From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Glenn Morris <rgm@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#1401: 23.0.60;
	url-cookie-handle-set-cookie doesnt check for trusted urls
Date: Tue, 02 Dec 2008 03:26:48 -0500
Message-ID: <dsiqq3ason.fsf@fencepost.gnu.org>
References: <577ed7ae0811210723s786a74c1l5f4292e653f04af1@mail.gmail.com>
Reply-To: Glenn Morris <rgm@gnu.org>, 1401@emacsbugs.donarmstrong.com
NNTP-Posting-Host: lo.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: ger.gmane.org 1228207840 24365 80.91.229.12 (2 Dec 2008 08:50:40 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Tue, 2 Dec 2008 08:50:40 +0000 (UTC)
Cc: 1401@emacsbugs.donarmstrong.com
To: Karol Hosiawa <hosiawak@gmail.com>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Tue Dec 02 09:51:44 2008
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([199.232.76.165])
	by lo.gmane.org with esmtp (Exim 4.50)
	id 1L7Qyu-0006bI-B2
	for geb-bug-gnu-emacs@m.gmane.org; Tue, 02 Dec 2008 09:51:44 +0100
Original-Received: from localhost ([127.0.0.1]:49276 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43)
	id 1L7Qxk-00010o-5b
	for geb-bug-gnu-emacs@m.gmane.org; Tue, 02 Dec 2008 03:50:32 -0500
Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1L7Qxg-00010d-No
	for bug-gnu-emacs@gnu.org; Tue, 02 Dec 2008 03:50:28 -0500
Original-Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1L7Qxe-0000zs-6B
	for bug-gnu-emacs@gnu.org; Tue, 02 Dec 2008 03:50:27 -0500
Original-Received: from [199.232.76.173] (port=45401 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1L7Qxe-0000zp-3X
	for bug-gnu-emacs@gnu.org; Tue, 02 Dec 2008 03:50:26 -0500
Original-Received: from rzlab.ucr.edu ([138.23.92.77]:58163)
	by monty-python.gnu.org with esmtps
	(TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.60)
	(envelope-from <debbugs@rzlab.ucr.edu>) id 1L7Qxd-0004RT-Hx
	for bug-gnu-emacs@gnu.org; Tue, 02 Dec 2008 03:50:25 -0500
Original-Received: from rzlab.ucr.edu (rzlab.ucr.edu [127.0.0.1])
	by rzlab.ucr.edu (8.13.8/8.13.8/Debian-3) with ESMTP id mB28oCHm007417; 
	Tue, 2 Dec 2008 00:50:12 -0800
Original-Received: (from debbugs@localhost)
	by rzlab.ucr.edu (8.13.8/8.13.8/Submit) id mB28Z3EO003068;
	Tue, 2 Dec 2008 00:35:03 -0800
X-Loop: don@donarmstrong.com
Resent-From: Glenn Morris <rgm@gnu.org>
Resent-To: bug-submit-list@donarmstrong.com
Resent-CC: Emacs Bugs <bug-gnu-emacs@gnu.org>, don@donarmstrong.com
Resent-Date: Tue, 02 Dec 2008 08:35:03 +0000
Resent-Message-ID: <handler.1401.B1401.12282064381729@emacsbugs.donarmstrong.com>
Resent-Sender: don@donarmstrong.com
X-Emacs-PR-Message: report 1401
X-Emacs-PR-Package: emacs,url
X-Emacs-PR-Keywords: 
Original-Received: via spool by 1401-submit@emacsbugs.donarmstrong.com
	id=B1401.12282064381729
	(code B ref 1401); Tue, 02 Dec 2008 08:35:03 +0000
Original-Received: (at 1401) by emacsbugs.donarmstrong.com; 2 Dec 2008 08:27:18 +0000
Original-Received: from fencepost.gnu.org (fencepost.gnu.org [140.186.70.10])
	by rzlab.ucr.edu (8.13.8/8.13.8/Debian-3) with ESMTP id mB28RFkt001723
	for <1401@emacsbugs.donarmstrong.com>; Tue, 2 Dec 2008 00:27:16 -0800
Original-Received: from rgm by fencepost.gnu.org with local (Exim 4.67)
	(envelope-from <rgm@gnu.org>)
	id 1L7Qam-0006JL-R1; Tue, 02 Dec 2008 03:26:48 -0500
X-Spook: STARLAN Centro rs9512c InfoSec spies spy counter
X-Ran: oc,,M3i+FGxZ^lKW'+z01HowB+tl{([cys&?H1;NHw>o?bW]6IVQP7kH?Q%x;?$FNUW%ir
X-Hue: red
X-Attribution: GM
In-Reply-To: <577ed7ae0811210723s786a74c1l5f4292e653f04af1@mail.gmail.com>
	(Karol Hosiawa's message of "Fri, 21 Nov 2008 15:23:37 +0000")
User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
X-detected-operating-system: by monty-python.gnu.org: GNU/Linux 2.6 (newer, 3)
Resent-Date: Tue, 02 Dec 2008 03:50:27 -0500
X-BeenThere: bug-gnu-emacs@gnu.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <http://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <http://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:22836
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/22836>

"Karol Hosiawa" wrote:

> The function url-cookie-handle-set-cookie in url-cookie.el
> doesn't check if url-cookie-trusted-urls is set. It does some
> preliminary checks but doesn't apply this info in the end.

I'm not sure if this is a bug or not. The function _does_ check the
value of url-cookie-trusted-urls. It seems to control whether or not
you get asked for confirmation about accepting cookies (assuming
url-cookie-confirmation is non-nil, which by default it is not). You
will never get asked to confirm accpeting cookies from trusted URLs.

What your proposed patch would seem to do is allow trusted urls to set
any cookies they like, even outside their own domain. I presume this
corresponds to "third-party cookies". Firefox, for example, has a
separate option to control this. Currently, url will always reject
third-party cookies, even from trusted sites. Perhaps there should be
an option for this (nil, t, 'trusted?).