Root domain cookie returned over more specific subdomain cookie

UNCONFIRMED
Unassigned

Status

Core
Networking: Cookies
P5
major
UNCONFIRMED
12 years ago
10 months ago

People

(Reporter: Bill, Unassigned)

Tracking

1.8 Branch
x86
Windows Server 2003
Details

(Whiteboard: [necko-would-take])

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0

If you have the URLs site.com and subdomain.site.com which share a commonly named cookie, the cookie for site.com will always be returned, even when browsing from subdomain.site.com.  The cookie domain is correctly being set for each site's cookie.

IE returns the correct cookie, as expected.


Reproducible: Always

Steps to Reproduce:
1. Create a simple page that A) Displays the cookie from B, if available B) Sets a cookie with Cookiedomain equal to the current url and expiration set to 1+ days.  The Cookie value should be set to the browsed URL so that it's clear who set the cookie on subsequent reads.

2. Modify hosts file to include testhost.com and sub.testhost.com, both pointing to the same page.
3. Browse each page.
4. Restart Browsers.
5. Browse each page.



Expected Results:  
The sub.testhost.com page should respond with a value of sub.testhost.com (From the subdomain cookie).  The testhost.com page should similarly respond with a value of testhost.com (From the root domain cookie).
Component: General → Networking: Cookies
Product: Firefox → Core
QA Contact: general → networking.cookies
Version: unspecified → 1.8 Branch

Comment 1

8 years ago
Using FF 3.6.13, the cookie sharing (leakage?) bug is still present.

IIRC there was a claim that FF implemented RFC 2109.  According to Section 2 "Terminology":

Host names can be specified either as an IP address or a FQHN string.  Sometimes we compare one host name with another.  Host A's name domain-matches host B's if

[...]

   * A is a FQDN string and has the form NB, where N is a non-empty name
     string, B has the form .B', and B' is a FQDN string.  (So, x.y.com
     domain-matches .y.com but not y.com.)
Whiteboard: [necko-would-take]
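
Added example (not part of the bug report and not Mozilla's code): the RFC 2109 domain-match rule quoted in comment 1, together with that section's exact-match case, applied to two constructed cookie jars to show when a request to sub.testhost.com carries both same-named cookies. The cookie name "origin", the jar contents and the choice to keep jar order in the header are assumptions; RFC 2109 orders matching cookies by Path only and leaves ordering by Domain unspecified.

```javascript
// Added example: RFC 2109 section 2 domain-match plus a toy cookie jar.
// Jar contents and the cookie name "origin" are constructed.

const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// Host A domain-matches B if the strings are identical, or A is an FQDN of
// the form N + B where N is non-empty and B starts with a dot.
function domainMatches(a, b) {
  a = a.toLowerCase();
  b = b.toLowerCase();
  if (a === b) return true; // exact match (IP address or FQDN)
  if (isIp(a) || !b.startsWith('.')) return false;
  return a.length > b.length && a.endsWith(b);
}

// Cookie header for a request host: every cookie whose stored domain the
// host domain-matches. Jar (insertion) order is kept, which is an assumption.
function cookieHeader(host, jar) {
  return jar
    .filter((c) => domainMatches(host, c.domain))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// What a server-side lookup that takes the first pair by name would read.
function firstValue(header, name) {
  for (const pair of header.split('; ')) {
    const i = pair.indexOf('=');
    if (i > 0 && pair.slice(0, i) === name) return pair.slice(i + 1);
  }
  return null;
}

// Constructed jar A: the root-named cookie is stored with a dotted domain.
const sharedJar = [
  { name: 'origin', value: 'testhost.com', domain: '.testhost.com' },
  { name: 'origin', value: 'sub.testhost.com', domain: 'sub.testhost.com' },
];
// Constructed jar B: the root cookie is stored for the exact host only.
const hostOnlyJar = [
  { name: 'origin', value: 'testhost.com', domain: 'testhost.com' },
  { name: 'origin', value: 'sub.testhost.com', domain: 'sub.testhost.com' },
];

console.log(cookieHeader('sub.testhost.com', sharedJar));
console.log(cookieHeader('sub.testhost.com', hostOnlyJar));
```

With jar A the subdomain request carries two origin pairs and a first-match reader sees the root value; with jar B only the subdomain's own cookie is sent.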