
List:       mozilla-security
Subject:    Re: Script tag and cookie security
From:       "Stephen P. Morse" <morse () netscape ! com>
Date:       2002-04-12 6:20:28

That depends on whether the src attribute points to a server that is in
the same domain as the original request.  From what you are describing,
it sounds like the cookie should have been sent out.  So file a bug
report on this, giving all the details, and assign it to me (it will
automatically get assigned to me if you set the component to cookies).

Of course third-party cookie testing just started working recently
(prior to that the third-party cookie test was pretty much being
ignored), so that is why this problem just started showing up.

-- Steve Morse


Tom True wrote:
> 
> If  "Enable cookies for the originating web site only" is set, should
> the script tag pass back a cookie when using the 'src' attribute?  I've
> got a case where the main page sets a session id cookie with a path of
>  /,  but when <script> retrieves /javascript/md5.js, the cookie is _not_
> sent to the server and so a new 'Set-Cookie' sets the session id to a
> new value.  As a result, it is impossible to log in.  If I change cookie
> security to "Enable all cookies", everything works.
> 
> This problem showed up some time after milestone .9.8.
> 
> Thanks.
> Tom
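
Added example, not part of the original thread and not Mozilla's cookie code: a sketch of the decision discussed above, showing why a relative `src` such as /javascript/md5.js counts as a first-party request and should carry a path-/ session cookie even with "originating web site only" set. The function names, the example.com/example.net hosts, and the two-label "same domain" comparison are assumptions made for illustration.

```javascript
// Illustration only. Assumption: "same domain" means the last two host
// labels match (naive; it mishandles suffixes such as co.uk).
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Cookie path match: the cookie path must be a prefix of the request
// path, ending on a "/" boundary.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Decide whether a host-only cookie set by the page is attached to a
// subresource request (for example a <script src=...> fetch).
function cookieSentWithSubresource(pageUrl, src, cookie, originatingSiteOnly) {
  const page = new URL(pageUrl);
  const target = new URL(src, page); // a relative src resolves against the page
  const thirdParty = baseDomain(target.hostname) !== baseDomain(page.hostname);
  if (originatingSiteOnly && thirdParty) {
    return { sent: false, reason: "third-party request blocked by preference" };
  }
  if (target.hostname.toLowerCase() !== cookie.host) {
    return { sent: false, reason: "cookie host mismatch" };
  }
  if (!pathMatches(cookie.path, target.pathname)) {
    return { sent: false, reason: "cookie path mismatch" };
  }
  return { sent: true, reason: "first-party request, host and path match" };
}

// Constructed sample input modelled on the report: session cookie with path /.
const sessionCookie = { host: "www.example.com", path: "/" };
const pageUrl = "http://www.example.com/login";
console.log(cookieSentWithSubresource(pageUrl, "/javascript/md5.js", sessionCookie, true));
console.log(cookieSentWithSubresource(pageUrl, "http://cdn.example.net/md5.js", sessionCookie, true));
```

If the server sees no cookie on the first request under the restrictive preference, the client has classified a same-host fetch as third-party, which matches the symptom reported in the thread.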
