nsICookieManager2.add is changed

Bug reports and enhancement requests
Post Reply
PLD
Junior Member
Posts: 30
Joined: Fri May 08, 2015 7:00 am

nsICookieManager2.add is changed

Post by PLD »

Saw some of these recently:

Code: Select all

“nsICookieManager2.add()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2      
Source was chrome://noscript/content/Cookie.js:120:21.

I saw these when entering the site using https://www.verizon.com/ForYourHome/Bil ... yBill.aspx. They came right after NoScript "cleaning secure flag" messages like:

Code: Select all

[NoScript HTTPS] Cleaning Secure flag from AAAAAAA=BBBBBBBB; domain=.verizon.com; path=/; Secure
I have Verizon cookies allowed for session, I force HTTPS at all Verizon domains, and I have the Enable Automatic Secure Cookies Management option checked (with nothing in the boxes). Using NS 2.9.0.14, FF 49.0.2.

I'm not sure what is going on and whether it reflects a real problem. I don't think Verizon's site fully supports HTTPS, but it does well enough to allow me into my account. I think I also saw some NoScript messages mentioning toggling of the secure flag. I'll try to learn more when I get a chance. Thought I'd share what I can now.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: nsICookieManager2.add is changed

Post by barbaz »

I'm not sure what to make of this. Got a similar message today from a custom add-on:

Code: Select all

“nsICookieManager2.getCookiesFromHost()” is changed. Update your code and pass the correct originAttributes. Read more on MDN: https://developer.mozilla.org/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICookieManager2
If you actually go to that link, originAttributes isn't mentioned anywhere. But it does exist - https://dxr.mozilla.org/mozilla-central ... nager2.idl

Looks like this is not a problem atm, but will be in future. Thanks for bringing this up.
*Always* check the changelogs BEFORE updating that important software!
-
PLD
Junior Member
Posts: 30
Joined: Fri May 08, 2015 7:00 am

Re: nsICookieManager2.add is changed

Post by PLD »

I'm starting to look around. Since it is related, mind if I put questions here? If you prefer elsewhere, feel free to move.

1) What's is the objective of Cookie.js line #134?

Code: Select all

133:  sameAs: function(c) {
134:    (c instanceof Ci.nsICookie) && (c instanceof Ci.nsICookie2);
135:    return Cookie.computeId(c) == this.id;
136:  },
2) I'd like an opinion on HTTPS.js about line #195. It appears to me that Cookie.find enumerates cookies via nsICookieManager and the variable c here should be an instance of nsiCookie. But nsiCookie doesn't have a property named "secure" (it uses isSecure). So I'm thinking the return on line 196 will never be true. And if the c.secure were changed to c.isSecure it would be looking for *any* secure cookie including cookies set for domains totally unrelated to the current one. What am I missing?

Code: Select all

193:          if (unsafe && !(forced || secureFound)) {
194:            // this page did not set any secure cookie, let's check if we already have one
195:            secureFound = Cookie.find(function(c) {
196:              return (c instanceof Ci.nsICookie) && (c instanceof Ci.nsICookie2)
197:                && c.secure && !unsafe.find(function(x) { return x.sameAs(c); })
198:            });
199:            if (secureFound) {
200:              this.log("Secure cookie found for this host: " + Cookie.prototype.toString.apply(secureFound));
201:            }
202:          }
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: nsICookieManager2.add is changed

Post by Giorgio Maone »

They changed the interface but didn't bother to document it on MDN, maybe because they kept the extra parameter optional in order not to break add-ons (see comments in the code).
PLD wrote: 1) What's is the objective of Cookie.js line #134?
To tell whether two cookies are equivalent, even if set on different origins (http://xy.z is different than https://xy.z) and with different flags.
PLD wrote: 2) I'd like an opinion on HTTPS.js about line #195. It appears to me that Cookie.find enumerates cookies via nsICookieManager and the variable c here should be an instance of nsiCookie.
Good catch! The callback erronously assumes the nsICookie instance is wrapped in a r/w Cookie object, which does have a "secure" property.
The effect is that all the HTTP cookies are upgraded on HTTPS connections, even if a Secure one is present. No security degradation here (actually, this policy is stricter than intended) but it has more chance of breaking poorly configured websites. It's been this way for ever now, so it doesn't seem to be a big deal, but I'm fixing it nevertheless, thank you.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
PLD
Junior Member
Posts: 30
Joined: Fri May 08, 2015 7:00 am

Re: nsICookieManager2.add is changed

Post by PLD »

I meant Cookie.js line #134 appears to have no effect. It is simply:

Code: Select all

134:    (c instanceof Ci.nsICookie) && (c instanceof Ci.nsICookie2);
Is that a remnant of something or does it actually do something? I tried to see if noscript-2.9.5rc21.xpi has the same line but got a 404 for https://secure.informaction.com/downloa ... .5rc21.xpi.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Post Reply