From: Glenn Morris
To: Karol Hosiawa
Cc: 1401@emacsbugs.donarmstrong.com
Newsgroups: gmane.emacs.bugs
Subject: bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted urls
Date: Tue, 02 Dec 2008 03:26:48 -0500

"Karol Hosiawa" wrote:

> The function url-cookie-handle-set-cookie in url-cookie.el
> doesn't check if url-cookie-trusted-urls is set. It does some
> preliminary checks but doesn't apply this info in the end.

I'm not sure if this is a bug or not. The function _does_ check the value of url-cookie-trusted-urls. It seems to control whether or not you get asked for confirmation about accepting cookies (assuming url-cookie-confirmation is non-nil, which by default it is not). You will never get asked to confirm accepting cookies from trusted URLs.

What your proposed patch would seem to do is allow trusted urls to set any cookies they like, even outside their own domain. I presume this corresponds to "third-party cookies". Firefox, for example, has a separate option to control this.

Currently, url will always reject third-party cookies, even from trusted sites. Perhaps there should be an option for this (nil, t, 'trusted?).
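
The policy this reply describes, together with the tri-state option it suggests, modelled as an added example (not part of the original message and not code from url-cookie.el). Every `demo-*` name and the sample URLs are assumptions, and the domain check is a simplified suffix match with no public-suffix handling.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration: a model of the policy described in the message.
;; All demo-* names are hypothetical; this is not code from url-cookie.el.
(require 'cl-lib)
(require 'subr-x)

(defvar demo-trusted-urls '("\\`https://intranet\\.example\\.org/")
  "Constructed sample: regexps for URLs whose cookies need no confirmation.")
(defvar demo-confirmation t
  "Non-nil means ask before accepting cookies from untrusted URLs.")
(defvar demo-third-party nil
  "Suggested option: nil = never, t = always, `trusted' = trusted URLs only.")

(defun demo-trusted-p (url)
  "Return non-nil if URL matches an entry of `demo-trusted-urls'."
  (cl-some (lambda (re) (string-match-p re url)) demo-trusted-urls))

(defun demo-host-can-set-p (host domain)
  "Return non-nil if HOST is DOMAIN or a subdomain of it (simplified check)."
  (let ((h (downcase host))
        (d (downcase (string-remove-prefix "." domain))))
    (or (string= h d) (string-suffix-p (concat "." d) h))))

(defun demo-cookie-decision (url host domain)
  "Return `accept', `ask' or `reject' for a cookie set by URL on HOST for DOMAIN."
  (let ((trusted (demo-trusted-p url)))
    (cond
     ;; Third-party cookie: being on the trusted list alone never overrides
     ;; this; only the separate third-party option can.
     ((and (not (demo-host-can-set-p host domain))
           (not (eq demo-third-party t))
           (not (and (eq demo-third-party 'trusted) trusted)))
      'reject)
     ;; The trusted list only suppresses the confirmation prompt.
     ((and demo-confirmation (not trusted)) 'ask)
     (t 'accept))))

;; Constructed cases: (URL HOST COOKIE-DOMAIN)
(dolist (sample '(("https://intranet.example.org/a" "intranet.example.org" ".example.org")
                  ("https://intranet.example.org/a" "intranet.example.org" "tracker.test")
                  ("https://shop.example.net/" "shop.example.net" "shop.example.net")))
  (message "%-32s domain=%-20s -> %s"
           (car sample) (nth 2 sample) (apply #'demo-cookie-decision sample)))
```

Evaluating the buffer with `demo-third-party` bound to `trusted` changes only the second case, which is the narrower behaviour the last paragraph of the reply proposes as an alternative to letting trusted URLs set arbitrary cookies unconditionally.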