Title: [214246] trunk
Revision: 214246
Author: [email protected]
Date: 2017-03-22 03:09:23 -0700 (Wed, 22 Mar 2017)

Log Message

[Soup] "Only from websites I visit" cookie policy is broken
https://bugs.webkit.org/show_bug.cgi?id=168912

Reviewed by Carlos Garcia Campos.

Source/WebCore:

Do not reset the first party for cookies on redirects. That's properly done for the main
resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
wrong (which is what we were doing since r143931).

The most notable effect was that subresources loaded via redirects were effectively
bypassing the "no third party" policy for cookies.

Test: http/tests/security/cookies/third-party-cookie-blocking-redirect.html

* platform/network/soup/ResourceHandleSoup.cpp:
(WebCore::doRedirect):

Source/WebKit2:

Do not reset the first party for cookies on redirects. That's properly done for the main
resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
wrong (which is what we were doing since r143931).

The most notable effect was that subresources loaded via redirects were effectively
bypassing the "no third party" policy for cookies.

* NetworkProcess/soup/NetworkDataTaskSoup.cpp:
(WebKit::NetworkDataTaskSoup::continueHTTPRedirection):

LayoutTests:

* http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt: Added.
* http/tests/security/cookies/third-party-cookie-blocking-redirect.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (214245 => 214246)


--- trunk/LayoutTests/ChangeLog	2017-03-22 10:07:14 UTC (rev 214245)
+++ trunk/LayoutTests/ChangeLog	2017-03-22 10:09:23 UTC (rev 214246)
@@ -1,5 +1,15 @@
 2017-03-21  Sergio Villar Senin  <[email protected]>
 
+        [Soup] "Only from websites I visit" cookie policy is broken
+        https://bugs.webkit.org/show_bug.cgi?id=168912
+
+        Reviewed by Carlos Garcia Campos.
+
+        * http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt: Added.
+        * http/tests/security/cookies/third-party-cookie-blocking-redirect.html: Added.
+
+2017-03-21  Sergio Villar Senin  <[email protected]>
+
         All http/ tests with PHP fail in Debian unstable with php7
         https://bugs.webkit.org/show_bug.cgi?id=169913
 

Added: trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt (0 => 214246)


--- trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt	2017-03-22 10:09:23 UTC (rev 214246)
@@ -0,0 +1,9 @@
+Checks that subresources that got redirected do not circumvent third-party cookie rules.
+This test PASS if you can see the text "FAILED: Cookie not set".
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+FAILED: Cookie not set
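Review bot: The pass condition on the second line is keyed to the string "FAILED: Cookie not set", which reads as a failure to anyone scanning results or grepping the expectations for FAILED. Since that string is the dumped frame text, reword the description so the intent is explicit, for example "This test passes if the frame below reports that the cookie was not set", and fix "This test PASS" to "This test passes" here and in the matching paragraph of the .html file.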
Property changes on: trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt
___________________________________________________________________

Added: svn:eol-style

+LF \ No newline at end of property

Added: trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect.html (0 => 214246)


--- trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect.html	2017-03-22 10:09:23 UTC (rev 214246)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<script>
+function test() {
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+
+    if (testRunner.setPrivateBrowsingEnabled)
+        testRunner.setPrivateBrowsingEnabled(true);
+
+    testRunner.setAlwaysAcceptCookies(false);
+}
+</script>
+
+<p>Checks that subresources that got redirected do not circumvent third-party cookie rules.<br>This test PASS if you can see the text "FAILED: Cookie not set".</p>
+<iframe _onload_="test" src=""
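Review bot: On the iframe line, the load handler as rendered here is the bare identifier test rather than a call, so test() would never execute and testRunner.notifyDone() would not fire after waitUntilDone(); please confirm the attribute is a call to test(). The src is empty in this rendering, so the redirect chain the test depends on cannot be checked from the visible lines. Also, test() makes no assertion of its own: a short comment saying that the verdict comes from the child frame text captured by dumpChildFramesAsText() would make the test easier to maintain.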
Property changes on: trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect.html
___________________________________________________________________

Added: svn:eol-style

+LF \ No newline at end of property

Added: svn:mime-type

+text/html \ No newline at end of property

Modified: trunk/Source/WebCore/ChangeLog (214245 => 214246)


--- trunk/Source/WebCore/ChangeLog	2017-03-22 10:07:14 UTC (rev 214245)
+++ trunk/Source/WebCore/ChangeLog	2017-03-22 10:09:23 UTC (rev 214246)
@@ -1,3 +1,22 @@
+2017-03-21  Sergio Villar Senin  <[email protected]>
+
+        [Soup] "Only from websites I visit" cookie policy is broken
+        https://bugs.webkit.org/show_bug.cgi?id=168912
+
+        Reviewed by Carlos Garcia Campos.
+
+        Do not reset the first party for cookies on redirects. That's properly done for the main
+        resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
+        wrong (which is what we were doing since r143931).
+
+        The most notable effect was that subresources loaded via redirects were effectively
+        bypassing the "no third party" policy for cookies.
+
+        Test: http/tests/security/cookies/third-party-cookie-blocking-redirect.html
+
+        * platform/network/soup/ResourceHandleSoup.cpp:
+        (WebCore::doRedirect):
+
 2017-03-22  Carlos Garcia Campos  <[email protected]>
 
         Make it possible to use WEB_UI_STRING macros to mark translatable strings in glib based ports

Modified: trunk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp (214245 => 214246)


--- trunk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp	2017-03-22 10:07:14 UTC (rev 214245)
+++ trunk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp	2017-03-22 10:09:23 UTC (rev 214246)
@@ -322,7 +322,6 @@
     URL newURL = URL(URL(soup_message_get_uri(message)), location);
     bool crossOrigin = !protocolHostAndPortAreEqual(handle->firstRequest().url(), newURL);
     newRequest.setURL(newURL);
-    newRequest.setFirstPartyForCookies(newURL);
 
     if (newRequest.httpMethod() != "GET") {
         // Change newRequest method to GET if change was made during a previous redirection
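Review bot: With the setFirstPartyForCookies(newURL) call gone, nothing at this spot says that leaving the first party untouched is deliberate, and the line looks like a natural thing to add back next to newRequest.setURL(newURL). A one-line comment here stating that the first party for cookies is intentionally preserved across redirects, and that the main resource case is handled in DocumentLoader::willSendRequest, would protect against reintroducing the third-party cookie bypass described in the log.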

Modified: trunk/Source/WebKit2/ChangeLog (214245 => 214246)


--- trunk/Source/WebKit2/ChangeLog	2017-03-22 10:07:14 UTC (rev 214245)
+++ trunk/Source/WebKit2/ChangeLog	2017-03-22 10:09:23 UTC (rev 214246)
@@ -1,3 +1,20 @@
+2017-03-21  Sergio Villar Senin  <[email protected]>
+
+        [Soup] "Only from websites I visit" cookie policy is broken
+        https://bugs.webkit.org/show_bug.cgi?id=168912
+
+        Reviewed by Carlos Garcia Campos.
+
+        Do not reset the first party for cookies on redirects. That's properly done for the main
+        resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
+        wrong (which is what we were doing since r143931).
+
+        The most notable effect was that subresources loaded via redirects were effectively
+        bypassing the "no third party" policy for cookies.
+
+        * NetworkProcess/soup/NetworkDataTaskSoup.cpp:
+        (WebKit::NetworkDataTaskSoup::continueHTTPRedirection):
+
 2017-03-19  Wenson Hsieh  <[email protected]>
 
         Teach TextIndicator to estimate the background color of the given Range

Modified: trunk/Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp (214245 => 214246)


--- trunk/Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp	2017-03-22 10:07:14 UTC (rev 214245)
+++ trunk/Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp	2017-03-22 10:09:23 UTC (rev 214246)
@@ -638,7 +638,6 @@
 
     ResourceRequest request = m_firstRequest;
     request.setURL(URL(m_response.url(), m_response.httpHeaderField(HTTPHeaderName::Location)));
-    request.setFirstPartyForCookies(request.url());
 
     // Should not set Referer after a redirect from a secure resource to non-secure one.
     if (m_shouldClearReferrerOnHTTPSToHTTPRedirect && !request.url().protocolIs("https") && protocolIs(request.httpReferrer(), "https"))
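Review bot: After removing request.setFirstPartyForCookies(request.url()), the redirected request takes its first party solely from the copy of m_firstRequest two lines above, so correctness for a redirected main resource now depends entirely on DocumentLoader::willSendRequest updating it, as the log message states. The added layout test exercises only the iframe case; consider adding a test where the top-level navigation itself is redirected to another host, so a stale first party on the main resource would be caught. A brief comment here noting that the first party is inherited from m_firstRequest on purpose would also help.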