Closed Bug 299160 Opened 19 years ago Closed 19 years ago

Set cookies from originating website only - all cookies are set regardless of origin

Categories

(Core :: Networking: Cookies, defect)

defect
Not set
major

VERIFIED DUPLICATE of bug 200716

People

(Reporter: zach, Assigned: darin.moz)

Details

From BFT day, see the testcase at
http://testrunner.mozilla.org/tr_caselogform.cgi?id=55329. 

The "set cookies from originating website only" option should be restricting the
cookies that can be set, but the option has no effect; all cookies are set. 

Steps to reproduce: 
1. Prefs->Privacy->Cookies
2. Allow site to set cookies for the originating website only, keep until they
expire
3. Close prefs
4. Load aol.com
5. Reopen Prefs->Privacy->Cookies
6. View cookies

In addition to the aol.com cookie, a cookie from edge.ru4.com is saved, yet it
should not have been as aol.com does not equal ru4.com. 

Seen on FF 20050629 trunk with OS 10.4.1 and by a BFT tester on Windows.
This should probably be a 1.1 beta blocker if not alpha. 
Flags: blocking-aviary1.1?

*** Bug 149115 has been marked as a duplicate of this bug. ***

confirmed on Mac OS X 10.2.8

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050629
Firefox/1.0+

So that's why I currently have so many cookies in my list ...
do I need a special login for testrunner?
If so, the caption is misleading. 
I logged out of mozilla, had to submit a change password request, logged in
again, and still couldn't log in to testrunner.

Bug 299174 cookie pref: "for the orginating site only" doesn't strictly block
all non orginating site cookies

has a more explicit description of what is going on, and mentions 
Bug 287571 Remove UI for 'Load Images for the originating web site only' pref

Sorry yes. You will need access to testrunner to be able to view the testcase.
However, it is functionally the same as the steps to reproduce I posted. 
(In reply to comment #5)
> Sorry yes. You will need access to testrunner to be able to view the testcase.
> However, it is functionally the same as the steps to reproduce I posted. 

A testcase has the big advantage you don't need to switch between two tabs to
see how to proceed, and everybody commenting is following the same link.

I can understand that the access to testrunner is restricted, but what I can't
understand is that I'm not told that I don't have sufficient privileges.
I was logged in to Bugzilla, got the message 'This is Bugzilla ... Login'
This triggered my debugging reflexes, ask for new password, ok.
I got a mail to change my password, and reused my old one, as I use my bugzilla
account on more than one machine.
Same behaviour.
Then I retried the email address I used before, and got a correct error message,
something like I need special privileges, mail Asa.

*** Bug 299174 has been marked as a duplicate of this bug. ***

from my dupe:

- Set the prefs in Tools | Privacy | cookies to 
[x] Allow sites to set cookies (pref on)
  [ ] for the originating site only ( pref off)

- clear your cookies
- visit www.aol.com
- view cookies
[+]edge.ru4.com
[+]aol.com
[+]2o7.net
the above sites have cookies set.

then try it with: [x] "for the originating site only" (pref on)

- clear your cookies
- visit www.aol.com
- view cookies
[+]edge.ru4.com
[+]aol.com
the above sites have cookies set. cookies from 2o7.net were not allowed. Is that
expected, or should the cookies for edge.ru4.com have been blocked as well?

a strict interpretation of the pref wording would be that all cookies except
those from aol.com would be blocked.

Seems like a dupe of Bug 200716 (https://bugzilla.mozilla.org/show_bug.cgi?id=200716)

This is gonna need to make b4 if it's gonna make 1.1 so shifting the nomination.
Flags: blocking-aviary1.1? → blocking1.8b4?
Flags: blocking1.8b4? → blocking1.8b4-

"Normal" cookies don't seem to be set regardless of origin.. those with cross
site javascripts seem to set the cookies though.

*** This bug has been marked as a duplicate of 200716 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED