Title: [214778] releases/WebKitGTK/webkit-2.16
- Revision
- 214778
- Author
- carlo...@webkit.org
- Date
- 2017-04-03 05:39:18 -0700 (Mon, 03 Apr 2017)
Log Message
Merge r214246 - [Soup] "Only from websites I visit" cookie policy is broken
https://bugs.webkit.org/show_bug.cgi?id=168912
Reviewed by Carlos Garcia Campos.
Source/WebCore:
Do not reset the first party for cookies on redirects. That's properly done for the main
resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
wrong (which is what we were doing since r143931).
The most notable effect was that subresources loaded via redirects were effectively
bypassing the "no third party" policy for cookies.
Test: http/tests/security/cookies/third-party-cookie-blocking-redirect.html
* platform/network/soup/ResourceHandleSoup.cpp:
(WebCore::doRedirect):
Source/WebKit2:
Do not reset the first party for cookies on redirects. That's properly done for the main
resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
wrong (which is what we were doing since r143931).
The most notable effect was that subresources loaded via redirects were effectively
bypassing the "no third party" policy for cookies.
* NetworkProcess/soup/NetworkDataTaskSoup.cpp:
(WebKit::NetworkDataTaskSoup::continueHTTPRedirection):
LayoutTests:
* http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt: Added.
* http/tests/security/cookies/third-party-cookie-blocking-redirect.html: Added.
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog (214777 => 214778)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-04-03 12:36:54 UTC (rev 214777)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog 2017-04-03 12:39:18 UTC (rev 214778)
@@ -1,3 +1,13 @@
+2017-03-21 Sergio Villar Senin <svil...@igalia.com>
+
+ [Soup] "Only from websites I visit" cookie policy is broken
+ https://bugs.webkit.org/show_bug.cgi?id=168912
+
+ Reviewed by Carlos Garcia Campos.
+
+ * http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt: Added.
+ * http/tests/security/cookies/third-party-cookie-blocking-redirect.html: Added.
+
2017-03-21 Brady Eidson <beid...@apple.com>
Disable all virtual tables.
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt (0 => 214778)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt 2017-04-03 12:39:18 UTC (rev 214778)
@@ -0,0 +1,9 @@
+Checks that subresources that got redirected do not circumvent third-party cookie rules.
+This test PASS if you can see the text "FAILED: Cookie not set".
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+FAILED: Cookie not set
Added: releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect.html (0 => 214778)
--- releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect.html (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect.html 2017-04-03 12:39:18 UTC (rev 214778)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<script>
+function test() {
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+
+ if (testRunner.setPrivateBrowsingEnabled)
+ testRunner.setPrivateBrowsingEnabled(true);
+
+ testRunner.setAlwaysAcceptCookies(false);
+}
+</script>
+
+<p>Checks that subresources that got redirected do not circumvent third-party cookie rules.<br>This test PASS if you can see the text "FAILED: Cookie not set".</p>
+<iframe _onload_="test" src=""
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog (214777 => 214778)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-04-03 12:36:54 UTC (rev 214777)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog 2017-04-03 12:39:18 UTC (rev 214778)
@@ -1,3 +1,22 @@
+2017-03-21 Sergio Villar Senin <svil...@igalia.com>
+
+ [Soup] "Only from websites I visit" cookie policy is broken
+ https://bugs.webkit.org/show_bug.cgi?id=168912
+
+ Reviewed by Carlos Garcia Campos.
+
+ Do not reset the first party for cookies on redirects. That's properly done for the main
+ resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
+ wrong (which is what we were doing since r143931).
+
+ The most notable effect was that subresources loaded via redirects were effectively
+ bypassing the "no third party" policy for cookies.
+
+ Test: http/tests/security/cookies/third-party-cookie-blocking-redirect.html
+
+ * platform/network/soup/ResourceHandleSoup.cpp:
+ (WebCore::doRedirect):
+
2017-03-21 Brady Eidson <beid...@apple.com>
Disable all virtual tables.
Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp (214777 => 214778)
--- releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp 2017-04-03 12:36:54 UTC (rev 214777)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp 2017-04-03 12:39:18 UTC (rev 214778)
@@ -325,7 +325,6 @@
URL newURL = URL(URL(soup_message_get_uri(message)), location);
bool crossOrigin = !protocolHostAndPortAreEqual(handle->firstRequest().url(), newURL);
newRequest.setURL(newURL);
- newRequest.setFirstPartyForCookies(newURL);
if (newRequest.httpMethod() != "GET") {
// Change newRequest method to GET if change was made during a previous redirection
Modified: releases/WebKitGTK/webkit-2.16/Source/WebKit2/ChangeLog (214777 => 214778)
--- releases/WebKitGTK/webkit-2.16/Source/WebKit2/ChangeLog 2017-04-03 12:36:54 UTC (rev 214777)
+++ releases/WebKitGTK/webkit-2.16/Source/WebKit2/ChangeLog 2017-04-03 12:39:18 UTC (rev 214778)
@@ -1,3 +1,20 @@
+2017-03-21 Sergio Villar Senin <svil...@igalia.com>
+
+ [Soup] "Only from websites I visit" cookie policy is broken
+ https://bugs.webkit.org/show_bug.cgi?id=168912
+
+ Reviewed by Carlos Garcia Campos.
+
+ Do not reset the first party for cookies on redirects. That's properly done for the main
+ resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
+ wrong (which is what we were doing since r143931).
+
+ The most notable effect was that subresources loaded via redirects were effectively
+ bypassing the "no third party" policy for cookies.
+
+ * NetworkProcess/soup/NetworkDataTaskSoup.cpp:
+ (WebKit::NetworkDataTaskSoup::continueHTTPRedirection):
+
2017-03-15 Tim Horton <timothy_hor...@apple.com>
Null deref under callAfterNextPresentationUpdate
Modified: releases/WebKitGTK/webkit-2.16/Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp (214777 => 214778)
--- releases/WebKitGTK/webkit-2.16/Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp 2017-04-03 12:36:54 UTC (rev 214777)
+++ releases/WebKitGTK/webkit-2.16/Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp 2017-04-03 12:39:18 UTC (rev 214778)
@@ -615,7 +615,6 @@
ResourceRequest request = m_firstRequest;
request.setURL(URL(m_response.url(), m_response.httpHeaderField(HTTPHeaderName::Location)));
- request.setFirstPartyForCookies(request.url());
// Should not set Referer after a redirect from a secure resource to non-secure one.
if (m_shouldClearReferrerOnHTTPSToHTTPRedirect && !request.url().protocolIs("https") && protocolIs(request.httpReferrer(), "https"))
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes