Closed Bug 58497 Opened 24 years ago Closed 21 years ago

2nd level domains can't set cookies.

Categories

(Core :: Networking: Cookies, defect, P3)

x86
Linux
defect

Tracking

VERIFIED FIXED
Future

People

(Reporter: jud, Assigned: dwitte)

Details

(Keywords: testcase)

Sorry, no test case.

If I go to www.foo.com, which sets the following cookie:

set-cookie: foo=bar; domain=foo.com

That cookie will be rejected because Mozilla's cookie impl enforces the 2-dot
rule (correctly) for domain checking. However this seems pretty silly
considering that the vast majority of web content is only 2 levels deep, and
"foo.com" and ".foo.com" are ultimately the same.
Is this cookie accepted in 4.x?
No, but IE accepts it.
And I believe that IE had other problems because of this.  I'm out of context on 
all the details now so I can't be more specific.  If you read the whole 
discussion in bug 8743, you'll probably find what I'm referring to.  Let me know 
if you want me to get back up to speed on this and give you a more intelligent 
answer.
Status: NEW → ASSIGNED
Whiteboard: [x]
Netscape Nav triage team: this is not a Netscape beta stopper.
Keywords: nsbeta1-
Whiteboard: [x]
Target Milestone: --- → Future
I have just found a cookie for the "domain" co.uk in my Moz 1.0 cookie list.
This is clearly not a good thing, and related to this bug and the referenced
previous discussion.
On selecting "don't allow removed cookies to be reaccepted later" of course
co.uk appears on the list on the denied tab (after restarting). 
So a kind of patch would be to preinstall all the country-specific extensions, 
co.uk, org.uk .... etc etc as denied "domains".
Observed on Mozilla 1.3a (build 20021126) on IRIX 6.5.17:
meine.deutsche-bank.de can't set a cookie needed for login to online banking

Preferences/.../Enable all cookies is set

Mozilla 1.2b works well on this point.
The deutsche-bank problem is covered in bug 171235.  It's not a Mozilla problem
but rather an error on the deutsche-bank website.
Cookie set to Mozilla:
Set-Cookie: Login=1; domain=foo.de; path=/
sets a cookie with domain ".foo.de" (the first character is a dot).
If you send
Set-Cookie: Login=1; path=/
from the same server, the domain is correctly set as "foo.de".
1.2 works correctly;
1.3 up to 1.4 Gecko/20030529 have this error.
->dwitte
Assignee: morse → dwitte
Status: ASSIGNED → NEW
This was fixed during the cookie rewrite in 1.4.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
VERIFIED:

per dwitte.

I'll add a testcase. I'm behind, so I'll ask here...

domain=foo.com is okay.
domain=.com or domain=com is not.

right?
Status: RESOLVED → VERIFIED
Keywords: testcase
QA Contact: tever → cookieqa
Correct - the domain must have > one embedded dot (irrespective of
leading/trailing dots). thx benc!
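
The acceptance rule the thread settles on (foo.com is accepted, .com and com are not, leading and trailing dots ignored), sketched as an added example that is not Mozilla's cookie code and not part of the bug discussion. The function names and the two-entry deny set (co.uk and org.uk, the suffixes named in the thread) are assumptions for illustration; the host check is the usual domain-match test.

```javascript
// Added example with hypothetical names; not Mozilla's implementation.
// Suffixes named in the thread; a complete list is assumed to live elsewhere.
const DENIED_SUFFIXES = new Set(["co.uk", "org.uk"]);

// Lowercase and strip leading/trailing dots so "foo.com" equals ".foo.com".
function normalizeDomain(domain) {
  return domain.trim().toLowerCase().replace(/^\.+|\.+$/g, "");
}

// True when a dot remains once the edge dots are ignored.
function hasEmbeddedDot(domain) {
  return normalizeDomain(domain).includes(".");
}

// The request host must equal the cookie domain or be a subdomain of it.
function domainMatches(host, domain) {
  const h = normalizeDomain(host);
  const d = normalizeDomain(domain);
  return h === d || h.endsWith("." + d);
}

// Decide whether the domain attribute of a Set-Cookie from `host` is acceptable.
function checkCookieDomain(host, domainAttr) {
  if (domainAttr === undefined || domainAttr === "") {
    // No domain attribute: the cookie is bound to the exact host.
    return { accept: true, domain: normalizeDomain(host), hostOnly: true };
  }
  const d = normalizeDomain(domainAttr);
  if (!hasEmbeddedDot(d)) return { accept: false, reason: "no embedded dot" };
  // The dot rule alone lets "co.uk" through, hence the explicit deny set.
  if (DENIED_SUFFIXES.has(d)) return { accept: false, reason: "denied suffix" };
  if (!domainMatches(host, d)) return { accept: false, reason: "host mismatch" };
  return { accept: true, domain: d, hostOnly: false };
}

// Constructed sample inputs: [request host, domain attribute].
const SAMPLES = [
  ["www.foo.com", "foo.com"],
  ["www.foo.com", ".com"],
  ["www.example.co.uk", "co.uk"],
  ["www.foo.com", "bar.com"],
];
for (const [host, attr] of SAMPLES) {
  console.log(host, attr, JSON.stringify(checkCookieDomain(host, attr)));
}
```

The co.uk case passes the embedded-dot test on its own, so only the deny set stops a cookie scoped to every site under that suffix.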