GNU bug report logs - #1401
23.0.60; url-cookie-handle-set-cookie doesnt check for trusted urls


Package: emacs;

Reported by: "Karol Hosiawa" <hosiawak <at> gmail.com>

Date: Fri, 21 Nov 2008 15:30:02 UTC

Severity: normal

Tags: fixed, patch

Fixed in version 24.2

Done: Lars Magne Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.


From: Glenn Morris <rgm <at> gnu.org>
To: Karol Hosiawa <hosiawak <at> gmail.com>
Cc: 1401 <at> debbugs.gnu.org
Subject: bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted urls
Date: Tue, 02 Dec 2008 03:26:48 -0500

"Karol Hosiawa" wrote:

> The function url-cookie-handle-set-cookie in url-cookie.el
> doesn't check if url-cookie-trusted-urls is set. It does some
> preliminary checks but doesn't apply this info in the end.

I'm not sure if this is a bug or not. The function _does_ check the
value of url-cookie-trusted-urls. It seems to control whether or not
you get asked for confirmation about accepting cookies (assuming
url-cookie-confirmation is non-nil, which by default it is not). You
will never get asked to confirm accepting cookies from trusted URLs.

What your proposed patch would seem to do is allow trusted urls to set
any cookies they like, even outside their own domain. I presume this
corresponds to "third-party cookies". Firefox, for example, has a
separate option to control this. Currently, url will always reject
third-party cookies, even from trusted sites. Perhaps there should be
an option for this (nil, t, 'trusted?).
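
A model of the behaviour this message describes, as an added example (not code from url-cookie.el or from anyone in the thread): the cookie's domain is checked against the requesting host independently of trust, and a trusted URL only skips the confirmation prompt. The `my-cookie-*` names, the sample URLs and the three-valued third-party option are assumptions for illustration, the last modelled on the suggestion that closes the message.

```elisp
;;; Added illustration, not code from url-cookie.el.  -*- lexical-binding: t -*-
;; Every my-cookie-* name and all sample URLs below are hypothetical.
(require 'seq)
(require 'url-parse)
(defvar my-cookie-trusted-regexps '("\\`https://intranet\\.example\\.org/")
  "Constructed sample: URLs whose cookies never trigger a confirmation prompt.")
(defvar my-cookie-confirmation nil
  "Non-nil means ask before accepting a cookie from a non-trusted URL.")
(defvar my-cookie-allow-third-party nil
  "Hypothetical option floated in the message: nil, t, or the symbol `trusted'.")

(defun my-cookie--trusted-p (url)
  "Return non-nil if URL matches an entry in `my-cookie-trusted-regexps'."
  (seq-some (lambda (re) (string-match-p re url)) my-cookie-trusted-regexps))

(defun my-cookie--domain-match-p (host domain)
  "Return non-nil if HOST equals DOMAIN or is a subdomain of it.
Plain suffix comparison; no public-suffix list is consulted."
  (let ((host (downcase host))
        (domain (downcase (if (string-prefix-p "." domain)
                              (substring domain 1)
                            domain))))
    (or (string= host domain)
        (string-suffix-p (concat "." domain) host))))

(defun my-cookie-decide (url cookie-domain)
  "Return `accept', `ask' or `reject' for a cookie that URL tries to set.
COOKIE-DOMAIN is the Domain attribute carried by the cookie."
  (let ((trusted (my-cookie--trusted-p url))
        (first-party (my-cookie--domain-match-p
                      (url-host (url-generic-parse-url url)) cookie-domain)))
    (cond
     ;; Scope check first: being trusted does not by itself widen the domain.
     ((and (not first-party)
           (not (eq my-cookie-allow-third-party t))
           (not (and trusted (eq my-cookie-allow-third-party 'trusted))))
      'reject)
     ;; Trust only decides whether the user is prompted.
     ((and my-cookie-confirmation (not trusted)) 'ask)
     (t 'accept))))

;; Constructed cases: (URL COOKIE-DOMAIN), shown under two option values.
(dolist (mode '(nil trusted))
  (let ((my-cookie-allow-third-party mode))
    (dolist (c '(("https://intranet.example.org/login" "intranet.example.org")
                 ("https://intranet.example.org/login" "ads.example.net")
                 ("https://shop.example.com/cart" ".example.com")))
      (message "third-party=%S %s domain=%s -> %s"
               mode (car c) (cadr c) (apply #'my-cookie-decide c)))))
```

Evaluating the buffer writes one line per case to `*Messages*`; only the second case, a trusted URL setting a cookie for a foreign domain, changes outcome between the two option values.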




This bug report was last modified 13 years and 102 days ago.
