[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #14059 [Tor Browser]: Revision of existing double key cookie logic to meet requirements



#14059: Revision of existing double key cookie logic to meet requirements
-----------------------------+----------------------------
     Reporter:  michael      |      Owner:  michael
         Type:  defect       |     Status:  needs_revision
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:  #3246
       Points:               |
-----------------------------+----------------------------
Changes (by gk):

 * status:  needs_information => needs_revision
 * keywords:  TorBrowserTeam201502R, GeorgKoppen201502R =>


Comment:

 Second part of the review:

 1) Please document why you use one time
 `mThirdPartyUtil->GetFirstPartyURIFromChannel` and the other time
 `mThirdPartyUtil->GetFirstPartyIsolationURI` and what that implies.

 2) You can't reuse `requireHostMatch` in `SetCookieStringInternal` as this
 would mean that the URL bar domain could influence unrelated cookies
 checks which it must not do.

 3)
 {{{
 // origin matches matches
 }}}

 4) There are several places where you just use `baseDomain` in
 nsCookie::Create() which is especially consifusing in `GetCookieFromRow()`
 as the first comment is talks about to skip reading the baseDomain what we
 do that nevertheless. Could you add a comment on this baseDomain usage
 please?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14059#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs