2nd level domains can't set cookies.

VERIFIED FIXED in Future

Status

Core
Networking: Cookies
P3
normal
VERIFIED FIXED
17 years ago
15 years ago

People

(Reporter: Judson Valeski, Assigned: dwitte@gmail.com)

Tracking

({testcase})

Trunk
Future
x86
Linux

(Reporter)

Description

17 years ago
Sorry, no test case.

If I go to www.foo.com, which sets the following cookie:

set-cookie: foo=bar; domain=foo.com

That cookie will be rejected because Mozilla's cookie impl enforces the 2-dot
rule (correctly) for domain checking. However this seems pretty silly
considering that the vast majority of web content is only 2 levels deep, and
"foo.com" and ".foo.com" are ultimately the same.

Comment 1

17 years ago
Is this cookie accepted in 4.x?
(Reporter)

Comment 2

17 years ago
No, but IE accepts it.

Comment 3

17 years ago
And I believe that IE had other problems because of this. I'm out of context on
all the details now so I can't be more specific. If you read the whole
discussion in bug 8743, you'll probably find what I'm referring to. Let me know
if you want me to get back up to speed on this and give you a more intelligent
answer.

Updated

17 years ago
Status: NEW → ASSIGNED
Whiteboard: [x]
Netscape Nav triage team: this is not a Netscape beta stopper.
Keywords: nsbeta1-

Updated

17 years ago
Whiteboard: [x]

Updated

17 years ago
Target Milestone: --- → Future

Comment 5

16 years ago
I have just found a cookie for the "domain" co.uk in my Moz 1.0 cookie list.
This is clearly not a good thing, and related to this bug and the referenced
previous discussion.
On selecting "don't allow removed cookies to be reaccepted later" of course
co.uk appears on the list on the denied tab (after restarting). 
So a kind of patch would be to preinstall all the country-specific extensions, 
co.uk, org.uk .... etc etc as denied "domains".

Comment 6

15 years ago
Observed on Mozilla 1.3a (build 20021126) on IRIX 6.5.17:
meine.deutsche-bank.de can't set a cookie needed for login to online banking.

Preferences/.../Enable all cookies is set

Mozilla 1.2b works well on this point.

Comment 7

15 years ago
The deutsche-bank problem is covered in bug 171235. It's not a Mozilla problem
but rather an error on the deutsche-bank website.

Comment 8

15 years ago
Cookie set to Mozilla:
Set-Cookie: Login=1; domain=foo.de; path=/
sets a cookie with domain ".foo.de" (the first char is a dot).
If you send
Set-Cookie: Login=1; path=/
from the same server, the domain is correctly set as "foo.de".
1.2 works correctly;
1.3 until 1.4 Gecko/20030529 have this error.
->dwitte
Assignee: morse → dwitte
Status: ASSIGNED → NEW
(Assignee)

Comment 10

15 years ago
this was fixed during the cookie rewrite in 1.4.
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED

Comment 11

15 years ago
VERIFIED:

per dwitte.

I'll add a testcase. I'm behind, so I'll ask here...

domain=foo.com is okay.
domain=.com or domain=com is not.

right?
Status: RESOLVED → VERIFIED
Keywords: testcase
QA Contact: tever → cookieqa
(Assignee)

Comment 12

15 years ago
Correct - the domain must have > one embedded dot (irrespective of
leading/trailing dots). Thx benc!
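
The domain check discussed in this bug, written out as an added example (it is not Mozilla's cookie code and not from any commenter). It follows the cases confirmed in Comment 11 (foo.com accepted, .com and com rejected) and adds the denied-suffix list suggested in Comment 5; the function names and the two-entry suffix set are assumptions made for illustration.

```javascript
// Added example: names and the denied-suffix set are hypothetical, not Mozilla code.

// Constructed sample of registry-style suffixes (Comment 5's "denied domains" idea).
const DENIED_SUFFIXES = new Set(["co.uk", "org.uk"]);

// Lower-case the value and drop leading/trailing dots, so "foo.com" and
// ".foo.com" compare as the same domain.
function normalizeDomain(value) {
  return value.trim().toLowerCase().replace(/^\.+|\.+$/g, "");
}

// True when `host` is `domain` itself or a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide whether a response from `requestHost` may set a cookie whose
// Domain attribute is `domainAttr`. Returns { allowed, reason }.
function checkCookieDomain(requestHost, domainAttr, denied = DENIED_SUFFIXES) {
  const host = normalizeDomain(requestHost);
  const domain = normalizeDomain(domainAttr);
  if (domain === "" || domain.includes("..")) {
    return { allowed: false, reason: "malformed domain" };
  }
  // Embedded-dot rule: "com" and ".com" have no dot left after normalizing.
  if (!domain.includes(".")) {
    return { allowed: false, reason: "no embedded dot" };
  }
  // The dot rule alone accepts "co.uk"; the denied list closes that gap.
  if (denied.has(domain)) {
    return { allowed: false, reason: "denied suffix" };
  }
  // A host may only set cookies for itself or a parent domain.
  if (!domainMatches(host, domain)) {
    return { allowed: false, reason: "host is not within domain" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample inputs, one per case raised in the thread.
const samples = [["www.foo.com", "foo.com"], ["www.foo.com", ".foo.com"],
  ["www.foo.com", ".com"], ["www.foo.com", "com"],
  ["www.example.co.uk", "co.uk"], ["www.foo.com", "bar.com"]];
for (const [host, attr] of samples) {
  const r = checkCookieDomain(host, attr);
  console.log(`${host} Domain=${attr} -> ${r.allowed ? "accept" : "reject"} (${r.reason})`);
}
```

Passing an empty set as the third argument shows the gap reported in Comment 5: with only the embedded-dot rule, a cookie scoped to co.uk is accepted.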