Closed
Bug 878311
Opened 12 years ago
Closed 5 years ago
The cookie-changed observer topic sent by nsICookieService should include an origin or DOM reference
Categories
(Core :: Networking: Cookies, enhancement, P5)
Core
Networking: Cookies
Tracking
()
RESOLVED
INVALID
People
(Reporter: pde-lists, Unassigned)
Details
(Whiteboard: [necko-would-take])
The cookie-changed observer topic is the only sane method for extensions to know when some piece of JS somewhere sets or modifies a cookie: https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsICookieService
However that observer callback doesn't tell you what the origin of the DOM is. But it should; there are a lot of reasons why extensions may need to know it.
|
Reporter | |
Comment 1•12 years ago
|
||
A couple of example use cases:
1. In HTTPS Everywhere, we have rules that add the "secure" flag to cookies on numerous sites, to prevent cookie theft attacks if the case where there are some holes in our HTTP->HTTPS rewrites for a particular domain.
However one should enable the secure flag if the cookie is being set from an HTTP origin! We have been unable to implement a sane version of this functionality for cookies set from JavaScript, and instead rely on a horrifying heuristic workaround to get close to the correct behaviour. https://gitweb.torproject.org/https-everywhere.git/blob/4.0development.7:/src/chrome/content/code/HTTPSRules.js#l607
2. For extensions that deal with cookie privacy issues, it is clearly important whether a JS set cookie event is creating or modifying a first or third party cookie!
|
|
Reporter | |
Comment 2•12 years ago
|
||
(In reply to Peter Eckersley from comment #1)
> However one should enable the secure flag if the cookie is being set from an
> HTTP origin!
Sorry, that should have read: "one should never enable the secure flag if the cookie is being set from an HTTP origin".
|
|
Reporter | |
Comment 3•12 years ago
|
||
Two possible implementation strategies:
1. Make an observable cookie-changed2 event, whose topic is a new kind of object that contains both the existing callback subject (nsICookie2 or nsIArray of nsICookie2 s) and an additional attribute which is the origin or a reference to the DOM.
2. Modify the nsICookie2 (would this mean it needs to become an nsICookie3?) to contain a "last modified by" attribute that is the origin which last changed the cookie. In the case of a cookie-changed callback, it could be promised that this would be the origin of the JS that caused the callback.
|
||
Comment 4•11 years ago
|
||
Mark Goodwin is working on a SameDomain cookie concept that will most likely also require extending nsICookie2. If the stars align it'd be nice to change the interface for both in the same release.
|
||
Updated•9 years ago
|
Whiteboard: [necko-would-take]
|
||
Comment 5•7 years ago
|
||
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P5
|
||
Comment 6•5 years ago
|
||
This is not needed anymore. Now extensions can use the cookie API.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•