Open
Bug 492043
Opened 16 years ago
Updated 3 years ago
consider storing the geolocation token as a proper cookie
Categories: Firefox :: General, defect
Status: NEW
People: (Reporter: zeniko, Unassigned)
Attachments: 1 file (10.78 KB, patch)
There's an increasing number of hacks for treating the geolocation token the same as a tracking cookie (which it effectively is) - see e.g. bug 491810.
These hacks wouldn't be needed if the token was stored in the cookie manager to start with - e.g. with "<geolocation>" as the cookie's host (making sure that the cookie isn't actually sent out with any http connection).
Comment 1•16 years ago
Also see 492043.
Comment 2•16 years ago (Reporter)
Attachment #376456 -
Flags: review?(doug.turner)
Updated•16 years ago (Reporter)
Flags: wanted-firefox3.5?
Comment 3•16 years ago
Comment on attachment 376456
like so?
>diff --git a/dom/src/geolocation/NetworkGeolocationProvider.js b/dom/src/geolocation/NetworkGeolocationProvider.js
>--- a/dom/src/geolocation/NetworkGeolocationProvider.js
>+++ b/dom/src/geolocation/NetworkGeolocationProvider.js
<...snip...>
>+ let cookieManager = Cc["@mozilla.org/cookiemanager;1"].getService(Ci.nsICookieManager2);
>+ // XXXzeniko use getCookiesFromHost once bug 423132 is fixed
>+ let cookieEnum = cookieManager.enumerator;
>+ while (cookieEnum.hasMoreElements()) {
>+ let cookie = enu.getNext().QueryInterface(Ci.nsICookie);
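Review bot: `enu` in the last line of this hunk is not declared anywhere in the visible lines; the enumerator obtained two lines earlier is `cookieEnum`, so `enu.getNext()` would throw a ReferenceError on the first pass through the loop. It should read `cookieEnum.getNext().QueryInterface(Ci.nsICookie)`. The loop also walks every stored cookie to find a single entry, which the XXXzeniko comment already marks as temporary until `getCookiesFromHost` is usable; it is worth confirming that the loop stops at the first match.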
enu? what's that? :)
Comment 4•16 years ago (Reporter)
(In reply to comment #3)
> >+ let cookie = enu.getNext().QueryInterface(Ci.nsICookie);
s/enu/cookieEnum/
Comment 5•16 years ago
Comment on attachment 376456
like so?
>+ // the token host is created such that
>+ // * it isn't a valid host name so that the cookie is never sent anywhere
>+ let tokenHost = "<geolocation>." + req.target.channel.URI.host;
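Review bot: the code comment above `tokenHost` states that the value isn't a valid host name, but the visible lines only prepend "<geolocation>." to `req.target.channel.URI.host` and nothing here validates or enforces that property. The guarantee that the cookie is never sent therefore depends on how other code treats the `<` and `>` characters in a host. The comment should name that dependency, or the storage path should make non-transmission explicit rather than implied by the name.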
Is that comment true? "<geolocation>.foo.com" appears to be a valid hostname, at least as far as nsIURI is concerned. Are we relying on it not being valid in DNS or something? At least some versions of "host" seem to resolve "<geo>.g4v.org", though I apparently can't get firefox or wget to do it...
Comment 6•16 years ago (Reporter)
(In reply to comment #5)
> Is that comment true? "<geolocation>.foo.com" appears to be a valid hostname
It shouldn't be valid, at least according to RFC 2396 3.2.2. However it indeed looks like internally we only check for spaces - not conformance to the RFC.
On second thought, I actually rely on "<geolocation>.foo.com" to pass for a valid host name internally (otherwise clearing all data for a site wouldn't clear the geolocation cookie). If this isn't acceptable, I guess we'd need first a cookie manager enhancement for storing chrome-only cookies...
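The mismatch comments 5 and 6 describe, as an added example (not code from the patch or from Firefox): the RFC 2396 section 3.2.2 host grammar rejects `<geolocation>.foo.com`, while a spaces-only check accepts it and a suffix match still ties it to `foo.com`. The function names and the suffix-based site match are assumptions made for illustration.

```javascript
// Added example, not Firefox code. All function names are hypothetical.
const DOMAINLABEL = /^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$/;
const TOPLABEL = /^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$/;
const IPV4 = /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/;

// RFC 2396 3.2.2: host     = hostname | IPv4address
//                 hostname = *( domainlabel "." ) toplabel [ "." ]
function isRfc2396Host(host) {
  if (typeof host !== "string" || host.length === 0) return false;
  if (IPV4.test(host)) return true;
  const name = host.endsWith(".") ? host.slice(0, -1) : host;
  const labels = name.split(".");
  const top = labels.pop();
  return TOPLABEL.test(top) && labels.every((l) => DOMAINLABEL.test(l));
}

// The lax behaviour described in comment 6: only spaces are rejected.
function passesSpacesOnlyCheck(host) {
  return typeof host === "string" && host.length > 0 && !host.includes(" ");
}

// Assumption: "clear all data for a site" selects cookies by host suffix.
function matchesSite(cookieHost, site) {
  return cookieHost === site || cookieHost.endsWith("." + site);
}

// Summarise how one stored cookie host fares under each rule.
function classify(cookieHost, site) {
  return {
    rfcValid: isRfc2396Host(cookieHost),
    laxValid: passesSpacesOnlyCheck(cookieHost),
    clearedWithSite: matchesSite(cookieHost, site),
  };
}

// Constructed sample hosts; the first is the token host from the patch.
const samples = ["<geolocation>.foo.com", "www.foo.com", "foo.com.", "bad host.foo.com"];
for (const h of samples) {
  console.log(h, JSON.stringify(classify(h, "foo.com")));
}
```

A cookie manager that enforced the RFC grammar on hosts would refuse the token host outright, which is the dependency comment 6 points out.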
Comment 7•16 years ago
Having a chrome-only flag would be good for safe browsing, right?
Comment 8•16 years ago
Yes, see bug 368255. dwitte has said it would be feasible to make the cookie DB support something like this, if someone finds the time.
Comment 9•16 years ago
(I can find the time in late June, but not until then unfortunately.)
Updated•16 years ago (Reporter)
Flags: wanted-firefox3.5?
Updated•16 years ago (Reporter)
Attachment #376456 -
Flags: review?(doug.turner)
Updated•3 years ago
Severity: normal → S3