PATCH: Bug 72811: Don't ask users to accept cookies without domain

Dawit A. adawit at kde.org
Tue May 18 14:28:29 BST 2004


On Tuesday 18 May 2004 05:29, Waldo Bastian wrote:
> On Tue May 18 2004 01:35, Dawit A. wrote:
> > Waldo,
> >
> > This patch allows the cookiejar to ignore cookie set/get requests for
> > URLs without hostnames as well as the local URL (file:///). Do you see
> > any problems with doing this?
>
> BR72811 asks to always accept them, this patch always rejects them. I'm
> inclined to say that they should always be accepted as session cookies. The
> rationale being that .war files might otherwise trigger javascript based
> "missing cookie support"-redirections contained in the html page.

But there is a problem with doing that. A local .war file contains no host 
information. As a result, the cookiejar is ill equipped to process it 
correctly even if the cookie contains a "domain=" property. In other words, all the
hostname/domain checking we do before setting a cookie fails to do its job 
properly because the cookie originated from a URL that does not have a 
hostname. The side effect of this is that the cookiejar simply processes and 
accepts the cookie which I think is unintentional and IMHO wrong. Without 
hostname information, the cookie spec simply does not work. 

Moreover, even if we accept the cookie, it will never match any host the .war 
file might redirect us to since it came from a completely different source, 
especially if the cookie contains no "domain=" property...

-- 
Regards,
Dawit A.
"Preach what you practice, practice what you preach"

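The argument in the message above, as an added example (not code from the patch or from the KDE cookiejar): a simplified C++ domain check that refuses a Set-Cookie when the originating URL has no hostname, and shows that a cookie stored under an empty host would never be sent to a real host. All type and function names are hypothetical, and public-suffix handling is left out.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Illustrative names only; this is not the cookiejar's real API.
enum class Verdict { Reject, HostOnly, DomainWide };

struct StoredCookie {
    std::string domain;  // host or domain the cookie is bound to
    bool hostOnly;       // true when the Set-Cookie had no domain= attribute
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// True when host equals domain or is a subdomain of it (label-aligned suffix).
bool domainMatch(const std::string& hostIn, const std::string& domainIn) {
    std::string host = lower(hostIn), domain = lower(domainIn);
    if (!domain.empty() && domain[0] == '.') domain.erase(0, 1);
    if (host.empty() || domain.empty()) return false;  // nothing to anchor on
    if (host == domain) return true;
    return host.size() > domain.size() &&
           host.compare(host.size() - domain.size(), domain.size(), domain) == 0 &&
           host[host.size() - domain.size() - 1] == '.';
}

// Decide what to do with a Set-Cookie seen while loading a URL with this host.
Verdict onSetCookie(const std::string& requestHost, const std::string& domainAttr,
                    StoredCookie* out) {
    if (requestHost.empty()) return Verdict::Reject;  // file:/// or .war content
    if (domainAttr.empty()) {
        *out = {lower(requestHost), true};
        return Verdict::HostOnly;
    }
    if (!domainMatch(requestHost, domainAttr)) return Verdict::Reject;
    std::string d = lower(domainAttr);
    if (d[0] == '.') d.erase(0, 1);
    *out = {d, false};
    return Verdict::DomainWide;
}

// Would this stored cookie be sent back to the given host?
bool wouldSend(const StoredCookie& c, const std::string& host) {
    return c.hostOnly ? (!host.empty() && lower(host) == c.domain)
                      : domainMatch(host, c.domain);
}
```
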


