@nmalkin
Created July 30, 2014 22:58
Nightly cookies+redirect+iframe bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1046430

User agent:

This bug appears in the latest Nightly (Firefox 34). It behaves correctly in the current stable version (Firefox 31).

Steps to reproduce:

  1. Start with a page that sets a cookie and redirects (HTTP 302) in the same request
  2. Load that page in an iframe
  3. Make sure the page that serves the iframe is on a different host/origin from the page in the iframe

Expected behavior:

  • The cookie is set

Actual behavior:

  • The cookie is not set

Test case: (clone this gist to try it yourself)

This defines a simple server that sets a cookie before redirecting the page to a new destination. The destination checks to see if the cookie was set.

(To run the server, install Flask [pip install -r requirements.txt] and run server.py)

To see the bug in action: open iframe.html in your browser, as a local file. As you'll see, the iframe is redirected to the new page, but the cookie is not set.

If you now open the root of the server, which serves the exact same content, you'll see that, this time, the cookie is set successfully.

(Note that the page with the iframe doesn't have to be served over file://; the bug also appears if it's served over http or https, as long as the host/origin is different from that of the iframe.)

Extra:

  • I reproduced this on a fresh profile, with no extensions.
  • I cannot reproduce in Firefox 31, the current stable version.
iframe.html:

<iframe src="http://127.0.0.1:5000/start"></iframe>

server.py:

#!/usr/bin/env python
import flask

app = flask.Flask(__name__)
app.debug = True


@app.route('/start')
def start():
    # Set the cookie and issue the 302 redirect in the same response.
    response = flask.redirect('/finish')
    response.set_cookie('a_cookie', 'yes')
    return response


@app.route('/finish')
def finish():
    # Report whether the browser sent the cookie back after following the redirect.
    return 'Cookie set: %s' % flask.request.cookies.get('a_cookie', 'no')


@app.route('/reset')
def reset():
    # Expire the cookie immediately so the test can be repeated from a clean state.
    response = flask.make_response('Reset done')
    response.set_cookie('a_cookie', expires=0)
    return response


@app.route('/')
def iframe():
    # Same-origin version of iframe.html: here the cookie is set as expected.
    return '<iframe src="http://127.0.0.1:5000/start"></iframe>'


if __name__ == "__main__":
    app.run()
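A browser-independent check of the expected behavior above, added here as an example and not part of the gist: it mirrors the /start -> /finish flow with only the Python standard library (no Flask) and follows the 302 with a cookie jar, so you can confirm the server side is correct before attributing the missing cookie to the browser's cross-origin iframe handling.

```python
# Added example (not the gist's code): verify that a cookie set on a 302
# response survives the redirect when followed by a cookie-aware client.
import threading
from http import HTTPStatus
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import HTTPCookieProcessor, build_opener


class Handler(BaseHTTPRequestHandler):
    """Stand-in for the gist's server.py: /start sets a cookie and redirects."""

    def do_GET(self):
        if self.path == "/start":
            # Set-Cookie and Location travel in the same 302 response.
            self.send_response(HTTPStatus.FOUND)
            self.send_header("Set-Cookie", "a_cookie=yes; Path=/")
            self.send_header("Location", "/finish")
            self.end_headers()
        elif self.path == "/finish":
            cookies = self.headers.get("Cookie", "")
            got = "yes" if "a_cookie=yes" in cookies else "no"
            body = "Cookie set: %s" % got
            self.send_response(HTTPStatus.OK)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body.encode())
        else:
            self.send_error(HTTPStatus.NOT_FOUND)

    def log_message(self, *args):
        pass  # keep the check quiet


def check_cookie_survives_redirect():
    """Serve on a free port, GET /start with a cookie jar, return /finish's body."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # HTTPCookieProcessor stores the cookie from the 302 and resends it
        # on the redirected request, which is the expected browser behavior.
        opener = build_opener(HTTPCookieProcessor(CookieJar()))
        url = "http://127.0.0.1:%d/start" % server.server_port
        with opener.open(url) as resp:
            return resp.read().decode()
    finally:
        server.shutdown()


if __name__ == "__main__":
    print(check_cookie_survives_redirect())
```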