Bug 3420 - XMLHttpRequest does not handle set-cookie headers
Summary: XMLHttpRequest does not handle set-cookie headers
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: XML (show other bugs)
Version: 412
Hardware: Mac OS X 10.4
: P2 Normal
Assignee: Alexey Proskuryakov
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2005-06-10 13:46 PDT by John Sullivan
Modified: 2007-01-05 11:43 PST (History)
3 users (show)

See Also:


Attachments
test case (3.79 KB, patch)
2007-01-03 06:39 PST, Alexey Proskuryakov
darin: review+
Details | Formatted Diff | Diff
fix the test (1.35 KB, patch)
2007-01-05 11:40 PST, Alexey Proskuryakov
darin: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description John Sullivan 2005-06-10 13:46:51 PDT
This is also in Radar as <rdar://problem/4079527>

When sending a login POST to a website with an XMLHttpRequest object in JavaScript, the expected 
behavior is the creation of a cookie that is reusable later (and ideally reusable by Safari when it directly 
hits the same domain).  However, that does not happen.  It appears that XMLHttpRequest is not handing 
the set-cookie headers that come back from such an action.

Attached cookiebug.zip.  It's a teardown of a 3rd-party Dashboard widget.  To reproduce:

0) Turn off popup blocking.
1) Load CRSX.html.  Username is dashboard, password 'tiger'
2) click "Log in normally" you'll be redirected to forums.clubrsx.com.  Notice that the front page says 
"Welcome, dashboard", acknowledging you've logged in.
3) Reload CRSX.html and click the "Clear all cookies" link to start over.
4) Log in again this time using the "Log in using XMLHttpRequest" link

The debug div will walk through the submission of the post. The login confirmation from the server will 
appear as a popup and you'll see the debug div throw out the set-cookie headers that the 
XMLHttpRequest received.  It will also send a 2nd request to the forum FAQ page, which should have a 
div saying "Welcome, dashboard" assuming the session was persisted.  It does not.  You can also 
confirm that cookies.xml has none of the entries listed in the debug div.

You can also to go clubrsx.com in a new window after the XMLHttpRequest login and see that it does 
not recognize that you've logged in.
Comment 1 John Sullivan 2005-06-10 13:47:24 PDT
Created attachment 2227
Comment 2 John Sullivan 2005-06-23 09:28:35 PDT
Comment on attachment 2227


Removed attachment as it contained login information.
Comment 3 Alexey Proskuryakov 2007-01-03 06:39:34 PST
Created attachment 12186 [details]
test case

I cannot reproduce this problem with shipping Safari or TOT. Here is a test case, since we didn't have this behavior covered.
Comment 4 Alexey Proskuryakov 2007-01-03 11:35:52 PST
Test committed revision 18549.
Comment 5 Mark Rowe (bdash) 2007-01-03 18:10:05 PST
I'm seeing this test failing locally in a debug build of r18568.

--- /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/LayoutTests/http/tests/xmlhttprequest/cookies-expected.txt       2007-01-04 10:51:32.000000000 +1100
+++ /tmp/layout-test-results/http/tests/xmlhttprequest/cookies-actual.txt       2007-01-04 12:57:04.000000000 +1100
@@ -1,4 +1,4 @@
 Tests for bug 3420: XMLHttpRequest does not handle set-cookie headers.
 
-SUCCESS
+FAIL: the cookie was not set
Comment 6 Alexey Proskuryakov 2007-01-04 02:06:37 PST
Could you please tell more about the failure?
1. Is this on Tiger or Leopard?
2. Does this test fail with shipping Safari?
3. Does it fail with a nightly build (without DRT)?
Comment 7 Mark Rowe (bdash) 2007-01-04 16:48:46 PST
I'm on Tiger.  I've narrowed the problem down somewhat -- the test fails when the URL is <http://127.0.0.1:8000/xmlhttprequest/cookies.html>, but passes when it is <http://localhost:8000/xmlhttprequest/cookies.html>.  The same behaviour occurs in DRT, Safari with WebKit 418.9.1, and Safari with ToT WebKit.
Comment 8 Alexey Proskuryakov 2007-01-05 11:40:04 PST
Created attachment 12241 [details]
fix the test

The test failed if there were other cookies already present for 127.0.0.1. I accounted for that in .html, but not in .cgi; fixed.
Comment 9 Darin Adler 2007-01-05 11:40:56 PST
Comment on attachment 12241 [details]
fix the test

r=me
Comment 10 Alexey Proskuryakov 2007-01-05 11:43:05 PST
Committed revision 18620.