Comments on: XMLHttpRequest::setRequestHeader()

By: Andreas Amann

Andreas Amann — Sun, 09 Dec 2007 06:05:43 +0000

http://bugs.webkit.org/show_bug.cgi?id=16357#c4

Seems like this is located fairly deep in the system…

By: Andreas Amann

Andreas Amann — Sat, 08 Dec 2007 21:22:47 +0000

Arrgh, isn’t supposed to prevent this? Trying again…








	xmlRequest Cookie Test

	





	


		Type the following command in the Terminal


			sudo tcpdump -i en1 -c5 -A -s1500 dst host http://www.apple.com | grep ^Cookie


			(using en0 instead of en1 when using a wired instead of wireless connection


		Send new xmlRequest with empty Cookie via JavaScript


		Check Therminal output



By: Andreas Amann
Andreas Amann — Sat, 08 Dec 2007 21:20:48 +0000
The improper cookie handling is new in Safari 3 (at least in Leopard - I didn’t go back to test in Tiger). It seems that XMLHttpRequest for any Webkit-powered application (this includes the Dashboard) is using Safari’s cookie storage and sends the cookies in Safari. This most likely is the reason why your test works for some (it does for me in 3.0.4/10.5.1) but not for others - if Safari already has cookies for the site the XHR is going to, it the XHR will send those cookies. If no cookies are present, it seems as if the cookies specified in the setRequestHeader() are correctly used.
This is a serious issue as it breaks all cookie handling for Dashboard Widgets - I reported this to Apple as a bug back on 10/29 but it hasn’t even been confirmed yet (rdar://5567386)
The following is a little test to verify what is going on:
Steps to Reproduce:

1. Visit http://www.apple.com at least once with Safari to make sure that Safari has some cookies for the site

2. Create a new HTML file with the content outlines below and open it in Safari

3. Open Terminal and execute the command specified in the first step outlined in the HTML

4. Click the link in the second step of the HTML (this will send a new xmlRequest to http://www.apple.com with explicitly setting the Cookie to “” (i.e., no cookie sent)

5. Check the Terminal for the output of the command - this will (in addition to summary information from the tcpdump command) show the Cookie header sent by the xmlRequest

	xmlRequest Cookie Test
		function send_xmlRequest()

		{

			var xmlRequest = new XMLHttpRequest();

			xmlRequest.onload = function() {}

			xmlRequest.open("GET","http://www.apple.com/");

			xmlRequest.setRequestHeader("Cache-Control", "no-cache");

			xmlRequest.setRequestHeader("Cookie", "");

			xmlRequest.send(null);

		}
		Type the following command in the Terminal

			sudo tcpdump -i en1 -c5 -A -s1500 dst host http://www.apple.com | grep ^Cookie

			(using en0 instead of en1 when using a wired instead of wireless connection

		Send new xmlRequest with empty Cookie via JavaScript

		Check Therminal output




By: Ryan
Ryan — Tue, 20 Nov 2007 05:52:53 +0000
Frank…not that I’m aware of. I still don’t see the cookie in 3.0.4. So…odd.



By: Frank Manno
Frank Manno — Mon, 19 Nov 2007 13:57:18 +0000
Weird… I see it on Safari 2.0.4 (419.3):
Cookies

thisisa=test
Has a workaround been found, Ryan?



By: Ryan
Ryan — Sun, 18 Nov 2007 06:08:20 +0000
Sam, I’m running 3.0.4 on Leopard and I never see my “thisisa” cookie. What version are you running?
Steve, yeah…I’ve seen that bug called out before. Unfortunately, since I’m using the YUI connection manager, I’m not actually controlling the call to setRequestHeader().



By: Steve
Steve — Sat, 17 Nov 2007 20:50:44 +0000
You need to add it twice via setHeader in IE: http://support.microsoft.com/?id=234486
Or, just use setCookie() instead.



By: Sam Pullara
Sam Pullara — Sat, 17 Nov 2007 17:30:20 +0000
When I refreshed it though, I see Google Analytics cookies 



By: Sam Pullara
Sam Pullara — Sat, 17 Nov 2007 17:29:28 +0000
Your test works in Safari 3.0 on Leopard as well.