GNU bug report logs - #1401
23.0.60; url-cookie-handle-set-cookie doesn't check for trusted urls
Reported by: "Karol Hosiawa" <hosiawak <at> gmail.com>
Date: Fri, 21 Nov 2008 15:30:02 UTC
Severity: normal
Tags: fixed, patch
Fixed in version 24.2
Done: Lars Magne Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
2008/12/2 Glenn Morris <rgm <at> gnu.org>:
>
> (Please keep 1401 <at> emacsbugs in the Cc:)
>
>
> Karol Hosiawa wrote (on Tue, 2 Dec 2008 at 17:03 +0000):
>
>> api.blip.pl tried to set a cookie for domain .blip.pl - rejected
>
>
> Interesting - your problems arise through being in Poland. :)
>
> It seems to be an instance of this issue:
>
> http://crisp.tweakblogs.net/blog/ie-and-2-letter-domain-names.html
>
> I'm not sure what the right solution is. Adding pl (and gr, and ?) to
> url-cookie-two-dot-domains will fix it.
>
> Can anyone with experience in this area say how other browsers handle
> this?
>
I don't think it's connected to 2-character Polish and Greek TLDs;
that article describes a somewhat different, IE-specific problem. This
problem lies in the following function (some examples):
(url-cookie-host-can-set-p "api.blip.pl" ".blip.pl")
nil
(url-cookie-host-can-set-p "api.hosteurope.de" ".hosteurope.de")
nil
(url-cookie-host-can-set-p "images.google.nl" ".google.nl")
nil
These are all valid domains and this function should not return nil in
these cases.
It does work, however, if it's a subdomain, e.g.:
(url-cookie-host-can-set-p "api.del.icio.us" ".del.icio.us")
4
It also works for a simple case like this:
(url-cookie-host-can-set-p "api.blip.pl" "api.blip.pl")
t
(when the path is exactly the same as the host setting the cookie).
To see what I mean exactly by this being a bug you can:
1. Disallow third party cookies in FF
2. Go to http://api.blip.pl
3. View FF cookies - there will be a session cookie set by api.blip.pl
for .blip.pl path - allowed by FF
--
Karol Hosiawa
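
An added example, not part of the original message and not code from url-cookie.el: it contrasts a dot-counting rule of the kind `url-cookie-two-dot-domains` implies (modelled here on the Netscape cookie specification, which is an assumption about the real function) with an RFC 6265 style domain-match plus public-suffix check. The dot-counting rule refuses ".blip.pl" for "api.blip.pl", while the second check allows it and still refuses a bare ".pl". All `demo-` names and the suffix list are hypothetical and constructed for illustration.

```elisp
(require 'cl-lib)

;; Constructed sample; a real check would load the full Public Suffix List.
(defconst demo-public-suffixes '("pl" "de" "nl" "us" "co.uk")
  "Constructed subset of public suffixes, without leading dots.")

(defconst demo-two-dot-tlds
  "\\.\\(com\\|edu\\|net\\|org\\|gov\\|mil\\|int\\)\\'"
  "The seven TLDs for which the Netscape cookie spec accepts two dots.")

(defun demo-dot-count-can-set-p (host domain)
  "Legacy heuristic: DOMAIN needs 2 dots under a special TLD, else 3."
  (let* ((host (downcase host))
         (domain (downcase domain))
         (min-dots (if (string-match-p demo-two-dot-tlds domain) 2 3)))
    (or (string= host domain)
        (and (>= (cl-count ?. domain) min-dots)
             (string-suffix-p domain host)))))

(defun demo-domain-match-can-set-p (host domain)
  "RFC 6265 style check of whether HOST may set a cookie for DOMAIN.
DOMAIN must not be a public suffix and HOST must equal it or end in
\".\" followed by it.  Simplified: a public suffix is always refused,
and IP-address hosts are not handled."
  (let ((host (downcase host))
        (domain (downcase (if (string-prefix-p "." domain)
                              (substring domain 1)
                            domain))))
    (and (not (member domain demo-public-suffixes))
         (or (string= host domain)
             (string-suffix-p (concat "." domain) host)))))

(defun demo-compare (cases)
  "Return (HOST DOMAIN LEGACY RFC) for each (HOST . DOMAIN) in CASES."
  (mapcar (lambda (c)
            (list (car c) (cdr c)
                  (and (demo-dot-count-can-set-p (car c) (cdr c)) t)
                  (and (demo-domain-match-can-set-p (car c) (cdr c)) t)))
          cases))

;; Hosts from the report above, plus two constructed over-broad domains.
(demo-compare '(("api.blip.pl" . ".blip.pl")
                ("api.del.icio.us" . ".del.icio.us")
                ("api.blip.pl" . ".pl")
                ("www.example.co.uk" . ".co.uk")))
```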
This bug report was last modified 13 years and 101 days ago.