[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted
From: |
Glenn Morris |
Subject: |
bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted urls |
Date: |
Tue, 02 Dec 2008 03:26:48 -0500 |
User-agent: |
Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/) |
"Karol Hosiawa" wrote:
> The function url-cookie-handle-set-cookie in url-cookie.el
> doesn't check if url-cookie-trusted-urls is set. It does some
> preliminary checks but doesn't apply this info in the end.
I'm not sure if this is a bug or not. The function _does_ check the
value of url-cookie-trusted-urls. It seems to control whether or not
you get asked for confirmation about accepting cookies (assuming
url-cookie-confirmation is non-nil, which by default it is not). You
will never get asked to confirm accpeting cookies from trusted URLs.
What your proposed patch would seem to do is allow trusted urls to set
any cookies they like, even outside their own domain. I presume this
corresponds to "third-party cookies". Firefox, for example, has a
separate option to control this. Currently, url will always reject
third-party cookies, even from trusted sites. Perhaps there should be
an option for this (nil, t, 'trusted?).
- bug#1401: 23.0.60; url-cookie-handle-set-cookie doesnt check for trusted urls,
Glenn Morris <=