GNU bug report logs - #1401
23.0.60; url-cookie-handle-set-cookie doesnt check for trusted urls

Previous Next

Full log

Message #13 received at 1401 <at> emacsbugs.donarmstrong.com (full text, mbox):

From: "Karol Hosiawa" <hosiawak <at> gmail.com>
To: "Glenn Morris" <rgm <at> gnu.org>
Subject: Re: bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted urls
Date: Tue, 2 Dec 2008 17:03:42 +0000

I'm writing a client for a webservice in Emacs.

The webservice is trying to set a cookie and here's what I get:

api.blip.pl tried to set a cookie for domain .blip.pl - rejected

Setting:

(setq url-cookie-trusted-urls "api.blip.pl")

doesn't have any effect. A similar client written in JS for Firefox
exists and works fine with the same webservice.

Is this a bug ? I think so, it's either that or a bug in
url-cookie-host-can-set-p function.


2008/12/2 Glenn Morris <rgm <at> gnu.org>:
> "Karol Hosiawa" wrote:
>
>> The function url-cookie-handle-set-cookie in url-cookie.el
>> doesn't check if url-cookie-trusted-urls is set. It does some
>> preliminary checks but doesn't apply this info in the end.
>
> I'm not sure if this is a bug or not. The function _does_ check the
> value of url-cookie-trusted-urls. It seems to control whether or not
> you get asked for confirmation about accepting cookies (assuming
> url-cookie-confirmation is non-nil, which by default it is not). You
> will never get asked to confirm accpeting cookies from trusted URLs.
>
> What your proposed patch would seem to do is allow trusted urls to set
> any cookies they like, even outside their own domain. I presume this
> corresponds to "third-party cookies". Firefox, for example, has a
> separate option to control this. Currently, url will always reject
> third-party cookies, even from trusted sites. Perhaps there should be
> an option for this (nil, t, 'trusted?).
>

--
Karol Hosiawa

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.