Open Bug 780079 Opened 12 years ago Updated 2 years ago

Cookies which have a domain starting with a '.' (dot) are considered third-party cookies by Firefox

Categories

(Firefox :: Security, defect)

14 Branch
x86
Windows 7
defect

UNCONFIRMED

People

(Reporter: msilvoso, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

Authentication (using the Luxtrust product) to www.guichet.lu or http://www.pt.lu/portal/CCPConnect?lang=en fails if the checkbox "Accept third-party cookies" is checked.


Actual results:

Apparently the session cookie's domain starts with a '.' (.services-publics.lu for instance), which could be the reason for the failure.


Expected results:

According to RFC 6265 the cookie's domain should not start with a '.'.
I don't know if such a cookie should then be considered a third-party cookie by Firefox and filtered out if the option is not checked.
This is a Luxtrust authentication (smart card), and cookies seem to be involved. It appears the problematic cookies are at lines greater than 1440 on both files.

Manu
Component: Untriaged → Security
Severity: normal → S3
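
How RFC 6265 has a user agent process a Domain attribute with a leading dot, as an added example that is not part of the original report and is not Firefox's code. The host `www.services-publics.lu` is constructed for illustration, the function names are hypothetical, and the public-suffix check of section 5.3 is omitted.

```javascript
// Added example: RFC 6265 Domain attribute handling (sections 5.2.3, 5.1.3, 5.3).
// Function names are hypothetical; hosts are from the report or constructed.

// Section 5.2.3: ignore one leading "." in the attribute value, then lowercase.
function normalizeDomainAttribute(value) {
  const v = value.startsWith(".") ? value.slice(1) : value;
  return v.toLowerCase();
}

// Rough IP-literal check: suffix matching applies to host names only.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// Section 5.1.3: identical strings, or host ends with "." + domain
// and host is a name rather than an IP address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  return !isIpLiteral(host) && host.endsWith("." + domain);
}

// Section 5.3, step 6 (public-suffix check of step 5 omitted): how a cookie
// received from requestHost is stored. Returns null when it must be ignored.
function storageDecision(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  const domain = normalizeDomainAttribute(domainAttr || "");
  if (domain === "") return { domain: host, hostOnly: true };
  if (!domainMatches(host, domain)) return null;
  return { domain, hostOnly: false };
}

// Constructed inputs: the dotted and undotted forms are stored identically.
const cases = [
  ["www.services-publics.lu", ".services-publics.lu"],
  ["www.services-publics.lu", "services-publics.lu"],
  ["www.guichet.lu", ".services-publics.lu"], // host does not domain-match
  ["www.guichet.lu", undefined],              // no Domain attribute: host-only
];
for (const [host, attr] of cases) {
  console.log(host, JSON.stringify(attr), "->", JSON.stringify(storageDecision(host, attr)));
}
```
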