Created attachment 254434 [details] test.cc and server.js to reproduce Hi, if i do this: ``` load blank page in private webview http://localhost:40001/one page change http://localhost:40001/one 0 page change http://localhost:40001/one 2 page change http://localhost:40001/one 3 set cookie by running script on page http://localhost:40001/one document.cookie = 'sid=firstcookie; Path=/'; loading blank page in another private webview http://localhost:40001/two page change http://localhost:40001/two 0 page change http://localhost:40001/two 2 page change http://localhost:40001/two 3 set cookie by running script on page http://localhost:40001/two document.cookie = 'sid=secondcookie; Path=/'; load actual page1 content with script that do a xhr GET request to /xhr (need a http server) page change http://localhost:40001/one 0 page change http://localhost:40001/one 2 page change http://localhost:40001/one 3 ``` then the HTTP server receives a request to http://localhost:40001/xhr with these headers: ``` { host: 'localhost:40001', referer: 'http://localhost:40001/one', 'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/601.1 (KHTML, like Gecko) Version/8.0 Safari/601.1', accept: '*/*', 'accept-encoding': 'gzip, deflate', 'accept-language': 'fr-fr', connection: 'Keep-Alive', cookie: 'sid=secondcookie' } ``` I expected cookie to be 'sid=firstcookie', especially in private mode. Am i wrong ? I attach actual code to reproduce with webkit2gtk 2.8 or 2.9 (and probably 2.6 too). The server part is a nodejs script but any other server is good.
> I expected cookie to be 'sid=firstcookie', especially in private mode. > Am i wrong ? I think cookies should never leak out of private mode. :(
Still happening with webkit2gtk up to 2.10.3
Oh, you're using the enable-private-browsing setting... Carlos, is that setting supposed to be exposed? In Epiphany we implement private browsing by using a separate profile directory and deleting the directory when we're done. I'm rather concerned that we have this setting if it doesn't work reliably. I've seen private browsing-related bugs fixed in Mac-specific ways in the past, which I thought was fine because I didn't realize we exposed this mode.
I thought someone would come and tell me "you did not enable private browsing so it's not a bug" - so i enabled the option, but you'll get the same result without it.
Created attachment 283316 [details] client test with a new context There was a bug in the test itself (the second view was used to load the first page). However, fixing that bug without setting a new context on each view does not isolate cookies.
So i finally understood how to isolate cookies by setting a new context for each new view. So the only "bug" left is the fact "private mode" setting is misleading, and should be dropped and replaced by proper use of context (?).