Copying cookies when creating web apps

Copying cookies when creating web apps

Michael Catanzaro-2
Hi,

In [1] a user discovered that Google Inbox is broken in Epiphany only
when used as a web app. The problem is that when creating a web app, we
copy all cookies for the web app's domain into the web app profile dir,
but no other cookies. Turns out Inbox depends on third-party cookies
(actually cookies from a different google domain) and breaks if Inbox
cookies are present without those other cookies. It uses frames, which
must be why our normal cookie policy (block third party cookies by
default) doesn't break Inbox.

Possible fixes:

 * Copy no cookies. User needs to log in again the first time the web
app is opened. One time cost. I'm leaning toward this right now, but it
seems a shame to remove this feature to work around a Google bug.
 * Copy all cookies. Almost all the cookies saved in the web app's
profile directory will then be unnecessary, and it will be impossible
to ever clear them.
 * Copy cookies only from the second-level domain (google.com). I
expect it would fix this case, but what if other sites have the same
problem. Also, this seems strange because it doesn't parallel the
normal security model for the web; subdomains are not trusted by parent
domains.

Thoughts, preferences, suggestions?

Michael

[1] https://bugzilla.gnome.org/show_bug.cgi?id=771540
_______________________________________________
epiphany-list mailing list
[hidden email]
https://mail.gnome.org/mailman/listinfo/epiphany-list
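
The copy options listed in the message above, modelled as an added example that is not part of the original post or of Epiphany's code: each policy is applied to a constructed set of cookie domains for an assumed app host `inbox.google.com`. The policy names and the helpers `sent_to`, `second_level` and `copied_mask` are hypothetical, "cookies for the web app's domain" is assumed to mean cookies a browser would send to the app host, and "second-level domain" is approximated as the last two labels.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample cookie domains (illustrative, not real Google cookies). */
static const char *const JAR[] = {
    "inbox.google.com",     /* bit 0: host-only cookie of the web app itself */
    "accounts.google.com",  /* bit 1: host-only cookie of the login host */
    ".google.com",          /* bit 2: domain cookie shared by all subdomains */
    ".ads.example",         /* bit 3: unrelated tracker */
};
enum policy { COPY_NONE, COPY_APP_HOST, COPY_SECOND_LEVEL, COPY_ALL };

/* RFC 6265 domain-match; no leading dot means host-only. Lowercase input assumed. */
static int sent_to(const char *host, const char *domain)
{
    if (*domain != '.') return strcmp(host, domain) == 0;
    size_t hl = strlen(host), dl = strlen(++domain);
    if (hl < dl || strcmp(host + hl - dl, domain) != 0) return 0;
    return hl == dl || host[hl - dl - 1] == '.';
}

/* Naive "last two labels" (assumption; real code needs the public suffix list). */
static const char *second_level(const char *d)
{
    const char *p = strrchr(d, '.');
    while (p && p > d && p[-1] != '.') p--;
    return p ? p : d;
}

static int should_copy(enum policy pol, const char *app, const char *dom)
{
    if (pol == COPY_APP_HOST) return sent_to(app, dom);
    if (pol == COPY_SECOND_LEVEL) return !strcmp(second_level(app), second_level(dom));
    return pol == COPY_ALL;
}

/* Bit i is set when JAR[i] would be copied into the web app profile. */
static unsigned copied_mask(enum policy pol, const char *app)
{
    unsigned mask = 0;
    for (size_t i = 0; i < sizeof JAR / sizeof JAR[0]; i++)
        if (should_copy(pol, app, JAR[i])) mask |= 1u << i;
    return mask;
}

int main(void)
{
    for (int p = COPY_NONE; p <= COPY_ALL; p++)
        printf("policy %d: copied mask 0x%x\n", p, copied_mask((enum policy)p, "inbox.google.com"));
    return 0;
}
```

With this constructed jar, the app-host policy copies bits 0 and 2 but leaves out the `accounts.google.com` cookie, while the second-level policy also pulls in every sibling subdomain's cookies.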

Re: Copying cookies when creating web apps

Carlos Garcia Campos
On Fri, 16-09-2016 at 20:31 -0500, Michael Catanzaro wrote:

> Hi,
>
> In [1] a user discovered that Google Inbox is broken in Epiphany only
> when used as a web app. The problem is that when creating a web app, we
> copy all cookies for the web app's domain into the web app profile dir,
> but no other cookies. Turns out Inbox depends on third-party cookies
> (actually cookies from a different google domain) and breaks if Inbox
> cookies are present without those other cookies. It uses frames, which
> must be why our normal cookie policy (block third party cookies by
> default) doesn't break Inbox.
>
> Possible fixes:
>
>  * Copy no cookies. User needs to log in again the first time the web
> app is opened. One time cost. I'm leaning toward this right now, but it
> seems a shame to remove this feature to work around a Google bug.
>  * Copy all cookies. Almost all the cookies saved in the web app's
> profile directory will then be unnecessary, and it will be impossible
> to ever clear them.
>  * Copy cookies only from the second-level domain (google.com). I
> expect it would fix this case, but what if other sites have the same
> problem. Also, this seems strange because it doesn't parallel the
> normal security model for the web; subdomains are not trusted by parent
> domains.
>
> Thoughts, preferences, suggestions?
If it's a gmail specific issue I would handle that as such, so when the
web app is for gmail I would not copy any cookie.

> Michael
>
> [1] https://bugzilla.gnome.org/show_bug.cgi?id=771540
--
Carlos Garcia Campos
http://pgp.rediris.es:11371/pks/lookup?op=get&search=0xF3D322D0EC4582C3

Re: Copying cookies when creating web apps

Michael Catanzaro-2
On Sat, 2016-09-17 at 10:18 +0200, Carlos Garcia Campos wrote:
> If it's a gmail specific issue I would handle that as such, so when the
> web app is for gmail I would not copy any cookie.

I don't really want to hardcode a workaround for Google, though. It's
probably related to missing cookies for accounts.google.com, but Google
is probably not the only such website that could be broken like this.
So I'm leaning towards never copying cookies.

Michael