Bug 460776 (Closed): Cookies set to nhs.uk treated as TLD and rejected
Opened 16 years ago, closed 16 years ago
Category: Core :: Networking, defect
Status: VERIFIED FIXED
People: Reporter: martin.button, Assigned: david+mozilla
Keywords: verified1.9.0.5
Attachments (2 files):
  492 bytes, patch | gerv: review+ | beltzner: approval1.9.1b2+
  878 bytes, patch | gerv: review+ | dveditz: approval1.9.0.5+
Description (Reporter):
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3 (.NET CLR 3.5.30729)

If you register with the talk.nhs.uk website a single sign on cookie will be set for nhs.uk. Whilst this is a TLD, it is also used for all NHS websites in the UK and www.nhs.uk and talk.nhs.uk are valid addresses. For this reason a cookie set to nhs.uk is also valid. This works fine in IE7, Safari, Firefox 2 and Opera, but not in Firefox 3 or Google Chrome.

I reported this in IRC and it was suggested that an exception could be added to the effective_tld_names.dat file to accommodate nhs.uk.

Reproducible: Always

Steps to Reproduce:
1. Visit talk.nhs.uk
2. Click on create an account in the header
3. Complete the simple form (email address and password) and click create an account
4. Click 'Skip this step' at the foot of the page
5. Click 'Return to the page you were on'
6. This should return you to talk.nhs.uk in a logged in state. Viewing the cookies set you should see a cookie named CSUser set to the domain nhs.uk

Actual Results: The CSUser cookie never appears and because of this you are unable to log in to the talk.nhs.uk website.

Expected Results: The CSUser cookie should be saved for the domain nhs.uk.

The NHS in the UK control all domains that end nhs.uk. If you need to verify that can you please contact David Hinkinson-Hodnett using the email address david.hinkinson-hodnett@dh.gsi.gov.uk who can provide any paperwork necessary to verify this.

This defect currently prevents anybody using Firefox 3 from using the NHS Talk application. Currently we have over 3 million (due to hit over 6 million in the next couple of months when we take over another site) users a month and with Firefox's market share this suggests a large number of users are being prevented from using our site by this bug.
Updated • 16 years ago
Component: General → Networking
Product: Firefox → Core
QA Contact: general → networking
Updated • 16 years ago
Component: Networking → Networking: Cookies
QA Contact: networking → networking.cookies
Comment 1 • 16 years ago
sounds like we need a !nhs.uk rule.
Updated • 16 years ago
Severity: critical → major
Comment 2 • 16 years ago (Assignee)
Here is a patch for the issue, it only contains one change, but as this seems to affect a lot of people I hope we can get this into trunk and CVS soon. Maybe we should also set this bug blocking1.9.0.4.
Assignee: nobody → david+mozilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #344075 -
Flags: review?(gerv)
Comment 3 • 16 years ago
Wait a sec :-)

The NHS in the UK is a multi-faceted beast; it's certainly not a no-brainer that all of the different companies and organizations which run NHS services should be allowed to set or see each other's cookies. For example, we don't allow cookies for sch.uk (schools) because, even if they all receive government funding, they are run independently. Isn't this arrangement parallel to different NHS trusts?

Similarly, if I am on http://www.bcf.nhs.uk/, I want the ETLD+1 to be "bcf.nhs.uk" (Barnet and Chase Farm NHS Trust), not "nhs.uk".

I need to contact david.hinkinson-hodnett@dh.gsi.gov.uk and discuss it with him.

Gerv
Updated • 16 years ago
Attachment #344075 -
Flags: review?(gerv) → review-
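
The exception-rule behaviour discussed in comments 1 and 3, as an added example that is not part of the original bug thread or Mozilla's code: a small Python matcher for public-suffix rules. The rule sets are constructed and assume a `*.uk` wildcard rule (the page does not show the list's contents); the function names are hypothetical.

```python
# Constructed rule sets (assumption): a "*.uk" wildcard, then the same list
# with the "!nhs.uk" exception proposed in this bug. Not the real list file.
RULES_BEFORE = ["*.uk"]
RULES_AFTER = ["*.uk", "!nhs.uk"]


def public_suffix(host, rules):
    """Public suffix of host: longest matching rule, exception rules win."""
    labels = host.lower().rstrip(".").split(".")
    best = labels[-1:]  # implicit default rule "*": the last label
    for rule in rules:
        pattern = rule.lstrip("!").split(".")
        if len(pattern) > len(labels):
            continue
        tail = labels[-len(pattern):]
        if not all(p in ("*", l) for p, l in zip(pattern, tail)):
            continue
        if rule.startswith("!"):
            # Exception rule: the suffix is the rule minus its leftmost label.
            return ".".join(pattern[1:])
        if len(pattern) > len(best):
            best = tail
    return ".".join(best)


def etld_plus_one(host, rules):
    """Registrable domain (public suffix plus one label), or None."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None


def cookie_domain_allowed(request_host, cookie_domain, rules):
    """Reject Domain= values that are public suffixes or foreign to the host."""
    domain = cookie_domain.lower().lstrip(".")
    host = request_host.lower().rstrip(".")
    if public_suffix(domain, rules) == domain:
        return False  # cookie would be shared across unrelated registrants
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(name,
              cookie_domain_allowed("talk.nhs.uk", "nhs.uk", rules),
              etld_plus_one("www.bcf.nhs.uk", rules),
              cookie_domain_allowed("www.bcf.nhs.uk", "nhs.uk", rules))
```

The last printed column is the trade-off raised in comment 3: once nhs.uk is registrable, any host under it can set or read a cookie scoped to the whole of nhs.uk.
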
Comment 4 • 16 years ago (Assignee)
As Martin wrote, they are one organization, and they provide single sign-on for their services, which means they also share one user database. When you try to sign on for talk.nhs.uk you are redirected to www.nhs.uk. It's just the same as using secure.amazon.com for login (encrypted, when the password is transmitted) but using www.amazon.com for the rest (unencrypted), by using a cookie (with domain=.amazon.com) to store the session.
Comment 5 • 16 years ago (Reporter)
You are more than welcome to contact David to check the validity of this request. All nhs.uk addresses are controlled by an organisation called Connected For Health, part of the NHS in the UK. David can provide details for them if required.

You are quite right in that there are many different arms to the NHS, but they are all part of the NHS. Currently the only sites using the single sign on features are talk.nhs.uk, www.nhs.uk and an internal moderation administration site that I shouldn't really divulge the URL for. If other NHS websites wished to use the single sign on they could. When we decided to use the .nhs.uk cookie we did this fully aware and accepting the fact that all other NHS websites can see this cookie. This is not a problem in the slightest.

(In reply to comment #3)
> Wait a sec :-)
>
> The NHS in the UK is a multi-faceted beast; it's certainly not a no-brainer
> that all of the different companies and organizations which run NHS services
> should be allowed to set or see each other's cookies. For example, we don't
> allow cookies for sch.uk (schools) because, even if they all receive government
> funding, they are run independently. Isn't this arrangement parallel to
> different NHS trusts?
>
> Similarly, if I am on http://www.bcf.nhs.uk/, I want the ETLD+1 to be
> "bcf.nhs.uk" (Barnet and Chase Farm NHS Trust), not "nhs.uk".
>
> I need to contact david.hinkinson-hodnett@dh.gsi.gov.uk and discuss it with
> him.
>
> Gerv
Updated • 16 years ago
Component: Networking: Cookies → Networking
OS: Windows Server 2003 → All
QA Contact: networking.cookies → networking
Hardware: PC → All
Version: unspecified → Trunk
Comment 6 • 16 years ago
I've emailed my contact at Nominet, who control .uk, to ask them what they think. I'll probably do whatever they decide.

Gerv
Comment 7 • 16 years ago (Reporter)
Has Nominet got back to you yet? As far as I'm aware they don't actually have any control over nhs.uk. It's managed internally by Connect for Health, the IT arm of the NHS. David Hinkinson-Hodnett can confirm all the details or put you in touch with whoever you need to speak to if you drop him an email.

Martin
Comment 8 • 16 years ago
No, they haven't. <sigh> OK, fair enough. David: can you make a patch and get it checked in to the necessary places? Thanks,

Gerv
Comment 9 • 16 years ago (Reporter)
Thanks for the update Gerv. Do you have any idea of timescales to when we can hope to see this change in a firefox release? Will it appear in a beta quickly or still take a while to filter through? Also is there a date set for the next release of Firefox that might include this change? I don't mean to harass you but as with most of us I have people to answer to and so I could do with something to tell them basically.
Updated • 16 years ago (Assignee)
Attachment #344075 -
Flags: review?(gerv)
Comment 10 • 16 years ago (Assignee)
Comment on attachment 344075: Patch to add nhs.uk as exception to the effective TLD list
The patch is still valid, it just needs a review ;-)

Martin Button: If everything goes ok the patch might make it into Firefox 3.0.5, but the code freeze is in one week and the patch has yet to be checked into trunk and then into the 3.0.x branch. For more information, please take a look at https://wiki.mozilla.org/Releases
Comment 11 • 16 years ago
Comment on attachment 344075: Patch to add nhs.uk as exception to the effective TLD list
r=gerv. If you get it on the trunk ASAP, then you can get it on the branch in a few days if you are quick. It hardly needs much baking :-)

Gerv
Attachment #344075 -
Flags: review?(gerv) → review+
Updated • 16 years ago
Attachment #344075 -
Flags: review-
Comment 12 • 16 years ago
Comment on attachment 344075: Patch to add nhs.uk as exception to the effective TLD list
clearing r- flag to make things more obvious ;)
Comment 13 • 16 years ago (Assignee)
Thanks, tagging as checkin-needed. Can somebody please check this into trunk? I also requested blocking1.9.0.5-flag, as according to Martin Button this breaks a site with up to 6 million possible users. If it gets approved, I will add another patch that includes the changes made in #455771, so that trunk and 3.0 branch are in sync again.
Flags: blocking1.9.0.5?
Keywords: checkin-needed
Comment 14 • 16 years ago
Comment on attachment 344075: Patch to add nhs.uk as exception to the effective TLD list
Trunk is currently locked down for blockers and approved patches only, so requesting approval for this.
Attachment #344075 -
Flags: approval1.9.1b2?
Comment 15 • 16 years ago
Comment on attachment 344075: Patch to add nhs.uk as exception to the effective TLD list
a=beltzner if you can find a green tree somewhere
Attachment #344075 -
Flags: approval1.9.1b2? → approval1.9.1b2+
Comment 16 • 16 years ago
Pushed changeset bb2c08a5fb4e.
Comment 17 • 16 years ago (Assignee)
Thank you for the help ;-) Here is another patch, that includes the changes made in bug #455771. It will finally bring trunk and mozilla-1.9 back in sync.
Attachment #347725 -
Flags: review?(gerv)
Attachment #347725 -
Flags: approval1.9.0.5?
Updated • 16 years ago (Assignee)
Attachment #347725 -
Attachment is patch: true
Attachment #347725 -
Attachment mime type: application/octet-stream → text/plain
Updated • 16 years ago
Attachment #347725 -
Flags: review?(gerv) → review+
Comment 18 • 16 years ago
Comment on attachment 347725: Patch to sync trunk and gecko 1.9.0
r=gerv.

Gerv
Comment 19 • 16 years ago
Not blocking, we'll look at the patch approval after another day or two of trunk testing. Can someone verify the fix on the trunk?
Flags: blocking1.9.0.5? → wanted1.9.0.x+
Updated • 16 years ago
Whiteboard: [needs trunk verification]
Comment 20 • 16 years ago (Assignee)
Ok, I just tried the 3.1 beta and the current nightly in qemu from a clean windows system image. On Firefox 3.1b1 (Gecko/20081007 Firefox/3.1b1) no cookies were set for .nhs.uk. On Firefox 3.1b2pre (Gecko/20081114 Minefield/3.1b2pre) two cookies (WT_FPC and CSUser) were set for .nhs.uk. On my main workstation, running Iceweasel 3.0.3 (Gecko 2008092814 Iceweasel/3.0.3) no cookies were set. I hope this justifies as trunk verification.
Updated • 16 years ago
Status: RESOLVED → VERIFIED
Whiteboard: [needs trunk verification]
Comment 21 • 16 years ago
Comment on attachment 347725: Patch to sync trunk and gecko 1.9.0
Approved for 1.9.0.5, a=dveditz for release-drivers
Attachment #347725 -
Flags: approval1.9.0.5? → approval1.9.0.5+
Updated • 16 years ago
Keywords: checkin-needed
Comment 22 • 16 years ago (Assignee)
Checked in by mrbkap as CVS revision 1.9 of file effective_tld_names.dat. Thanks ;-)
Keywords: checkin-needed → fixed1.9.0.5
Comment 23 • 16 years ago (Reporter)
Sorry to be a pest, but does this mean the fix will make the 3.0.5 release scheduled for mid December?
Comment 24 • 16 years ago (Assignee)
Yes, this will be fixed in the following releases:
3.0.5: around December 16
3.1b2: around November 24

David
Comment 25 • 16 years ago (Reporter)
Many thanks for everybody's assistance in resolving this.
Comment 26 • 16 years ago
This is verified fixed in 1.9.0.5 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5pre) Gecko/2008120105 GranParadiso/3.0.5pre. You can log into the site now and cookies are set.
Keywords: fixed1.9.0.5 → verified1.9.0.5
Comment 27 • 16 years ago
Might be interesting to see why this works in other browsers. Do they not block cookies for the .co.uk etc. domains? Or are they using a different black/whitelist that includes the old domains such as nhs.uk, parliament.uk, jet.uk etc. (examples from Wikipedia)?