Open Bug 787304 Opened 12 years ago Updated 2 years ago

Disabling third party cookies causes View Page Source requests to not send any cookies

Categories

(Core :: Networking: Cookies, defect, P5)

15 Branch
x86_64
Windows 7
defect

Tracking

UNCONFIRMED

People

(Reporter: dsarratt, Unassigned)

Details

(Whiteboard: [necko-would-take])

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0
Build ID: 20120824154833

Steps to reproduce:

Disabled "Accept third-party cookies" in Privacy Settings.
Loaded a webpage that requires cookies (e.g. an account settings page).
Right-clicked on the page, selected "View Page Source".

Reproducible: Always


Actual results:

When Firefox sends a new request to get the page source, it does so WITHOUT sending any cookies, causing the incorrect page to be loaded.


Expected results:

The page should have been requested WITH the existing cookies.
Testing shows this only happens if "Vary: Cookie" is in the HTTP headers of the requested page. If the Vary header does not include Cookie (or *), or if the Vary header is absent, Firefox performs as expected.
Component: Untriaged → Networking: Cookies
Product: Firefox → Core
I've found that if a cookie exception is in place in preferences to 'Allow' cookies from a specific domain, then the cookie is sent even if 'Allow third-party cookies' remains unchecked in privacy settings.

Example:
Third party cookies disallowed; no cookie exception in place for x.example.com

1) Log in to x.example.com
2) View source does not send any cookies to x.example.com
3) Add a privacy exception allowing cookies from x.example.com
4) View source now sends cookies to x.example.com and shows the correct page source
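
A small local test server for checking the behaviour described in the two comments above, added here as an example and not part of the bug report or of Firefox: it serves the same cookie-dependent page with and without `Vary: Cookie` and records whether each request carried the session cookie. The paths, port, cookie value and `Cache-Control` header are assumptions chosen for the test.

```python
# Added repro harness; paths, port and cookie value are constructed for the test.
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSION = "session=constructed-test-value"  # constructed sample cookie
seen = []  # (path, cookie_sent) for every request, in arrival order


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        cookie = self.headers.get("Cookie", "")
        logged_in = SESSION in cookie
        seen.append((self.path, logged_in))
        if self.path == "/login":
            body = b"cookie set; now open /vary and /novary\n"
            extra = [("Set-Cookie", SESSION + "; Path=/; HttpOnly")]
        else:
            body = b"ACCOUNT PAGE\n" if logged_in else b"LOGIN FORM\n"
            # /vary carries the header named in the report; /novary is the control.
            extra = [("Vary", "Cookie")] if self.path == "/vary" else []
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        # Assumption: mark the page cacheable so the Vary header is relevant.
        self.send_header("Cache-Control", "private, max-age=600")
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep output limited to the cookie report


def start(port=0):
    """Start the server on 127.0.0.1; port 0 picks a free port."""
    server = HTTPServer(("127.0.0.1", port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def report():
    """One line per request: did the client send the session cookie?"""
    return [f"{path} cookie={'yes' if sent else 'NO'}" for path, sent in seen]


if __name__ == "__main__":
    srv = start(8000)
    input("Serving on http://127.0.0.1:8000/login ; press Enter for report\n")
    print("\n".join(report()))
```

Visit `/login`, then use View Page Source on `/vary` and `/novary`; a `cookie=NO` line for `/vary` after login is the request described in this bug.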
It also happens on Firefox Developer Edition 37.0a2 (2015-02-12) under Linux (Debian wheezy).

I can confirm this happening as of the latest 42 alpha. The View Source functionality is essentially useless if you value your privacy. Previously, before this was broken, the View Source functionality would just show the previously downloaded source instead of reloading the page. There should never be a need to resubmit the page request, especially when that could result in POST'ing a form twice.
Whiteboard: [necko-would-take]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P5

This is still a problem in Firefox 80+. I am unable to debug my application in Firefox, because my server only sends the source if the browser request includes a valid cookie indicating I am logged in.

Other browsers (Chrome, Safari...) all handle this properly. This cannot be rocket science. 8 months ago a bug that is 19 years old was marked as a duplicate of this one. Is this ever going to get fixed???

bug 1149835 and bug 1654358 are likely related.

Severity: normal → S3