Closed Bug 336207 Opened 18 years ago Closed 17 years ago

Add wildcards to cookie exceptions list to permit subdomains if all cookies are blocked

Categories

(Firefox :: Settings UI, defect)

Product:
Firefox
Component:
Settings UI
Platform:
x86
Windows 98
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: joelandost, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2

If all cookies are blocked, there is no way to allow cookies from a whole domain.  For example, if all cookies are blocked and you put "yahoo.com" as allowed, then  cookies will still not be set from mail.yahoo.com, games.yahoo.com, news.yahoo.com, login.yahoo.com, etc.

Recommendation: put in an option to have wildcards in the exceptions list, eg "*.yahoo.com" can be allowed.  This would allow all subdomains from a trusted domain.

Reproducible: Always

Steps to Reproduce:
1. Clear and block all cookies
2. Allow cookies from yahoo.com
3. Try to login in to mail.yahoo.com and you cant.




This would be a powerful addition.  It should work for both allowing and denying wildcard subdomains to set cookies and could make looking at the cookies list much cleaner.
Aunt Tilly doesn't understand *. wildcards.  Granted, Aunt Tilly might also not understand a checkbox "Include all subdomains too", either.  Point being, usability might need a proper think-through before you plunge ahead with this.

My vote would be on including subdomains by default, and having an "extra super advanced hidden <del>feature</del>bug" to specify blocking of the selected domain only.  Or something.
(In reply to comment #1)
> My vote would be on including subdomains by default, and having an "extra super
> advanced hidden <del>feature</del>bug" to specify blocking of the selected
> domain only.  Or something.

   I disagree.  The safest thing to do is to leave the default as it is.  In the current setup you never block anything you haven't explicitly said you want to block.  Wildcard blocking implies some sort of smarts about how cookies are used, especially among sub-domains.
   Just because Aunt Tilly accidentally clicks block on a Yahoo news cookie, you don't want her not to be able to get into her Yahoo mail account all of a sudden.  That'll confuse her to no end.

I actually am more interested in the inverse of the request.  I'd like to be able to block via wildcards.  "*.hitbox.com" can stop asking me about tracking my movements for each new domain I go to.

Additionally, wildcards are more powerful (but still rather simple) so that "ad.*" and "ads.*" could be blocked.  This is a more useful functionality than the "Include all subdomains" checkbox.

Oh, and if it isn't clear from my "disagree" statement, I'd like this functionality hung off the block/block all/accept cookie dialog.
re comment 0: yes there is! in fact a "*." is implied when entering domains - that setting will apply to the given domain and all subdomains.

therefore marking invalid - perhaps what we really want is to denote this fact in the UI, or somehow make it more obvious? (see bug 259445)
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.