bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted
From: Karol Hosiawa
Subject: bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted urls
Date: Tue, 2 Dec 2008 17:03:42 +0000

I'm writing a client for a webservice in Emacs.
The webservice is trying to set a cookie and here's what I get:
api.blip.pl tried to set a cookie for domain .blip.pl - rejected
Setting:
(setq url-cookie-trusted-urls "api.blip.pl")
doesn't have any effect. A similar client written in JS for Firefox
exists and works fine with the same webservice.
Is this a bug? I think so; it's either that or a bug in
the url-cookie-host-can-set-p function.
2008/12/2 Glenn Morris <rgm@gnu.org>:
> "Karol Hosiawa" wrote:
>
>> The function url-cookie-handle-set-cookie in url-cookie.el
>> doesn't check if url-cookie-trusted-urls is set. It does some
>> preliminary checks but doesn't apply this info in the end.
>
> I'm not sure if this is a bug or not. The function _does_ check the
> value of url-cookie-trusted-urls. It seems to control whether or not
> you get asked for confirmation about accepting cookies (assuming
> url-cookie-confirmation is non-nil, which by default it is not). You
> will never get asked to confirm accepting cookies from trusted URLs.
>
> What your proposed patch would seem to do is allow trusted urls to set
> any cookies they like, even outside their own domain. I presume this
> corresponds to "third-party cookies". Firefox, for example, has a
> separate option to control this. Currently, url will always reject
> third-party cookies, even from trusted sites. Perhaps there should be
> an option for this (nil, t, 'trusted?).
>
--
Karol Hosiawa
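
The decision order described in the quoted reply, as an added example that is not part of the thread and is not the code of url-cookie.el: the scope check runs first, and the trusted list only decides whether confirmation is skipped. All `my/` names and the sample values are hypothetical, and the scope check assumes the dot-count rule from the Netscape cookie specification, which the thread does not state.

```elisp
;;; -*- lexical-binding: t -*-
;; Stand-alone model; the my/ names are hypothetical, not url-cookie.el symbols.
(require 'cl-lib)

(defvar my/cookie-trusted-urls '("\\`api\\.blip\\.pl\\'")
  "Constructed sample: regexps for hosts whose cookies skip confirmation.")

(defvar my/cookie-two-dot-tlds
  "\\.\\(com\\|edu\\|net\\|org\\|gov\\|mil\\|int\\)\\'"
  "TLDs for which the Netscape cookie spec accepts a two-dot domain.")

(defun my/host-can-set-p (host domain)
  "Return non-nil if HOST may set a cookie scoped to DOMAIN.
Assumed rule (Netscape spec): DOMAIN needs two dots under the seven
special TLDs and three dots otherwise, and HOST must end in DOMAIN."
  (let* ((case-fold-search t)
         (mindots (if (string-match-p my/cookie-two-dot-tlds domain) 2 3)))
    (or (string= (downcase host) (downcase domain))
        (and (>= (cl-count ?. domain) mindots)
             (string-suffix-p domain host t)))))

(defun my/cookie-decision (host domain &optional confirm)
  "Return `reject', `ask' or `accept' for HOST setting a cookie for DOMAIN.
CONFIRM non-nil models a setting that asks the user about hosts
that are not on the trusted list."
  (cond
   ;; Scope check first: the trusted list is not consulted on this path,
   ;; so a trusted host cannot widen the domain it sets cookies for.
   ((not (my/host-can-set-p host domain)) 'reject)
   ;; Trust only removes the confirmation step.
   ((cl-some (lambda (re) (string-match-p re host)) my/cookie-trusted-urls)
    'accept)
   (confirm 'ask)
   (t 'accept)))

;; Constructed cases, checked when the file is loaded.
;; The pair from the report: trusted host, two-dot domain outside the special TLDs.
(cl-assert (eq (my/cookie-decision "api.blip.pl" ".blip.pl" t) 'reject))
;; Trusted host setting a cookie for itself: no confirmation.
(cl-assert (eq (my/cookie-decision "api.blip.pl" "api.blip.pl" t) 'accept))
;; Untrusted host inside an allowed scope: confirmation applies.
(cl-assert (eq (my/cookie-decision "www.example.com" ".example.com" t) 'ask))
(cl-assert (eq (my/cookie-decision "www.example.com" ".example.com") 'accept))
;; Host outside the domain it names: rejected whatever the trust setting.
(cl-assert (eq (my/cookie-decision "api.blip.pl" ".example.com") 'reject))
```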