From: "Karol Hosiawa"
To: "Glenn Morris"
Cc: 1401@emacsbugs.donarmstrong.com
Newsgroups: gmane.emacs.bugs
Subject: bug#1401: 23.0.60; url-cookie-handle-set-cookie doesn't check for trusted urls
Date: Tue, 2 Dec 2008 20:44:28 +0000
Message-ID: <577ed7ae0812021244u16eec55egaaf1d94628916ee7@mail.gmail.com>
In-Reply-To: <18741.34990.817107.710972@fencepost.gnu.org>
Xref: news.gmane.org gmane.emacs.bugs:22853

2008/12/2 Glenn Morris:
>
> (Please keep 1401@emacsbugs in the Cc:)
>
>
> Karol Hosiawa wrote (on Tue, 2 Dec 2008 at 17:03 +0000):
>
>> api.blip.pl tried to set a cookie for domain .blip.pl - rejected
>
>
> Interesting - your problems arise through being in Poland. :)
>
> It seems to be an instance of this issue:
>
> http://crisp.tweakblogs.net/blog/ie-and-2-letter-domain-names.html
>
> I'm not sure what the right solution is. Adding pl (and gr, and ?) to
> url-cookie-two-dot-domains will fix it.
>
> Can anyone with experience in this area say how other browsers handle
> this?

I don't think it's connected to 2-character Polish and Greek TLDs; that
article describes a bit different, IE-specific problem. This problem lies
in the following function (some examples):

  (url-cookie-host-can-set-p "api.blip.pl" ".blip.pl")
  nil

  (url-cookie-host-can-set-p "api.hosteurope.de" ".hosteurope.de")
  nil

  (url-cookie-host-can-set-p "images.google.nl" ".google.nl")
  nil

These are all valid domains and this function should not return nil in
these cases. It does work, however, if it's a subdomain, e.g.:

  (url-cookie-host-can-set-p "api.del.icio.us" ".del.icio.us")
  4

It also works for a simple case like this:

  (url-cookie-host-can-set-p "api.blip.pl" "api.blip.pl")
  t

(when the path is exactly the same as the host setting the cookie).

To see what I mean exactly by this being a bug you can:

1. Disallow third-party cookies in FF
2. Go to http://api.blip.pl
3. View FF cookies - there will be a session cookie set by api.blip.pl
   for .blip.pl path - allowed by FF

--
Karol Hosiawa
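The results above show the security trade-off behind a cookie-domain check: a host must never be allowed to scope a cookie to a name it does not own (a public suffix such as .pl or .co.uk, where a cookie would be readable by every registrant underneath), but a legitimate subdomain must still be allowed to scope to its registrable domain (.blip.pl). A rule that distinguishes these by counting dots, with a list of two-dot exceptions like the url-cookie-two-dot-domains Glenn mentions, cannot tell .blip.pl from .co.uk. The following is an added illustration written for this thread; it is not code from Emacs's url package, every my-cookie-* name is hypothetical, and the public-suffix table is a constructed sample standing in for the Public Suffix List. It also shows the label-boundary caveat that any suffix comparison needs: a plain "ends with" match would let evilblip.pl claim cookies for blip.pl.

```elisp
;;; Added illustration for bug#1401.  This is NOT code from Emacs's
;;; url-cookie.el; every my-cookie-* name is hypothetical and the suffix
;;; table is a constructed sample.

(defconst my-cookie-public-suffixes
  '("pl" "de" "nl" "us" "uk" "co.uk" "com" "net" "org")
  "Constructed sample of public suffixes: names under which the public
registers domains.  A real implementation would load the Public Suffix
List (https://publicsuffix.org/) instead of this short list.")

(defun my-cookie-normalize (name)
  "Return NAME downcased and without a leading dot."
  (let ((n (downcase name)))
    (if (and (> (length n) 0) (eq (aref n 0) ?.))
        (substring n 1)
      n)))

(defun my-cookie-registrable-domain (host)
  "Return HOST's registrable domain: its public suffix plus one more label.
Return nil when HOST is itself a public suffix, since no single host may
own a cookie scope that covers every name under a public suffix.  An
unknown top-level label is treated as a public suffix (the \"*\" default
of the Public Suffix List)."
  (let* ((labels (split-string (my-cookie-normalize host) "\\." t))
         (n (length labels)))
    (catch 'found
      ;; Try the full host first, then successively shorter tails, so the
      ;; first hit is the longest known suffix ("co.uk" wins over "uk").
      (dotimes (i n)
        (when (member (mapconcat #'identity (nthcdr i labels) ".")
                      my-cookie-public-suffixes)
          (throw 'found
                 (and (> i 0)
                      (mapconcat #'identity (nthcdr (1- i) labels) ".")))))
      ;; No known suffix: fall back to the last two labels.
      (and (> n 1)
           (mapconcat #'identity (nthcdr (- n 2) labels) ".")))))

(defun my-cookie-host-can-set-p (host domain)
  "Return t if HOST may set a cookie scoped to DOMAIN, else nil.
DOMAIN may carry a leading dot, as in a Set-Cookie header.  Three rules:
1. A host may always set a cookie for itself.
2. DOMAIN must match HOST on a label boundary, so \"evilblip.pl\" cannot
   claim \"blip.pl\" merely because it ends in those characters.
3. DOMAIN must be HOST's registrable domain or lie below it, so
   \"api.blip.pl\" may use \".blip.pl\" but not \".pl\", and
   \"foo.co.uk\" may not use \".co.uk\"."
  (let* ((h (my-cookie-normalize host))
         (d (my-cookie-normalize domain))
         (reg (my-cookie-registrable-domain h)))
    (cond
     ((string= h d) t)                                  ; rule 1
     ((null reg) nil)                                   ; host is a public suffix
     ((not (string-match (concat "\\." (regexp-quote d) "\\'") h))
      nil)                                              ; rule 2
     ((or (string= d reg)
          (string-match (concat "\\." (regexp-quote reg) "\\'") d))
      t)                                                ; rule 3
     (t nil))))
```

Evaluated on the examples from this report, my-cookie-host-can-set-p returns t for ("api.blip.pl" ".blip.pl"), ("api.hosteurope.de" ".hosteurope.de"), ("images.google.nl" ".google.nl"), ("api.del.icio.us" ".del.icio.us") and ("api.blip.pl" "api.blip.pl"), and nil for ("api.blip.pl" ".pl"), ("foo.co.uk" ".co.uk") and ("evilblip.pl" "blip.pl"). The leading "\\." in the rule 2 regexp is what makes the last case fail; without it, regexp-quote plus an end anchor would accept any host that merely ends in the characters of the domain.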