Closed Bug 633541 Opened 15 years ago Closed 10 years ago

cookieBehavior not flexible enough / incorrectly documented

Categories

(Core :: Networking: Cookies, enhancement)

x86
Linux
enhancement
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: drice, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0b10) Gecko/20100101 Firefox/4.0b10
Build Identifier: ff4.0b10, problem applies to all?

The cookie behavior document reads...
https://developer.mozilla.org/en/Cookies_Preferences_in_Mozilla
"1 = only accept from the originating site (block third party cookies)"

In truth, 1 also blocks *sending* cookies to third parties. That's different, and significant.

I discovered this when viewing a local copy of a webpage I was developing, and the style (css) document which was linked with a fully-qualified path to the remote server wasn't being retrieved. It turns out that it was failing to be retrieved because my authentication cookies were not being sent with the css GET request.

As a feature request, here are some suggestions. One or more can be helpful.

a) Have different policies for sending and receiving cookies. Add network.cookie.OutgoingCookieBehavior with the same values as CookieBehavior, as well as a -1 (default) to use CookieBehavior's value instead (backwards compatible).

b) This may already be possible, tell me if it is. Allow cookieBehavior setting to be modified by (1) The site you are viewing (e.g. via capability policies) and/or (2) the site that is being contacted. Going with "and" would be more powerful, but obviously much more difficult. Having both available, but as "or" options, would be sufficient for most cases, I'd think.

Examples:
* I trust intranet.foo.com third-party cookies. Wherever I am, allow third-party cookies to/from intranet.foo.com
* I trust intranet.foo.com not to request untrustworthy third-party resources. Whenever I am on intranet.foo.com, allow third-party cookies to/from all third-parties.
* I trust intranet.foo.com to the extent that I will trust when its pages source content from other-intranet.foo.com. Whenever I am on intranet.foo.com, allow third-party cookies to/from other-intranet.foo.com.

I think b) could be accomplished with an extension, but I'll let someone make the case for *not* including it in core. I imagine it could be done with:

network.cookies.CookieBehaviorOverrides="policyone policytwo policythree"

// Allow third-party cookies TO intranet.foo.com
network.cookies.overrides.policyone.targetSites="intranet.foo.com"
network.cookies.overrides.policyone.OutgoingCookieBehavior=0

// Allow third-party cookies TO/FROM * when on intranet.foo.com
network.cookies.overrides.policytwo.currentSites="intranet.foo.com"
network.cookies.overrides.policytwo.OutgoingCookieBehavior=0
network.cookies.overrides.policytwo.CookieBehavior=0

// Allow third-party sites TO/FROM other-intranet and intranet, both ways.
network.cookies.overrides.policythree.currentSites="intranet.foo.com other-intranet.foo.com"
network.cookies.overrides.policythree.targetSites="intranet.foo.com other-intranet.foo.com"
network.cookies.overrides.policythree.OutgoingCookieBehavior=0
network.cookies.overrides.policythree.CookieBehavior=0

Obviously this is a big ask. At a minimum, the documentation should be updated to clarify that CookieBehavior doesn't just affect accepting cookies, but also sending cookies.

Reproducible: Always
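
The send/accept split and the override scheme requested above, modelled as an added example that is not part of the original report and not Firefox code. The outgoing pref, the override objects, and the functions `matches` and `cookieDecision` are hypothetical; the matching rule, the first-match precedence and the host-equality test for "third party" are assumptions made for illustration.

```javascript
// Added example: models the reporter's PROPOSED prefs. Only cookieBehavior
// (0 = accept all, 1 = block third party, 2 = block all) exists in Firefox.
const ACCEPT_ALL = 0, BLOCK_THIRD_PARTY = 1;

// Constructed configuration mirroring policyone/policytwo/policythree.
const INTRANET = ["intranet.foo.com", "other-intranet.foo.com"];
const samplePrefs = {
  cookieBehavior: BLOCK_THIRD_PARTY,
  outgoingCookieBehavior: -1, // proposed default: inherit cookieBehavior
  overrides: [
    { targetSites: ["intranet.foo.com"], outgoing: ACCEPT_ALL },
    { currentSites: ["intranet.foo.com"], outgoing: ACCEPT_ALL, incoming: ACCEPT_ALL },
    { currentSites: INTRANET, targetSites: INTRANET, outgoing: ACCEPT_ALL, incoming: ACCEPT_ALL },
  ],
};

// Assumption: a policy applies when every site list it sets contains the host.
function matches(policy, currentHost, targetHost) {
  const ok = (list, host) => list === undefined || list.includes(host);
  return ok(policy.currentSites, currentHost) && ok(policy.targetSites, targetHost);
}

// Decide whether cookies are sent to / accepted from targetHost while the
// user is viewing a page on currentHost (null for a local file).
function cookieDecision(prefs, currentHost, targetHost) {
  let incoming = prefs.cookieBehavior;
  let outgoing = prefs.outgoingCookieBehavior ?? -1;
  let inSet = false, outSet = false;
  // Assumption: per direction, the first matching override wins.
  for (const p of prefs.overrides ?? []) {
    if (!matches(p, currentHost, targetHost)) continue;
    if (!inSet && p.incoming !== undefined) { incoming = p.incoming; inSet = true; }
    if (!outSet && p.outgoing !== undefined) { outgoing = p.outgoing; outSet = true; }
  }
  if (outgoing === -1) outgoing = incoming; // backwards-compatible fallback
  // Simplification: "third party" = different host; Firefox's real check is not modelled.
  const thirdParty = currentHost !== targetHost;
  const allowed = (b) => b === ACCEPT_ALL || (b === BLOCK_THIRD_PARTY && !thirdParty);
  return { send: allowed(outgoing), accept: allowed(incoming) };
}

// Behaviour reported in the bug: value 1 also withholds outgoing cookies.
console.log(cookieDecision({ cookieBehavior: 1 }, null, "intranet.foo.com"));
// With the proposed prefs, the same request carries cookies but rejects new ones.
console.log(cookieDecision(samplePrefs, null, "intranet.foo.com"));
```
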
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INCOMPLETE