UNCONFIRMED 23520
Webkit does not properly handle cookies set by Bonjour sites using http response
https://bugs.webkit.org/show_bug.cgi?id=23520
Yuan Qi
Reported 2009-01-24 12:01:34 PST
This bug can be reproduced on Safari 3.2.1 and WebKit r40102.
This bug can only be reproduced by accessing the Bonjour site through its Bonjour URL, but not when it's accessed through its IP address.
This bug can only be reproduced when the cookie is set through an HTTP response, but not when it's set through JavaScript.

I noticed two related issues:
1. When WebKit is set to ignore 3rd party cookies, the cookie is not stored at all.
2. When WebKit is set to accept all cookies, the cookie is stored, but cannot be read.
Yuan Qi
Comment 1 2009-01-24 12:04:54 PST
Part of the HTTP response:
Set-Cookie sysauth=B5DA660A48613C990A9CE1BF512A01F2; path=/cgi-bin/luci/;stok=3A937557FC795C29CC1768A60ACFAC1E
Notice that path="/cgi-bin/luci/;stok=3A937557FC795C29CC1768A60ACFAC1E"
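How a parser following RFC 6265 (the current cookie specification, published after this report) reads the header quoted in Comment 1, as an added example that is not part of the bug report or of WebKit's code. The names `parseSetCookie`, `pathMatches` and `analyze` and the request path are assumptions made for illustration, and nothing here establishes what CFNetwork did in 2009.

```javascript
// Header value copied from Comment 1; the request path below is constructed.
const HEADER_VALUE =
  "sysauth=B5DA660A48613C990A9CE1BF512A01F2; path=/cgi-bin/luci/;stok=3A937557FC795C29CC1768A60ACFAC1E";
const LITERAL_PATH = "/cgi-bin/luci/;stok=3A937557FC795C29CC1768A60ACFAC1E";
const REQUEST_PATH = LITERAL_PATH + "/admin"; // assumption, for illustration

// RFC 6265 section 5.2: the first ';' ends the name=value pair and
// every later ';' starts a new attribute, even inside what looks like a path.
function parseSetCookie(value) {
  const parts = value.split(";");
  const pair = parts.shift();
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // missing '=' or empty name: header is ignored
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    path: null, // null means "use the default path"
    unknown: [], // attributes the parser does not recognise
  };
  for (const part of parts) {
    const i = part.indexOf("=");
    const attrName = (i === -1 ? part : part.slice(0, i)).trim();
    const attrValue = i === -1 ? "" : part.slice(i + 1).trim();
    if (attrName.toLowerCase() === "path") {
      cookie.path = attrValue.startsWith("/") ? attrValue : null;
    } else if (attrName !== "") {
      cookie.unknown.push([attrName, attrValue]);
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Compare the scope of the parsed path with the literal path noted in Comment 1.
function analyze() {
  const cookie = parseSetCookie(HEADER_VALUE);
  return {
    cookie,
    parsedMatchesTokenUrl: pathMatches(REQUEST_PATH, cookie.path),
    parsedMatchesBareUrl: pathMatches("/cgi-bin/luci/", cookie.path),
    literalMatchesBareUrl: pathMatches("/cgi-bin/luci/", LITERAL_PATH),
  };
}
console.log(analyze());
```

Under these rules the stored path is `/cgi-bin/luci/` and `stok` becomes an unrecognised attribute, so the cookie's scope is wider than the literal path string in the header suggests.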
Christopher Febles
Comment 2 2009-02-12 13:18:56 PST
I have seen this same issue here at the University of Rochester. We are setting our cookie through an HTTP Response, and have the same behavior that this bug is reporting. We are not using a Bonjour site, however, but the behavior is the same. I started a discussion thread here that led me to this bug: http://discussions.apple.com/thread.jspa?messageID=8987685
Christopher Febles
Comment 3 2009-02-13 05:56:18 PST
This bug is present in Safari 3.2.1 on Mac, but not present in Safari 3.2.1 on Windows, and not present in Safari 3.1.1 on Mac. This bug is present in the nightly build of WebKit, 40884. This is a regression bug.
Yuan Qi
Comment 4 2009-02-13 06:35:30 PST
Are you able to work around your bug by accessing the website through its IP address? If not, then we are looking at different bugs. This bug may be related to CFNetwork. It is NOT fixed by Apple Security Update 2009-001, which fixes a non-security-related bug affecting HTTP cookies.
Christopher Febles
Comment 5 2009-02-16 06:07:24 PST
I cannot work around this bug by accessing the website through its IP address, because of the way the site is designed. We have a mainframe program that sets the cookies, which are then read by the client. So accessing the site via its IP doesn't change the source address of the mainframe cookies. If you believe that these are unrelated issues, I can create another bug report.