[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted
From: |
Karol Hosiawa |
Subject: |
bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted urls |
Date: |
Tue, 2 Dec 2008 20:44:28 +0000 |
2008/12/2 Glenn Morris <rgm@gnu.org>:
>
> (Please keep 1401@emacsbugs in the Cc:)
>
>
> Karol Hosiawa wrote (on Tue, 2 Dec 2008 at 17:03 +0000):
>
>> api.blip.pl tried to set a cookie for domain .blip.pl - rejected
>
>
> Interesting - your problems arise through being in Poland. :)
>
> It seems to be an instance of this issue:
>
> http://crisp.tweakblogs.net/blog/ie-and-2-letter-domain-names.html
>
> I'm not sure what the right solution is. Adding pl (and gr, and ?) to
> url-cookie-two-dot-domains will fix it.
>
> Can anyone with experience in this area say how other browsers handle
> this?
>
I don't think it's connected to 2 character polish and greek TLDs,
that article describes a bit different IE specific problem, this
problem lies in the following function (some examples):
(url-cookie-host-can-set-p "api.blip.pl" ".blip.pl")
nil
(url-cookie-host-can-set-p "api.hosteurope.de" ".hosteurope.de")
nil
(url-cookie-host-can-set-p "images.google.nl" ".google.nl")
nil
These are all valid domains and this function should not return nil in
these cases.
It does work however if it's a subdomain, eg:
(url-cookie-host-can-set-p "api.del.icio.us" ".del.icio.us")
4
It also works for a simple case like this:
(url-cookie-host-can-set-p "api.blip.pl" "api.blip.pl")
t
(when the path is exactly the same as the host setting the cookie).
To see what I mean exactly by this being a bug you can:
1. Disallow third party cookies in FF
2. Go to http://api.blip.pl
3. View FF cookies - there will be a session cookie set by api.blip.pl
for .blip.pl path - allowed by FF
--
Karol Hosiawa