From: "Karol Hosiawa" <hosiawak@gmail.com>
To: "Glenn Morris" <rgm@gnu.org>
Cc: 1401@emacsbugs.donarmstrong.com
Subject: bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted urls
Date: Tue, 2 Dec 2008 20:44:28 +0000 [thread overview]
Message-ID: <577ed7ae0812021244u16eec55egaaf1d94628916ee7@mail.gmail.com> (raw)
In-Reply-To: <18741.34990.817107.710972@fencepost.gnu.org>
2008/12/2 Glenn Morris <rgm@gnu.org>:
>
> (Please keep 1401@emacsbugs in the Cc:)
>
>
> Karol Hosiawa wrote (on Tue, 2 Dec 2008 at 17:03 +0000):
>
>> api.blip.pl tried to set a cookie for domain .blip.pl - rejected
>
>
> Interesting - your problems arise through being in Poland. :)
>
> It seems to be an instance of this issue:
>
> http://crisp.tweakblogs.net/blog/ie-and-2-letter-domain-names.html
>
> I'm not sure what the right solution is. Adding pl (and gr, and ?) to
> url-cookie-two-dot-domains will fix it.
>
> Can anyone with experience in this area say how other browsers handle
> this?
>
I don't think it's connected to 2 character polish and greek TLDs,
that article describes a bit different IE specific problem, this
problem lies in the following function (some examples):
(url-cookie-host-can-set-p "api.blip.pl" ".blip.pl")
nil
(url-cookie-host-can-set-p "api.hosteurope.de" ".hosteurope.de")
nil
(url-cookie-host-can-set-p "images.google.nl" ".google.nl")
nil
These are all valid domains and this function should not return nil in
these cases.
It does work however if it's a subdomain, eg:
(url-cookie-host-can-set-p "api.del.icio.us" ".del.icio.us")
4
It also works for a simple case like this:
(url-cookie-host-can-set-p "api.blip.pl" "api.blip.pl")
t
(when the path is exactly the same as the host setting the cookie).
To see what I mean exactly by this being a bug you can:
1. Disallow third party cookies in FF
2. Go to http://api.blip.pl
3. View FF cookies - there will be a session cookie set by api.blip.pl
for .blip.pl path - allowed by FF
--
Karol Hosiawa
next prev parent reply other threads:[~2008-12-02 20:44 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-11-21 15:23 bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted urls Karol Hosiawa
2008-12-02 8:26 ` Glenn Morris
2008-12-02 17:03 ` Karol Hosiawa
2008-12-02 19:12 ` Glenn Morris
2008-12-02 20:44 ` Karol Hosiawa [this message]
2008-12-02 20:56 ` Glenn Morris
2011-09-11 18:16 ` Lars Magne Ingebrigtsen
2011-09-12 17:52 ` Glenn Morris
2011-09-13 19:38 ` Lars Magne Ingebrigtsen
2011-09-13 21:20 ` Glenn Morris
2011-09-13 21:22 ` Lars Magne Ingebrigtsen
2011-09-13 21:33 ` Glenn Morris
2011-09-15 0:33 ` Lars Magne Ingebrigtsen
2011-09-15 1:24 ` Stefan Monnier
2011-09-15 5:42 ` Lars Magne Ingebrigtsen
2012-04-10 1:53 ` Lars Magne Ingebrigtsen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=577ed7ae0812021244u16eec55egaaf1d94628916ee7@mail.gmail.com \
--to=hosiawak@gmail.com \
--cc=1401@emacsbugs.donarmstrong.com \
--cc=rgm@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).