Bug 16357 - XMLHttpRequest.setRequestHeader("Cookie","") does not work correctly
Summary: XMLHttpRequest.setRequestHeader("Cookie","") does not work correctly
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: XML (show other bugs)
Version: 523.x (Safari 3)
Hardware: Mac OS X 10.5
: P2 Normal
Assignee: Nobody
URL:
Keywords: HasReduction, InRadar
Depends on:
Blocks:
 
Reported: 2007-12-08 14:09 PST by Andreas Amann
Modified: 2008-07-27 23:57 PDT (History)
2 users (show)

See Also:


Attachments
Test case (setting empty cookie does not work) (830 bytes, text/html)
2007-12-08 14:10 PST, Andreas Amann
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Amann 2007-12-08 14:09:36 PST
Cookies specified by an XMLHttpRequest using setRequestHeader() are not being sent properly. Instead, the request uses the cookie jar and sends the cookies stored in Safari.

This makes it impossible to use multiple logins (e.g., for Dashboard widgets) to a site or explicitly sending an empty header and requires login through Safari for widgets connecting to cookie-based login sites.

See attached test case detailed instructions on how to reproduce this bug and check the actual headers being sent by the request.
Comment 1 Andreas Amann 2007-12-08 14:10:33 PST
Created attachment 17790 [details]
Test case (setting empty cookie does not work)
Comment 2 David Kilzer (:ddkilzer) 2007-12-08 14:55:02 PST
See Bug 16325 and r28515:
http://trac.webkit.org/projects/webkit/changeset/28515

To clear a cookie properly, I believe you need to set the same cookie name with a date in the past.

Does this work on other browsers (like MSIE or Firefox)?

Comment 3 Andreas Amann 2007-12-08 15:36:37 PST
(In reply to comment #2)

> Does this work on other browsers (like MSIE or Firefox)?

It used to work in Safari 2.0.x (and Dashboard in 10.4.x) - the problem is not just setting an empty cookie does not work but even setting XMLHttpRequest.setRequestHeader("Cookie","test=1234") will result in only the cookies from Safari being sent, the "test" cookie is nowhere to be found in the request being sent.

Firefox did not allow the request to be sent due to some security issue :-(
Comment 4 Mark Rowe (bdash) 2007-12-08 20:06:34 PST
Reporter had filed this in Radar as <rdar://problem/5567386>.  Commentary in the Radar shows that this issue is below WebKit in the CFNetwork layer.  I'm going close this bug as INVALID as the issue here is not inside WebKit.
Comment 5 Andreas Amann 2007-12-08 21:57:56 PST
(In reply to comment #4)
> Reporter had filed this in Radar as <rdar://problem/5567386>.  Commentary in
> the Radar shows that this issue is below WebKit in the CFNetwork layer.

Sorry about the dupe submission - I don't see any activity for the bug submitted to Radar. It would be extremely useful if submitters would see comments on bugs they submitted - currently submitting a bug is pretty much a black hole (unless they come back as duplicates which makes things even worse...)
Comment 6 Alexey Proskuryakov 2007-12-08 23:32:10 PST
(In reply to comment #5)
> Sorry about the dupe submission

It is perfectly OK and even helpful to file bugs in both places. It helps to cross-reference them, though.

(In reply to comment #3)
> Firefox did not allow the request to be sent due to some security issue :-(

So, does Firefox disallow setting the Cookie header for security reasons? We may want to block that more thoroughly than via a CFNetwork quirk then!
Comment 7 Andreas Amann 2007-12-08 23:42:26 PST
(In reply to comment #6)
> So, does Firefox disallow setting the Cookie header for security reasons? We
> may want to block that more thoroughly than via a CFNetwork quirk then!

No, Firefox disallows sending a non-local XMLHttpRequest from an HTML file loaded via the file:// protocol. This can be overwritten using
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
though (without any notification to the user):
http://www.mozilla.org/projects/security/components/signed-scripts.html

Comment 8 Alexey Proskuryakov 2008-06-27 23:43:47 PDT
Please note that the XMLHttpRequest spec now forbids setting the Cookie header, citing security reasons. We could have local files exempt from this limitation though.
Comment 9 Alexey Proskuryakov 2008-06-27 23:46:25 PDT
...not only we could, but this is already so.
Comment 10 Stu Charlton 2008-07-27 16:36:54 PDT
(In reply to comment #8)
> Please note that the XMLHttpRequest spec now forbids setting the Cookie header,
> citing security reasons. We could have local files exempt from this limitation
> though.
> 

Where in the spec is this?  http://www.w3.org/TR/XMLHttpRequest/ doesn't say anything of the sort
Comment 11 Alexey Proskuryakov 2008-07-27 23:57:42 PDT
A newer version of the draft is available at <http://dev.w3.org/cvsweb/~checkout~/2006/webapi/XMLHttpRequest/Overview.html?content-type=text/html;%20charset=utf-8>. This requirement is in setRequestHeader description.