Bugzilla cookies HTTP only

Gervase Markham gerv at mozilla.org
Tue Jan 19 11:30:22 UTC 2010

On 15/01/10 23:49, Daniel Veditz wrote:
> Any add-on can get the real cookies through the cookie service.

A fair point, indeed.

> Isn't it somewhat irritating--and temporary--that the BzAPI doesn't
> actually live at bugzilla.mozilla.org ? Once the API is production-ready
> it will presumably be hosted at BMO and this won't be a problem.

There are currently no plans to host it on the exact same machine. We
could do that eventually but, given the understandable concern there
would be about installing new software on an important production
system, it's a way off.

Also, it's useful for people to be able to set up a BzAPI against a
legacy Bugzilla, even one they don't control.

> The fact that a GreaseMonkey script wants to ship the BMO cookie off to
> a 3rd party server is suspicious and alarming and we shouldn't be
> training people that this is a perfectly normal and OK behavior.

Hmm. Yes.

> Wait a minute, aren't bugzilla login cookies scoped to an IP address? If
> users are bouncing requests off your server why isn't BMO rejecting the
> cookie when it comes in from that different address?

I hadn't even got that far. Maybe you're right.

OK, I give up :-) We'll just have to say you can't do this easily right now.

dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org