-age=1000">
</head>
<body>
hi!
</body>
</html>

set your network.cookie.disableCookieForMailNews pref to false (e.g. edit pref
file), open mailnews, view mail (in 'original html' mode), close mailnews, check
if the cookie is set in your cookies.txt file (profile directory). it should be.

delete cookies.txt, set the pref to true, and repeat - should be no cookie (in
fact no cookies.txt since you deleted it).

i've confirmed this works with tbird now, just using the "disable cookies" pref,
but this is different to the mailnews case.

Comment 19

[Daniel Veditz [:dveditz]]

Security Advisories published, clearing confidential flag