Live bookmarks not cookie aware

Bug #226840 reported by bweber
Affects: firefox-3.0 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: bweber

Bug Description

Binary package hint: firefox-3.0

I am using live bookmarks to have a central place to keep my favourites. To keep those bookmarks private the page needs login credentials which are stored in a cookie. When updating the live bookmark, this cookie will not be used, so I just get prompted to log-in.

This is only happening on the Linux versions of FF3b5, with FF2 it works perfectly, the Win32 version of FF3b5 does not show this behaviour either.

Tested on:
Ubuntu 8.04 - as delivered,
Xandros (EeePC - using the .tar.bz2 package from mozilla.org)

ProblemType: Bug
Architecture: amd64
Date: Mon May 5 12:09:04 2008
DistroRelease: Ubuntu 8.04
Package: firefox-3.0 3.0~b5+nobinonly-0ubuntu3
PackageArchitecture: amd64
ProcEnviron:
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: firefox-3.0
Uname: Linux 2.6.24-16-generic x86_64

Tags: apport-bug
bweber (foxbow) wrote :

Seems to work fine with XUbuntu 7.10/8.04, trying to set up waterproof testcase.

Changed in firefox-3.0:
assignee: nobody → foxbow
status: New → Incomplete
bweber (foxbow) wrote :

This happens when setting the Cookie management to just allow cookies from the original site. Nonetheless it's confusing as it's just the Livebookmarks which are affected. Calling the RSS feed directly from the location bar will show all the contents and offer me to subscribe to the feed.

Changed in firefox-3.0:
status: Incomplete → Invalid
In , Bru-1b3i7 (bru-1b3i7) wrote :

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9.0.5) Gecko/2008121623 Ubuntu/8.10 (intrepid) Firefox/3.0.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.2a1pre) Gecko/20090125 Minefield/3.2a1pre

When third-party cookies are disabled, live bookmarks fail to authenticate by cookies, even on the same domain.

Reproducible: Always

Steps to Reproduce:
0. Disable third-party cookies in preferences > privacy by unchecking the "accept third-party cookies" button.
1. Find a feed that requires cookie authentication, i.e. Wikipedia watchlist: http://en.wikipedia.org/w/api.php?action=feedwatchlist
2. Open the feed as a web page. Check you are logged in and add it as a live bookmark.
3. Check live bookmark contents.

Actual Results:
On Wikipedia, you will get a unique element "Error (wlnotloggedin)", but not watchlist content.

Expected Results:
Watchlist content displayed without authentication error.

To confirm that you are still logged-in, you can re-enable third-party cookies and then refresh live bookmark. Also, reloading the feed displayed as webpage demonstrates that you are still logged-in.

I could confirm with LiveHTTPHeaders <http://livehttpheaders.mozdev.org/> extension that the problem comes from cookies. A cookie is always sent when third-party cookies are allowed. A cookie is always sent when the feed is opened as a webpage. Cookie is NOT sent when third-party cookies are disabled AND live bookmark is reloaded.

If your Wikipedia watchlist is empty, you can watch the page http://en.wikipedia.org/wiki/Wikipedia:Village_pump_%28miscellaneous%29 (click on the "watch" tab button) which is frequently updated. This allows you to clearly see whether your watchlist is displayed or not.

This bug was seen on a Windows XP i686 platform with Firefox 3.0.5; on Ubuntu 8.10 x64 with Firefox 3.0.5; and with latest-trunk Linux i686 nightly.

This could be a security issue for some people. See http://getsatisfaction.com/twitter/topics/how_do_i_use_firefoxs_live_bookmarks_with_twitter for an example where password was sent visible (along with the URL).
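
One way to automate the comparison the reporter made with LiveHTTPHeaders, as an added example that is not part of the original report: it parses a capture of request headers and lists the URLs that were fetched both with and without a Cookie header. The capture text, its simplified format, the placeholder cookie value and the function names are assumptions constructed for illustration.

```javascript
// Added example. The capture below is constructed: plain HTTP/1.1 request heads
// separated by blank lines (an assumed format, not any tool's exact output).
const CONSTRUCTED_CAPTURE = [
  "GET /w/api.php?action=feedwatchlist HTTP/1.1", // feed opened as a web page
  "Host: en.wikipedia.org",
  "Cookie: session=PLACEHOLDER",
  "",
  "GET /w/api.php?action=feedwatchlist HTTP/1.1", // live bookmark refresh
  "Host: en.wikipedia.org",
  "",
  "GET /wiki/Main_Page HTTP/1.1",                 // ordinary page load
  "Host: en.wikipedia.org",
  "Cookie: session=PLACEHOLDER",
].join("\r\n");

// Parse each request head into { url, hasCookie }.
function parseRequests(capture) {
  const requests = [];
  for (const block of capture.split(/\r?\n\r?\n/)) {
    const [requestLine, ...headerLines] = block.trim().split(/\r?\n/);
    const m = /^[A-Z]+ (\S+) HTTP\/\d\.\d$/.exec(requestLine);
    if (!m) continue; // skip anything that is not a request head
    const headers = new Map();
    for (const line of headerLines) {
      const i = line.indexOf(":");
      if (i > 0) headers.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
    }
    requests.push({
      url: (headers.get("host") || "") + m[1],
      hasCookie: Boolean(headers.get("cookie")),
    });
  }
  return requests;
}

// URLs requested both with and without a Cookie header: the symptom in this bug,
// where the same feed is authenticated as a page but not as a live bookmark.
function inconsistentCookieUrls(capture) {
  const seen = new Map();
  for (const { url, hasCookie } of parseRequests(capture)) {
    const s = seen.get(url) || { withCookie: 0, withoutCookie: 0 };
    if (hasCookie) s.withCookie++; else s.withoutCookie++;
    seen.set(url, s);
  }
  return [...seen].filter(([, s]) => s.withCookie && s.withoutCookie).map(([url]) => url);
}

console.log(inconsistentCookieUrls(CONSTRUCTED_CAPTURE));
```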

Xavier Robin (jti-533g) wrote :

I can confirm that it is specific to third-party cookie disabling (even if it is clearly not a third-party here).
I opened an upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=475238
It is not specific to Ubuntu and was verified also on a Windows system. Therefore I think it should be fixed upstream.

In , Shawn Wilsher (sdwilsh) wrote :

*** Bug 543766 has been marked as a duplicate of this bug. ***

In , Shawn Wilsher (sdwilsh) wrote :

Should be pretty easy to fix. In nsLivemarkService.js, the LS__updateLivemarkChildren function just needs to QI httpChannel to nsIHttpChannelInternal, and set forceAllowThirdPartyCookie.
