Closed Bug 290951 Opened 20 years ago Closed 19 years ago

Session is lost between the parent document and IFrame document even when both at the same page and window [when

Categories

(Firefox :: General, defect)

x86
All
defect
Not set
normal

Tracking

RESOLVED EXPIRED

People

(Reporter: jery_wang2002, Assigned: bugzilla)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050405 Firefox/1.0 (Ubuntu package 1.0.2)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050405 Firefox/1.0 (Ubuntu package 1.0.2)

With the settings:
(Linux)
Edit -> Preferences -> Privacy -> Cookies:
Allow sites to set cookies (checked, default)
    for the originating web site only (checked, default was checked)


I tried to write the IFrame content:


document.getElementById("AnIFrame").contentWindow.document.write('<img src="_relative_path/an_image.gif">')

using JavaScript.

The page where the IFrame is located is already authenticated and carries
a session ID.

The image inside the IFrame as the result of the above command unfortunately
does not carry the session ID anymore, thus it is rejected and does not display.



Reproducible: Always

Steps to Reproduce:
1. Set the preference:
'for the originating web site only' checked
(Please see details).
2. Create an HTML page that contains an IFrame and JavaScript:

document.getElementById("AnIFrame").contentWindow.document.write('<img src="_relative_path/an_image.gif">')

3. The page is protected by an authentication mechanism (can be running Tomcat)

4. Accessing the page is fine but the image inside the IFrame does not show
because the GET request does not carry the session ID like the page.

(I have used the LiveHTTPHeader Firefox extension to verify the missing Session ID.)

Actual Results:  
Session ID is lost

Expected Results:  
The session ID should not be lost since the page and the IFrame are accessing
the originating website.

Furthermore, I can easily right click and 'view image' to show the image and it
successfully shows the image, meaning the session ID is presented to the website.

The document.write should also carry the session ID when the setting 'for the
originating web site only' is checked.

The behaviour is correct when 'for the originating web site only' is unchecked.
I.e., the session ID is carried by document.write.

I hope that is not too complicated to be understood.

But the problem is deep and may not be seen easily every day, but as the usage
of the web has been increasingly important, even being used in serious business
transactions, this should be quite an important problem that needs to be fixed.

Thanks.

Enjoy using Firefox and developing my application to be 100% compatible in
Firefox. In fact, I am using Firefox for the testing of my code before IE.
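
The header check described in step 4 can be scripted over a saved request capture. The following is an added example, not part of the bug report or of Mozilla's code; it assumes a capture made of blank-line-separated request blocks, Tomcat's default session cookie name JSESSIONID, and a constructed host app.example.test with constructed cookie values.

```javascript
// Constructed capture: blank-line-separated request blocks; host and cookie values are made up.
const CAPTURE = `
GET /app/page.html HTTP/1.1
Host: app.example.test
Cookie: theme=dark; JSESSIONID=CONSTRUCTED0001

GET /app/_relative_path/an_image.gif HTTP/1.1
Host: app.example.test
Referer: http://app.example.test/app/page.html

GET /app/style.css HTTP/1.1
Host: app.example.test
Cookie: JSESSIONID=CONSTRUCTED0001
`;

// Split the capture into requests, keeping headers under lower-cased names.
function parseCapture(text) {
  return text.trim().split(/\r?\n\s*\r?\n/).map((block) => {
    const [requestLine, ...headerLines] = block.split(/\r?\n/);
    const [method, path] = requestLine.trim().split(/\s+/);
    const headers = {};
    for (const line of headerLines) {
      const i = line.indexOf(":");
      if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }
    return { method, path, headers };
  });
}

// Exact cookie names from a Cookie header, so XJSESSIONID does not count as JSESSIONID.
function cookieNames(cookieHeader) {
  if (!cookieHeader) return [];
  return cookieHeader.split(";").map((pair) => pair.split("=")[0].trim()).filter(Boolean);
}

// Report requests sent without the session cookie to a host that received it on another request.
function findRequestsMissingSession(text, sessionCookie = "JSESSIONID") {
  const requests = parseCapture(text);
  const hasSession = (r) => cookieNames(r.headers.cookie).includes(sessionCookie);
  const sessionHosts = new Set(requests.filter(hasSession).map((r) => r.headers.host));
  return requests
    .filter((r) => sessionHosts.has(r.headers.host) && !hasSession(r))
    .map((r) => `${r.method} ${r.path}`);
}

console.log(findRequestsMissingSession(CAPTURE));
```
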

This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

This bug has been automatically resolved after a period of inactivity (see above
comment). If anyone thinks this is incorrect, they should feel free to reopen it.

Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → EXPIRED