[prev in list] [next in list] [prev in thread] [next in thread]
List: mozilla-security
Subject: Re: Script tag and cookie security
From: "Stephen P. Morse" <morse () netscape ! com>
Date: 2002-04-12 6:20:28
[Download RAW message or body]
That depends on whether the src attribute points to a server that is in
the same domain as the original request. From what you are describing,
it sounds like the cookie should have been sent out. So file a bug
report on this, giving all the details, and assign it to me (it will
automatically get assigined to me if you set the component to cookies).
Of course third-party cookie testing just started working recently
(prior to that the thir-party cookie test was pretty much being
ignored), so that is why this problem just started showing up.
-- Steve Morse
Tom True wrote:
>
> If "Enable cookies for the originating web site only" is set, should
> the script tag pass back a cookie when using the 'src' attribute? I've
> got a case where the main page sets a session id cookie with a path of
> /, but when <script> retrieves /javascript/md5.js, the cookie is _not_
> sent to the server and so a new 'Set-Cookie' sets the session id to a
> new value. As a result, it is impossible to log in. If I change cookie
> security to "Enable all cookies", everything works.
>
> This problem showed up some time after milestone .9.8.
>
> Thanks.
> Tom
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic