Diff
Modified: trunk/LayoutTests/ChangeLog (221274 => 221275)
--- trunk/LayoutTests/ChangeLog 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/LayoutTests/ChangeLog 2017-08-28 22:08:34 UTC (rev 221275)
@@ -1,3 +1,16 @@
+2017-08-28 Brent Fulgham <[email protected]>
+
+ Disable access to secure cookies if an HTTPS site loads mixed content (Part 2: Header Requests)
+ https://bugs.webkit.org/show_bug.cgi?id=175992
+ <rdar://problem/34086613>
+
+ Reviewed by Daniel Bates.
+
+ * http/tests/websocket/tests/hybi/secure-cookie-insecure-connection-expected.txt: Added.
+ * http/tests/websocket/tests/hybi/secure-cookie-insecure-connection.pl: Added.
+ * http/tests/websocket/tests/hybi/secure-cookie-secure-connection-expected.txt: Added.
+ * http/tests/websocket/tests/hybi/secure-cookie-secure-connection.pl: Added.
+
2017-08-28 Ryan Haddad <[email protected]>
Unreviewed, remove duplicated TestExpectation entry.
Added: trunk/LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-insecure-connection-expected.txt (0 => 221275)
--- trunk/LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-insecure-connection-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-insecure-connection-expected.txt 2017-08-28 22:08:34 UTC (rev 221275)
@@ -0,0 +1,11 @@
+Test WebSocket does not send Secure cookies over an insecure connection.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+WebSocket open
+WebSocket closed
+PASS cookie is "WK-websocket-test=1"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-insecure-connection.pl (0 => 221275)
--- trunk/LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-insecure-connection.pl (rev 0)
+++ trunk/LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-insecure-connection.pl 2017-08-28 22:08:34 UTC (rev 221275)
@@ -0,0 +1,65 @@
+#!/usr/bin/perl -wT
+use strict;
+
+if ($ENV{"QUERY_STRING"} eq "clear=1") {
+ print "Content-Type: text/plain\r\n";
+ print "Set-Cookie: WK-websocket-test=0; Max-Age=-1\r\n";
+ print "Set-Cookie: WK-websocket-test-secure=0; Secure; Max-Age=-1\r\n";
+ print "\r\n";
+ print "Cookies are cleared.";
+ exit;
+}
+
+print "Content-Type: text/html\r\n";
+print "Set-Cookie: WK-websocket-test=1\r\n";
+print "Set-Cookie: WK-websocket-test-secure=1; Secure\r\n";
+print "\r\n";
+print <<HTML
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<p>Test WebSocket does not send Secure cookies over an insecure connection.</p>
+<p>On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".</p>
+<div id="console"></div>
+<script>
+window.jsTestIsAsync = true;
+
+var cookie;
+
+// Normalize a cookie string
+function normalizeCookie(cookie)
+{
+ // Split the cookie string, sort it and then put it back together.
+ return cookie.split('; ').sort().join('; ');
+}
+
+function clearCookies()
+{
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "secure-cookie-insecure-connection.pl?clear=1", false);
+ xhr.send(null);
+}
+
+var ws = new WebSocket("ws://127.0.0.1:8880/websocket/tests/hybi/echo-cookie");
+ws._onopen_ = function() {
+ debug("WebSocket open");
+};
+ws._onmessage_ = function(evt) {
+ cookie = evt.data;
+ ws.close();
+};
+ws._onclose_ = function() {
+ debug("WebSocket closed");
+ cookie = normalizeCookie(cookie);
+ shouldBe("cookie", '"WK-websocket-test=1"');
+ clearCookies();
+ finishJSTest();
+};
+
+</script>
+<script src=""
+</body>
+</html>
+HTML
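Review bot: The single assertion `shouldBe("cookie", '"WK-websocket-test=1"')` can pass without exercising the new filtering, because the test never checks that `WK-websocket-test-secure` was actually stored before the socket is opened. The socket URL is `ws://`, so a Secure cookie would be withheld on scheme grounds alone; the `!document.foundMixedContent()` condition added in CookieJar.cpp is not reached by this test. A short comment above the `shouldBe` line saying that it covers only the insecure-scheme case, and that the mixed-content case on an HTTPS page is untested, would keep readers from assuming more coverage than there is.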
Property changes on: trunk/LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-insecure-connection.pl
___________________________________________________________________
Added: svn:executable
+*
\ No newline at end of property
Added: trunk/LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-secure-connection-expected.txt (0 => 221275)
--- trunk/LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-secure-connection-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-secure-connection-expected.txt 2017-08-28 22:08:34 UTC (rev 221275)
@@ -0,0 +1,15 @@
+Test WebSocket sends Secure cookies over secure connections.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+Note: mod_pywebsocket does not send secure cookies ('see FIXMEs in mod_pywebsocket code'), so this test is expected to FAIL to return WK-websocket-test-secure=1 until that bug is fixed.
+
+See pywebsocket Bug 150 for details.
+
+WebSocket open
+WebSocket closed
+FAIL cookie should be WK-websocket-test-secure=1; WK-websocket-test=1. Was WK-websocket-test=1.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-secure-connection.pl (0 => 221275)
--- trunk/LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-secure-connection.pl (rev 0)
+++ trunk/LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-secure-connection.pl 2017-08-28 22:08:34 UTC (rev 221275)
@@ -0,0 +1,70 @@
+#!/usr/bin/perl -wT
+use strict;
+
+if ($ENV{"QUERY_STRING"} eq "clear=1") {
+ print "Content-Type: text/plain\r\n";
+ print "Set-Cookie: WK-websocket-test=0; Max-Age=-1\r\n";
+ print "Set-Cookie: WK-websocket-test-secure=0; Secure; HttpOnly; Max-Age=-1\r\n";
+ print "\r\n";
+ print "Cookies are cleared.";
+ exit;
+}
+
+print "Content-Type: text/html\r\n";
+print "Set-Cookie: WK-websocket-test=1\r\n";
+print "Set-Cookie: WK-websocket-test-secure=1; Secure; HttpOnly\r\n";
+print "\r\n";
+print <<HTML
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<p>Test WebSocket sends Secure cookies over secure connections.</p>
+<p>On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".</p>
+<p>Note: mod_pywebsocket does not send secure cookies ('see FIXMEs in mod_pywebsocket code'), so this test is expected to FAIL to return WK-websocket-test-secure=1 until that bug is fixed.</p>
+<p>See <a href="" Bug 150</a> for details.</p>
+<div id="console"></div>
+<script>
+window.jsTestIsAsync = true;
+
+if (window.testRunner)
+ testRunner.setAllowsAnySSLCertificate(true);
+
+var cookie;
+
+// Normalize a cookie string
+function normalizeCookie(cookie)
+{
+ // Split the cookie string, sort it and then put it back together.
+ return cookie.split('; ').sort().join('; ');
+}
+
+function clearCookies()
+{
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "secure-cookie-secure-connection.pl?clear=1", false);
+ xhr.send(null);
+}
+
+var ws = new WebSocket("wss://127.0.0.1:9323/websocket/tests/hybi/echo-cookie");
+ws._onopen_ = function() {
+ debug("WebSocket open");
+};
+ws._onmessage_ = function(evt) {
+ cookie = evt.data;
+ ws.close();
+};
+ws._onclose_ = function() {
+ debug("WebSocket closed");
+ cookie = normalizeCookie(cookie);
+ shouldBe("cookie", '"WK-websocket-test-secure=1; WK-websocket-test=1"');
+ clearCookies();
+ finishJSTest();
+};
+
+</script>
+<script src=""
+</body>
+</html>
+HTML
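Review bot: The baseline checked in for this test records a FAIL line, so the test cannot tell "mod_pywebsocket did not echo the Secure cookie" apart from "WebKit did not send it". A regression that strips Secure cookies from `wss://` handshakes would still match the expected output. The limitation is explained only in the rendered page text; a comment next to the `shouldBe` call would put it where a maintainer rebaselining the test will see it, for example `// FIXME: Expected to FAIL until mod_pywebsocket echoes Secure cookies (pywebsocket Bug 150); rebaseline once fixed.`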
Property changes on: trunk/LayoutTests/http/tests/websocket/tests/hybi/secure-cookie-secure-connection.pl
___________________________________________________________________
Added: svn:executable
+*
\ No newline at end of property
Modified: trunk/Source/WebCore/ChangeLog (221274 => 221275)
--- trunk/Source/WebCore/ChangeLog 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebCore/ChangeLog 2017-08-28 22:08:34 UTC (rev 221275)
@@ -1,3 +1,58 @@
+2017-08-28 Brent Fulgham <[email protected]>
+
+ Disable access to secure cookies if an HTTPS site loads mixed content (Part 2: Header Requests)
+ https://bugs.webkit.org/show_bug.cgi?id=175992
+ <rdar://problem/34086613>
+
+ Reviewed by Daniel Bates.
+
+ The original work in Bug 157053 did not properly handle the case of websockets. This patch completes
+ the changes to secure cookie handling to make sure websockets are also protected.
+
+ Tests: http/tests/websocket/tests/hybi/secure-cookie-insecure-connection.pl
+ http/tests/websocket/tests/hybi/secure-cookie-secure-connection.pl
+
+ * Modules/websockets/WebSocketChannel.cpp:
+ (WebCore::WebSocketChannel::clientHandshakeRequest): Remove 'const' declaration so we can work with
+ a mutable Document object. This allows us to mark the Document as having accessed secure cookies.
+ (WebCore::WebSocketChannel::clientHandshakeRequest const): Deleted.
+ * Modules/websockets/WebSocketChannel.h:
+ * Modules/websockets/WebSocketHandshake.cpp:
+ (WebCore::WebSocketHandshake::clientHandshakeMessage): Ditto.
+ (WebCore::WebSocketHandshake::clientHandshakeRequest): Ditto.
+ (WebCore::WebSocketHandshake::clientHandshakeMessage const): Deleted.
+ (WebCore::WebSocketHandshake::clientHandshakeRequest const): Deleted.
+ * Modules/websockets/WebSocketHandshake.h:
+ * loader/CookieJar.cpp:
+ (WebCore::cookies): Small naming cleanup.
+ (WebCore::cookieRequestHeaderFieldValue): Pass a flag indicating whether secure cookies should be
+ included in the result or not. Set the document flag indicating secure cookies were accessed (if
+ they were), and return the resulting cookie string.
+ * loader/CookieJar.h:
+ * platform/CookiesStrategy.h:
+ * platform/network/CacheValidation.cpp:
+ (WebCore::headerValueForVary): Revise to pass a flag indicating whether secure cookies should be included
+ or not.
+ * platform/network/PlatformCookieJar.h:
+ * platform/network/cf/CookieJarCFNet.cpp:
+ (WebCore::doesContainSecureCookies): Added helper method.
+ (WebCore::cookiesForDOM): Revise to use new helper function.
+ (WebCore::cookieRequestHeaderFieldValue): Revise to accept a flag indicating if secure cookies should
+ be included in the result. Return a pair consisting of the cookie string, and a flag indicating whether
+ secure cookies were accessed or not.
+ * platform/network/curl/CookieJarCurl.cpp:
+ (WebCore::CookieJarCurlFileSystem::cookieRequestHeaderFieldValue): Ditto.
+ (WebCore::cookieRequestHeaderFieldValue): Ditto.
+ * platform/network/curl/CookieJarCurl.h:
+ * platform/network/mac/CookieJarMac.mm:
+ (WebCore::cookiesForSession): Ditto.
+ (WebCore::cookiesForDOM): Update for new 'cookiesForSession' signature.
+ (WebCore::cookieRequestHeaderFieldValue): Ditto.
+ * platform/network/soup/CookieJarSoup.cpp:
+ (WebCore::cookieRequestHeaderFieldValue): Revise to accept a flag indicating if secure cookies should
+ be included in the result. Return a pair consisting of the cookie string, and a flag indicating whether
+ secure cookies were accessed or not.
+
2017-08-28 Carlos Alberto Lopez Perez <[email protected]>
[GTK] [WPE] Rename EventHandlerGlib to EventHandlerGLib
Modified: trunk/Source/WebCore/Modules/websockets/WebSocketChannel.cpp (221274 => 221275)
--- trunk/Source/WebCore/Modules/websockets/WebSocketChannel.cpp 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebCore/Modules/websockets/WebSocketChannel.cpp 2017-08-28 22:08:34 UTC (rev 221275)
@@ -828,7 +828,7 @@
m_handle->sendData(frameData.data(), frameData.size(), WTFMove(completionHandler));
}
-ResourceRequest WebSocketChannel::clientHandshakeRequest() const
+ResourceRequest WebSocketChannel::clientHandshakeRequest()
{
return m_handshake->clientHandshakeRequest();
}
Modified: trunk/Source/WebCore/Modules/websockets/WebSocketChannel.h (221274 => 221275)
--- trunk/Source/WebCore/Modules/websockets/WebSocketChannel.h 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebCore/Modules/websockets/WebSocketChannel.h 2017-08-28 22:08:34 UTC (rev 221275)
@@ -116,7 +116,7 @@
void didFail(int errorCode) override;
unsigned identifier() const { return m_identifier; }
- ResourceRequest clientHandshakeRequest() const;
+ ResourceRequest clientHandshakeRequest();
const ResourceResponse& serverHandshakeResponse() const;
WebSocketHandshake::Mode handshakeMode() const;
Modified: trunk/Source/WebCore/Modules/websockets/WebSocketHandshake.cpp (221274 => 221275)
--- trunk/Source/WebCore/Modules/websockets/WebSocketHandshake.cpp 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebCore/Modules/websockets/WebSocketHandshake.cpp 2017-08-28 22:08:34 UTC (rev 221275)
@@ -179,7 +179,7 @@
return builder.toString();
}
-CString WebSocketHandshake::clientHandshakeMessage() const
+CString WebSocketHandshake::clientHandshakeMessage()
{
// Keep the following consistent with clientHandshakeRequest().
StringBuilder builder;
@@ -233,7 +233,7 @@
return builder.toString().utf8();
}
-ResourceRequest WebSocketHandshake::clientHandshakeRequest() const
+ResourceRequest WebSocketHandshake::clientHandshakeRequest()
{
// Keep the following consistent with clientHandshakeMessage().
ResourceRequest request(m_url);
Modified: trunk/Source/WebCore/Modules/websockets/WebSocketHandshake.h (221274 => 221275)
--- trunk/Source/WebCore/Modules/websockets/WebSocketHandshake.h 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebCore/Modules/websockets/WebSocketHandshake.h 2017-08-28 22:08:34 UTC (rev 221275)
@@ -62,8 +62,8 @@
String clientOrigin() const;
String clientLocation() const;
- CString clientHandshakeMessage() const;
- ResourceRequest clientHandshakeRequest() const;
+ CString clientHandshakeMessage();
+ ResourceRequest clientHandshakeRequest();
void reset();
void clearDocument();
Modified: trunk/Source/WebCore/loader/CookieJar.cpp (221274 => 221275)
--- trunk/Source/WebCore/loader/CookieJar.cpp 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebCore/loader/CookieJar.cpp 2017-08-28 22:08:34 UTC (rev 221275)
@@ -58,8 +58,8 @@
{
TraceScope scope(FetchCookiesStart, FetchCookiesEnd);
- auto includeSecureCookiesOrNot = (url.protocolIs("https") && !document.foundMixedContent()) ? IncludeSecureCookies::Yes : IncludeSecureCookies::No;
- auto result = platformStrategies()->cookiesStrategy()->cookiesForDOM(storageSession(document), document.firstPartyForCookies(), url, includeSecureCookiesOrNot);
+ auto includeSecureCookies = (url.protocolIs("https") && !document.foundMixedContent()) ? IncludeSecureCookies::Yes : IncludeSecureCookies::No;
+ auto result = platformStrategies()->cookiesStrategy()->cookiesForDOM(storageSession(document), document.firstPartyForCookies(), url, includeSecureCookies);
if (result.second)
document.setSecureCookiesAccessed();
@@ -76,9 +76,14 @@
return platformStrategies()->cookiesStrategy()->cookiesEnabled(storageSession(document), document.firstPartyForCookies(), document.cookieURL());
}
-String cookieRequestHeaderFieldValue(const Document& document, const URL& url)
+String cookieRequestHeaderFieldValue(Document& document, const URL& url)
{
- return platformStrategies()->cookiesStrategy()->cookieRequestHeaderFieldValue(storageSession(document), document.firstPartyForCookies(), url);
+ auto includeSecureCookies = (url.protocolIs("https") && !document.foundMixedContent()) ? IncludeSecureCookies::Yes : IncludeSecureCookies::No;
+ auto result = platformStrategies()->cookiesStrategy()->cookieRequestHeaderFieldValue(storageSession(document), document.firstPartyForCookies(), url, includeSecureCookies);
+ if (result.second)
+ document.setSecureCookiesAccessed();
+
+ return result.first;
}
bool getRawCookies(const Document& document, const URL& url, Vector<Cookie>& cookies)
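Review bot: The secure-cookie decision in `cookieRequestHeaderFieldValue` tests `url.protocolIs("https")`, so a caller that passes a `wss:` URL unchanged would get `IncludeSecureCookies::No` even on a clean secure connection. The WebSocket call site is outside the visible hunks, so it is worth confirming that it passes the https-mapped URL. The same ternary now appears verbatim in `cookies()` in the hunk above. A file-local helper such as `static IncludeSecureCookies shouldIncludeSecureCookies(const Document&, const URL&)` would keep the two copies of the policy from drifting apart.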
Modified: trunk/Source/WebCore/loader/CookieJar.h (221274 => 221275)
--- trunk/Source/WebCore/loader/CookieJar.h 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebCore/loader/CookieJar.h 2017-08-28 22:08:34 UTC (rev 221275)
@@ -42,7 +42,7 @@
WEBCORE_EXPORT void setCookies(Document&, const URL&, const String& cookieString);
WEBCORE_EXPORT bool cookiesEnabled(const Document&);
-WEBCORE_EXPORT String cookieRequestHeaderFieldValue(const Document&, const URL&);
+WEBCORE_EXPORT String cookieRequestHeaderFieldValue(Document&, const URL&);
WEBCORE_EXPORT bool getRawCookies(const Document&, const URL&, Vector<Cookie>&);
WEBCORE_EXPORT void deleteCookie(const Document&, const URL&, const String& cookieName);
Modified: trunk/Source/WebCore/platform/CookiesStrategy.h (221274 => 221275)
--- trunk/Source/WebCore/platform/CookiesStrategy.h 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebCore/platform/CookiesStrategy.h 2017-08-28 22:08:34 UTC (rev 221275)
@@ -44,8 +44,8 @@
virtual std::pair<String, bool> cookiesForDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, IncludeSecureCookies) = 0;
virtual void setCookiesFromDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, const String& cookieString) = 0;
virtual bool cookiesEnabled(const NetworkStorageSession&, const URL& firstParty, const URL&) = 0;
- virtual String cookieRequestHeaderFieldValue(const NetworkStorageSession&, const URL& firstParty, const URL&) = 0;
- virtual String cookieRequestHeaderFieldValue(PAL::SessionID, const URL& firstParty, const URL&) = 0;
+ virtual std::pair<String, bool> cookieRequestHeaderFieldValue(const NetworkStorageSession&, const URL& firstParty, const URL&, IncludeSecureCookies) = 0;
+ virtual std::pair<String, bool> cookieRequestHeaderFieldValue(PAL::SessionID, const URL& firstParty, const URL&, IncludeSecureCookies) = 0;
virtual bool getRawCookies(const NetworkStorageSession&, const URL& firstParty, const URL&, Vector<Cookie>&) = 0;
virtual void deleteCookie(const NetworkStorageSession&, const URL&, const String& cookieName) = 0;
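Review bot: The new `std::pair<String, bool>` return type on both `cookieRequestHeaderFieldValue` overloads gives no hint at the interface what `.second` means. Callers such as CacheValidation.cpp simply take `.first`, and it is easy to drop the flag unintentionally. A comment above the declarations would help, for example `// Returns { Cookie header value, true if any Secure cookie was included }.` A small named struct would make the security-relevant flag harder to ignore than a bare bool.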
Modified: trunk/Source/WebCore/platform/network/CacheValidation.cpp (221274 => 221275)
--- trunk/Source/WebCore/platform/network/CacheValidation.cpp 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebCore/platform/network/CacheValidation.cpp 2017-08-28 22:08:34 UTC (rev 221275)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -346,12 +346,13 @@
// We could fetch the cookie when making the request but that seems overkill as the case is very rare and it
// is a blocking operation. This should be sufficient to cover reasonable cases.
if (headerName == httpHeaderNameString(HTTPHeaderName::Cookie)) {
+ auto includeSecureCookies = request.url().protocolIs("https") ? IncludeSecureCookies::Yes : IncludeSecureCookies::No;
auto* cookieStrategy = platformStrategies() ? platformStrategies()->cookiesStrategy() : nullptr;
if (!cookieStrategy) {
ASSERT(sessionID == PAL::SessionID::defaultSessionID());
- return cookieRequestHeaderFieldValue(NetworkStorageSession::defaultStorageSession(), request.firstPartyForCookies(), request.url());
+ return cookieRequestHeaderFieldValue(NetworkStorageSession::defaultStorageSession(), request.firstPartyForCookies(), request.url(), includeSecureCookies).first;
}
- return cookieStrategy->cookieRequestHeaderFieldValue(sessionID, request.firstPartyForCookies(), request.url());
+ return cookieStrategy->cookieRequestHeaderFieldValue(sessionID, request.firstPartyForCookies(), request.url(), includeSecureCookies).first;
}
return request.httpHeaderField(headerName);
}
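Review bot: `includeSecureCookies` is derived here from the request scheme alone, whereas the document path in CookieJar.cpp also requires `!document.foundMixedContent()`. For a document that has loaded mixed content, the Cookie value computed for Vary comparison can therefore include Secure cookies that the actual request omitted, which would presumably show up as a Vary mismatch rather than a leak. No Document is reachable in this function, so at least record the gap next to the new line: `// No Document here, so mixed-content state is ignored; the value may differ from the header actually sent.` The enclosing function starts outside the hunk.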
Modified: trunk/Source/WebCore/platform/network/PlatformCookieJar.h (221274 => 221275)
--- trunk/Source/WebCore/platform/network/PlatformCookieJar.h 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebCore/platform/network/PlatformCookieJar.h 2017-08-28 22:08:34 UTC (rev 221275)
@@ -45,7 +45,7 @@
WEBCORE_EXPORT std::pair<String, bool> cookiesForDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, IncludeSecureCookies);
WEBCORE_EXPORT void setCookiesFromDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, const String&);
WEBCORE_EXPORT bool cookiesEnabled(const NetworkStorageSession&, const URL& firstParty, const URL&);
-WEBCORE_EXPORT String cookieRequestHeaderFieldValue(const NetworkStorageSession&, const URL& firstParty, const URL&);
+WEBCORE_EXPORT std::pair<String, bool> cookieRequestHeaderFieldValue(const NetworkStorageSession&, const URL& firstParty, const URL&, IncludeSecureCookies);
WEBCORE_EXPORT bool getRawCookies(const NetworkStorageSession&, const URL& firstParty, const URL&, Vector<Cookie>&);
WEBCORE_EXPORT void deleteCookie(const NetworkStorageSession&, const URL&, const String&);
WEBCORE_EXPORT void getHostnamesWithCookies(const NetworkStorageSession&, HashSet<String>& hostnames);
Modified: trunk/Source/WebCore/platform/network/cf/CookieJarCFNet.cpp (221274 => 221275)
--- trunk/Source/WebCore/platform/network/cf/CookieJarCFNet.cpp 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebCore/platform/network/cf/CookieJarCFNet.cpp 2017-08-28 22:08:34 UTC (rev 221275)
@@ -168,6 +168,17 @@
CFHTTPCookieStorageSetCookies(session.cookieStorage().get(), filterCookies(unfilteredCookies.get()).get(), urlCF.get(), firstPartyForCookiesCF.get());
}
+static bool containsSecureCookies(CFArrayRef cookies)
+{
+ CFIndex cookieCount = CFArrayGetCount(cookies);
+ while (cookieCount--) {
+ if (CFHTTPCookieIsSecure(checked_cf_cast<CFHTTPCookieRef>(CFArrayGetValueAtIndex(cookies, cookieCount))))
+ return true;
+ }
+
+ return false;
+}
+
std::pair<String, bool> cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies)
{
RetainPtr<CFArrayRef> cookiesCF = copyCookiesForURLWithFirstPartyURL(session, firstParty, url, includeSecureCookies);
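Review bot: `containsSecureCookies` calls `CFArrayGetCount(cookies)` with no null check, and in the next hunk `cookieRequestHeaderFieldValue` passes it the raw result of `copyCookiesForURLWithFirstPartyURL` rather than the output of `filterCookies`. Whether that copy can return a null array is not visible here. If it can, the helper needs `if (!cookies) return false;`; otherwise an `ASSERT(cookies);` would document the precondition. The WebCore ChangeLog entry also names this helper `doesContainSecureCookies`, which does not match the code.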
@@ -174,28 +185,22 @@
auto filteredCookies = filterCookies(cookiesCF.get());
- bool didAccessSecureCookies = false;
+ bool didAccessSecureCookies = containsSecureCookies(filteredCookies.get());
- CFIndex cookieCount = CFArrayGetCount(filteredCookies.get());
- while (cookieCount--) {
- if (CFHTTPCookieIsSecure(checked_cf_cast<CFHTTPCookieRef>(CFArrayGetValueAtIndex(filteredCookies.get(), cookieCount)))) {
- didAccessSecureCookies = true;
- break;
- }
- }
-
RetainPtr<CFDictionaryRef> headerCF = adoptCF(CFHTTPCookieCopyRequestHeaderFields(kCFAllocatorDefault, filteredCookies.get()));
String cookieString = checked_cf_cast<CFStringRef>(CFDictionaryGetValue(headerCF.get(), s_cookieCF));
return { cookieString, didAccessSecureCookies };
}
-String cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url)
+std::pair<String, bool> cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies)
{
- auto includeSecureCookies = url.protocolIs("https") ? IncludeSecureCookies::Yes : IncludeSecureCookies::No;
+ RetainPtr<CFArrayRef> cookiesCF = copyCookiesForURLWithFirstPartyURL(session, firstParty, url, includeSecureCookies);
- RetainPtr<CFArrayRef> cookiesCF = copyCookiesForURLWithFirstPartyURL(session, firstParty, url, includeSecureCookies);
+ bool didAccessSecureCookies = containsSecureCookies(cookiesCF.get());
+
RetainPtr<CFDictionaryRef> headerCF = adoptCF(CFHTTPCookieCopyRequestHeaderFields(kCFAllocatorDefault, cookiesCF.get()));
- return checked_cf_cast<CFStringRef>(CFDictionaryGetValue(headerCF.get(), s_cookieCF));
+ String cookieString = checked_cf_cast<CFStringRef>(CFDictionaryGetValue(headerCF.get(), s_cookieCF));
+ return { cookieString, didAccessSecureCookies };
}
bool cookiesEnabled(const NetworkStorageSession& session, const URL& /*firstParty*/, const URL& /*url*/)
Modified: trunk/Source/WebCore/platform/network/curl/CookieJarCurl.cpp (221274 => 221275)
--- trunk/Source/WebCore/platform/network/curl/CookieJarCurl.cpp 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebCore/platform/network/curl/CookieJarCurl.cpp 2017-08-28 22:08:34 UTC (rev 221275)
@@ -293,9 +293,10 @@
return { cookiesForSession(session, firstParty, url, false), false };
}
-String CookieJarCurlFileSystem::cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url)
+std::pair<String, bool> CookieJarCurlFileSystem::cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies)
{
- return cookiesForSession(session, firstParty, url, true);
+ // FIXME: This should filter secure cookies out if the caller requests it.
+ return { cookiesForSession(session, firstParty, url, true), false };
}
bool CookieJarCurlFileSystem::cookiesEnabled(const NetworkStorageSession&, const URL& firstParty, const URL&)
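Review bot: On this port the `IncludeSecureCookies` argument is unnamed and ignored, and the second element of the pair is hard-coded to `false`. The header can therefore still carry Secure cookies when the caller asked for `No`, and `Document::setSecureCookiesAccessed()` is never triggered through this path. The FIXME mentions only the missing filter, so it should cover both halves: `// FIXME: This should filter secure cookies out if the caller requests it, and report whether any were included.`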
@@ -347,9 +348,9 @@
CurlContext::singleton().cookieJar().setCookiesFromDOM(session, firstParty, url, value);
}
-String cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url)
+std::pair<String, bool> cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies)
{
- return CurlContext::singleton().cookieJar().cookieRequestHeaderFieldValue(session, firstParty, url);
+ return CurlContext::singleton().cookieJar().cookieRequestHeaderFieldValue(session, firstParty, url, includeSecureCookies);
}
bool cookiesEnabled(const NetworkStorageSession& session, const URL& firstParty, const URL& url)
Modified: trunk/Source/WebCore/platform/network/curl/CookieJarCurl.h (221274 => 221275)
--- trunk/Source/WebCore/platform/network/curl/CookieJarCurl.h 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebCore/platform/network/curl/CookieJarCurl.h 2017-08-28 22:08:34 UTC (rev 221275)
@@ -31,7 +31,7 @@
virtual std::pair<String, bool> cookiesForDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, IncludeSecureCookies) = 0;
virtual void setCookiesFromDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, const String&) = 0;
virtual bool cookiesEnabled(const NetworkStorageSession&, const URL& firstParty, const URL&) = 0;
- virtual String cookieRequestHeaderFieldValue(const NetworkStorageSession&, const URL& firstParty, const URL&) = 0;
+ virtual std::pair<String, bool> cookieRequestHeaderFieldValue(const NetworkStorageSession&, const URL& firstParty, const URL&, IncludeSecureCookies) = 0;
virtual bool getRawCookies(const NetworkStorageSession&, const URL& firstParty, const URL&, Vector<Cookie>&) = 0;
virtual void deleteCookie(const NetworkStorageSession&, const URL&, const String&) = 0;
virtual void getHostnamesWithCookies(const NetworkStorageSession&, HashSet<String>& hostnames) = 0;
@@ -44,7 +44,7 @@
std::pair<String, bool> cookiesForDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, IncludeSecureCookies) override;
void setCookiesFromDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, const String&) override;
bool cookiesEnabled(const NetworkStorageSession&, const URL& firstParty, const URL&) override;
- String cookieRequestHeaderFieldValue(const NetworkStorageSession&, const URL& firstParty, const URL&) override;
+ std::pair<String, bool> cookieRequestHeaderFieldValue(const NetworkStorageSession&, const URL& firstParty, const URL&, IncludeSecureCookies) override;
bool getRawCookies(const NetworkStorageSession&, const URL& firstParty, const URL&, Vector<Cookie>&) override;
void deleteCookie(const NetworkStorageSession&, const URL&, const String&) override;
void getHostnamesWithCookies(const NetworkStorageSession&, HashSet<String>& hostnames) override;
Modified: trunk/Source/WebCore/platform/network/mac/CookieJarMac.mm (221274 => 221275)
--- trunk/Source/WebCore/platform/network/mac/CookieJarMac.mm 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebCore/platform/network/mac/CookieJarMac.mm 2017-08-28 22:08:34 UTC (rev 221275)
@@ -133,15 +133,16 @@
}
enum IncludeHTTPOnlyOrNot { DoNotIncludeHTTPOnly, IncludeHTTPOnly };
-static String cookiesForSession(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeHTTPOnlyOrNot includeHTTPOnly, IncludeSecureCookies includeSecureCookies, bool& didAccessSecureCookies)
+static std::pair<String, bool> cookiesForSession(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeHTTPOnlyOrNot includeHTTPOnly, IncludeSecureCookies includeSecureCookies)
{
BEGIN_BLOCK_OBJC_EXCEPTIONS;
NSArray *cookies = cookiesForURL(session, firstParty, url);
if (![cookies count])
- return String(); // Return a null string, not an empty one that StringBuilder would create below.
+ return { String(), false }; // Return a null string, not an empty one that StringBuilder would create below.
StringBuilder cookiesBuilder;
+ bool didAccessSecureCookies = false;
for (NSHTTPCookie *cookie in cookies) {
if (![[cookie name] length])
continue;
@@ -162,24 +163,20 @@
cookiesBuilder.append('=');
cookiesBuilder.append([cookie value]);
}
- return cookiesBuilder.toString();
+ return { cookiesBuilder.toString(), didAccessSecureCookies };
END_BLOCK_OBJC_EXCEPTIONS;
- return String();
+ return { String(), false };
}
std::pair<String, bool> cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies)
{
- bool didAccessSecureCookies = false;
- auto cookieString = cookiesForSession(session, firstParty, url, DoNotIncludeHTTPOnly, includeSecureCookies, didAccessSecureCookies);
- return { cookieString, didAccessSecureCookies };
+ return cookiesForSession(session, firstParty, url, DoNotIncludeHTTPOnly, includeSecureCookies);
}
-String cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url)
+std::pair<String, bool> cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies)
{
- bool ignore = false;
- auto includeSecureCookies = url.protocolIs("https") ? IncludeSecureCookies::Yes : IncludeSecureCookies::No;
- return cookiesForSession(session, firstParty, url, IncludeHTTPOnly, includeSecureCookies, ignore);
+ return cookiesForSession(session, firstParty, url, IncludeHTTPOnly, includeSecureCookies);
}
void setCookiesFromDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url, const String& cookieStr)
Modified: trunk/Source/WebCore/platform/network/soup/CookieJarSoup.cpp (221274 => 221275)
--- trunk/Source/WebCore/platform/network/soup/CookieJarSoup.cpp 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebCore/platform/network/soup/CookieJarSoup.cpp 2017-08-28 22:08:34 UTC (rev 221275)
@@ -118,10 +118,10 @@
return cookiesForSession(session, url, false, includeSecureCookies);
}
-String cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& /*firstParty*/, const URL& url)
+std::pair<String, bool> cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& /*firstParty*/, const URL& url, IncludeSecureCookies includeSecureCookies)
{
// Secure cookies will still only be included if url's protocol is https.
- return cookiesForSession(session, url, true, IncludeSecureCookies::Yes).first;
+ return cookiesForSession(session, url, true, includeSecureCookies);
}
bool cookiesEnabled(const NetworkStorageSession& session, const URL& /*firstParty*/, const URL& /*url*/)
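Review bot: The retained comment "Secure cookies will still only be included if url's protocol is https." justified the old hard-coded `IncludeSecureCookies::Yes` and is now misleading. The flag comes from the caller and can be `No` for an https URL when the document has loaded mixed content. Suggested wording: `// Secure cookies are included only when the caller requests them; the caller decides based on scheme and mixed-content state.` Whether `cookiesForSession` applies its own scheme check is not visible in this hunk.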
Modified: trunk/Source/WebKit/ChangeLog (221274 => 221275)
--- trunk/Source/WebKit/ChangeLog 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebKit/ChangeLog 2017-08-28 22:08:34 UTC (rev 221275)
@@ -1,3 +1,24 @@
+2017-08-28 Brent Fulgham <[email protected]>
+
+ Disable access to secure cookies if an HTTPS site loads mixed content (Part 2: Header Requests)
+ https://bugs.webkit.org/show_bug.cgi?id=175992
+ <rdar://problem/34086613>
+
+ Reviewed by Daniel Bates.
+
+ * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+ (WebKit::NetworkConnectionToWebProcess::cookiesForDOM): Use a better label than 'result'.
+ (WebKit::NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue): Modify to accept a flag
+ indicating if secure cookies should be included, and return a pair containing the resulting
+ cookie string and a boolean indicating if secure cookies were accessed.
+ * NetworkProcess/NetworkConnectionToWebProcess.h:
+ * NetworkProcess/NetworkConnectionToWebProcess.messages.in: Ditto.
+ * Shared/mac/CookieStorageShim.mm:
+ (WebKit::webKitCookieStorageCopyRequestHeaderFieldsForURL): Ditto.
+ * WebProcess/WebCoreSupport/WebPlatformStrategies.cpp:
+ (WebKit::WebPlatformStrategies::cookieRequestHeaderFieldValue): Ditto.
+ * WebProcess/WebCoreSupport/WebPlatformStrategies.h:
+
2017-08-28 Alex Christensen <[email protected]>
Add WKUIDelegatePrivate equivalent of WKPageUIClient's didExceedBackgroundResourceLimitWhileInForeground
Modified: trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp (221274 => 221275)
--- trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp 2017-08-28 22:08:34 UTC (rev 221275)
@@ -323,9 +323,9 @@
loader->convertToDownload(downloadID, request, response);
}
-void NetworkConnectionToWebProcess::cookiesForDOM(PAL::SessionID sessionID, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies, String& result, bool& secureCookiesAccessed)
+void NetworkConnectionToWebProcess::cookiesForDOM(PAL::SessionID sessionID, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies, String& cookieString, bool& secureCookiesAccessed)
{
- std::tie(result, secureCookiesAccessed) = WebCore::cookiesForDOM(storageSession(sessionID), firstParty, url, includeSecureCookies);
+ std::tie(cookieString, secureCookiesAccessed) = WebCore::cookiesForDOM(storageSession(sessionID), firstParty, url, includeSecureCookies);
}
void NetworkConnectionToWebProcess::setCookiesFromDOM(PAL::SessionID sessionID, const URL& firstParty, const URL& url, const String& cookieString)
@@ -338,9 +338,9 @@
result = WebCore::cookiesEnabled(storageSession(sessionID), firstParty, url);
}
-void NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue(PAL::SessionID sessionID, const URL& firstParty, const URL& url, String& result)
+void NetworkConnectionToWebProcess::cookieRequestHeaderFieldValue(PAL::SessionID sessionID, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies, String& cookieString, bool& secureCookiesAccessed)
{
- result = WebCore::cookieRequestHeaderFieldValue(storageSession(sessionID), firstParty, url);
+ std::tie(cookieString, secureCookiesAccessed) = WebCore::cookieRequestHeaderFieldValue(storageSession(sessionID), firstParty, url, includeSecureCookies);
}
void NetworkConnectionToWebProcess::getRawCookies(PAL::SessionID sessionID, const URL& firstParty, const URL& url, Vector<Cookie>& result)
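Review bot: `includeSecureCookies` in the new `cookieRequestHeaderFieldValue` comes straight from the WebProcess over IPC and is forwarded unchanged to `WebCore::cookieRequestHeaderFieldValue`, so the less-trusted process decides whether Secure cookies are returned. Whether the WebCore layer re-checks the URL scheme is not visible in this hunk. If it does not, the NetworkProcess should downgrade the flag itself before the call, using the same test the cookie shim in this commit applies: `if (!url.protocolIs("https")) includeSecureCookies = IncludeSecureCookies::No;`. The matching message definition in `NetworkConnectionToWebProcess.messages.in` is where the flag crosses the process boundary, so a comment there stating that the receiver must not trust it would also help.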
Modified: trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h (221274 => 221275)
--- trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h 2017-08-28 22:08:34 UTC (rev 221275)
@@ -97,10 +97,10 @@
void startDownload(PAL::SessionID, DownloadID, const WebCore::ResourceRequest&, const String& suggestedName = { });
void convertMainResourceLoadToDownload(PAL::SessionID, uint64_t mainResourceLoadIdentifier, DownloadID, const WebCore::ResourceRequest&, const WebCore::ResourceResponse&);
- void cookiesForDOM(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, WebCore::IncludeSecureCookies, String& result, bool& secureCookiesAccessed);
+ void cookiesForDOM(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, WebCore::IncludeSecureCookies, String& cookieString, bool& secureCookiesAccessed);
void setCookiesFromDOM(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, const String&);
void cookiesEnabled(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, bool& result);
- void cookieRequestHeaderFieldValue(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, String& result);
+ void cookieRequestHeaderFieldValue(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, WebCore::IncludeSecureCookies, String& cookieString, bool& secureCookiesAccessed);
void getRawCookies(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, Vector<WebCore::Cookie>&);
void deleteCookie(PAL::SessionID, const WebCore::URL&, const String& cookieName);
Modified: trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in (221274 => 221275)
--- trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in 2017-08-28 22:08:34 UTC (rev 221275)
@@ -32,10 +32,10 @@
StartDownload(PAL::SessionID sessionID, WebKit::DownloadID downloadID, WebCore::ResourceRequest request, String suggestedName)
ConvertMainResourceLoadToDownload(PAL::SessionID sessionID, uint64_t mainResourceLoadIdentifier, WebKit::DownloadID downloadID, WebCore::ResourceRequest request, WebCore::ResourceResponse response)
- CookiesForDOM(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url, enum WebCore::IncludeSecureCookies includeSecureCookies) -> (String result, bool didAccessSecureCookies)
+ CookiesForDOM(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url, enum WebCore::IncludeSecureCookies includeSecureCookies) -> (String cookieString, bool didAccessSecureCookies)
SetCookiesFromDOM(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url, String cookieString)
CookiesEnabled(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url) -> (bool enabled)
- CookieRequestHeaderFieldValue(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url) -> (String result)
+ CookieRequestHeaderFieldValue(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url, enum WebCore::IncludeSecureCookies includeSecureCookies) -> (String cookieString, bool didAccessSecureCookies)
GetRawCookies(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url) -> (Vector<WebCore::Cookie> cookies)
DeleteCookie(PAL::SessionID sessionID, WebCore::URL url, String cookieName)
Modified: trunk/Source/WebKit/Shared/mac/CookieStorageShim.mm (221274 => 221275)
--- trunk/Source/WebKit/Shared/mac/CookieStorageShim.mm 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebKit/Shared/mac/CookieStorageShim.mm 2017-08-28 22:08:34 UTC (rev 221275)
@@ -31,6 +31,7 @@
#include "NetworkProcessConnection.h"
#include "WebCoreArgumentCoders.h"
#include "WebProcess.h"
+#include <WebCore/CookiesStrategy.h>
#include <WebCore/URL.h>
#include <dlfcn.h>
#include <pal/SessionID.h>
@@ -55,9 +56,12 @@
static CFDictionaryRef webKitCookieStorageCopyRequestHeaderFieldsForURL(CFHTTPCookieStorageRef inCookieStorage, CFURLRef inRequestURL)
{
+ IncludeSecureCookies includeSecureCookies = URL(inRequestURL).protocolIs("https") ? IncludeSecureCookies::Yes : IncludeSecureCookies::No;
+
String cookies;
+ bool secureCookiesAccessed = false;
URL firstPartyForCookiesURL;
- if (!WebProcess::singleton().networkConnection().connection().sendSync(Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue(PAL::SessionID::defaultSessionID(), firstPartyForCookiesURL, inRequestURL), Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue::Reply(cookies), 0))
+ if (!WebProcess::singleton().networkConnection().connection().sendSync(Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue(PAL::SessionID::defaultSessionID(), firstPartyForCookiesURL, inRequestURL, includeSecureCookies), Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue::Reply(cookies, secureCookiesAccessed), 0))
return 0;
if (cookies.isNull())
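Review bot: `secureCookiesAccessed` is filled in by the `sendSync` reply but is not read in any visible line, so on this shim path nothing records that Secure cookies were handed out. The function body continues past the hunk, so it may be consumed further down. If discarding it is intended, say so next to the declaration, for example `// The shim has no document to notify; secureCookiesAccessed is intentionally ignored.`. Note also that the include/exclude decision here rests only on `URL(inRequestURL).protocolIs("https")`, with an empty `firstPartyForCookiesURL`, so a comment explaining why the request scheme alone is sufficient on this path would help the next reader.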
Modified: trunk/Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp (221274 => 221275)
--- trunk/Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp 2017-08-28 22:08:34 UTC (rev 221275)
@@ -132,17 +132,18 @@
return result;
}
-String WebPlatformStrategies::cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url)
+std::pair<String, bool> WebPlatformStrategies::cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies)
{
- return cookieRequestHeaderFieldValue(session.sessionID(), firstParty, url);
+ return cookieRequestHeaderFieldValue(session.sessionID(), firstParty, url, includeSecureCookies);
}
-String WebPlatformStrategies::cookieRequestHeaderFieldValue(PAL::SessionID sessionID, const URL& firstParty, const URL& url)
+std::pair<String, bool> WebPlatformStrategies::cookieRequestHeaderFieldValue(PAL::SessionID sessionID, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies)
{
- String result;
- if (!WebProcess::singleton().networkConnection().connection().sendSync(Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue(sessionID, firstParty, url), Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue::Reply(result), 0))
- return String();
- return result;
+ String cookieString;
+ bool secureCookiesAccessed = false;
+ if (!WebProcess::singleton().networkConnection().connection().sendSync(Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue(sessionID, firstParty, url, includeSecureCookies), Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue::Reply(cookieString, secureCookiesAccessed), 0))
+ return { String(), false };
+ return { cookieString, secureCookiesAccessed };
}
bool WebPlatformStrategies::getRawCookies(const NetworkStorageSession& session, const URL& firstParty, const URL& url, Vector<Cookie>& rawCookies)
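Review bot: The last line of the `PAL::SessionID` overload, `return { cookieString, secureCookiesAccessed };`, copies the `String` into the pair; `return { WTFMove(cookieString), secureCookiesAccessed };` hands the local over without the extra reference-count traffic. The failure branch returns `{ String(), false }`, which a caller cannot tell apart from a successful reply carrying no cookies. That matches the old behaviour, but a short comment such as `// IPC failure: report no cookies and no Secure-cookie access.` would make the choice explicit.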
Modified: trunk/Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.h (221274 => 221275)
--- trunk/Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.h 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.h 2017-08-28 22:08:34 UTC (rev 221275)
@@ -50,8 +50,8 @@
std::pair<String, bool> cookiesForDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, WebCore::IncludeSecureCookies) override;
void setCookiesFromDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, const String&) override;
bool cookiesEnabled(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&) override;
- String cookieRequestHeaderFieldValue(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&) override;
- String cookieRequestHeaderFieldValue(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&) override;
+ std::pair<String, bool> cookieRequestHeaderFieldValue(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, WebCore::IncludeSecureCookies) override;
+ std::pair<String, bool> cookieRequestHeaderFieldValue(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, WebCore::IncludeSecureCookies) override;
bool getRawCookies(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, Vector<WebCore::Cookie>&) override;
void deleteCookie(const WebCore::NetworkStorageSession&, const WebCore::URL&, const String&) override;
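Review bot: The two `cookieRequestHeaderFieldValue` overrides now return `std::pair<String, bool>`, and nothing at the declaration says what the `bool` carries. A comment above them, such as `// Returns { Cookie header value, whether Secure cookies were accessed }.`, would spare readers a trip to the ChangeLog. The identical hunk in `WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.h` needs the same comment. The class declaration starts and ends outside this hunk.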
Modified: trunk/Source/WebKitLegacy/mac/ChangeLog (221274 => 221275)
--- trunk/Source/WebKitLegacy/mac/ChangeLog 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebKitLegacy/mac/ChangeLog 2017-08-28 22:08:34 UTC (rev 221275)
@@ -1,3 +1,17 @@
+2017-08-28 Brent Fulgham <[email protected]>
+
+ Disable access to secure cookies if an HTTPS site loads mixed content (Part 2: Header Requests)
+ https://bugs.webkit.org/show_bug.cgi?id=175992
+ <rdar://problem/34086613>
+
+ Reviewed by Daniel Bates.
+
+ * WebCoreSupport/WebPlatformStrategies.h:
+ * WebCoreSupport/WebPlatformStrategies.mm:
+ (WebPlatformStrategies::cookieRequestHeaderFieldValue): Modify to accept a flag indicating if secure
+ cookies should be included, and return a pair containing the resulting cookie string and a boolean
+ indicating if secure cookies were accessed.
+
2017-08-27 Wenson Hsieh <[email protected]>
Picking an emoji via the emoji dialog (Ctrl+Cmd+Space) fires inconsistent beforeinput events.
Modified: trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.h (221274 => 221275)
--- trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.h 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.h 2017-08-28 22:08:34 UTC (rev 221275)
@@ -50,8 +50,8 @@
std::pair<String, bool> cookiesForDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, WebCore::IncludeSecureCookies) override;
void setCookiesFromDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, const String&) override;
bool cookiesEnabled(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&) override;
- String cookieRequestHeaderFieldValue(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&) override;
- String cookieRequestHeaderFieldValue(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&) override;
+ std::pair<String, bool> cookieRequestHeaderFieldValue(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, WebCore::IncludeSecureCookies) override;
+ std::pair<String, bool> cookieRequestHeaderFieldValue(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, WebCore::IncludeSecureCookies) override;
bool getRawCookies(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, Vector<WebCore::Cookie>&) override;
void deleteCookie(const WebCore::NetworkStorageSession&, const WebCore::URL&, const String&) override;
Modified: trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm (221274 => 221275)
--- trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm 2017-08-28 21:57:28 UTC (rev 221274)
+++ trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm 2017-08-28 22:08:34 UTC (rev 221275)
@@ -88,15 +88,15 @@
return WebCore::cookiesEnabled(session, firstParty, url);
}
-String WebPlatformStrategies::cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url)
+std::pair<String, bool> WebPlatformStrategies::cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies)
{
- return WebCore::cookieRequestHeaderFieldValue(session, firstParty, url);
+ return WebCore::cookieRequestHeaderFieldValue(session, firstParty, url, includeSecureCookies);
}
-String WebPlatformStrategies::cookieRequestHeaderFieldValue(PAL::SessionID sessionID, const URL& firstParty, const URL& url)
+std::pair<String, bool> WebPlatformStrategies::cookieRequestHeaderFieldValue(PAL::SessionID sessionID, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies)
{
auto& session = sessionID.isEphemeral() ? WebFrameNetworkingContext::ensurePrivateBrowsingSession() : NetworkStorageSession::defaultStorageSession();
- return WebCore::cookieRequestHeaderFieldValue(session, firstParty, url);
+ return WebCore::cookieRequestHeaderFieldValue(session, firstParty, url, includeSecureCookies);
}
bool WebPlatformStrategies::getRawCookies(const NetworkStorageSession& session, const URL& firstParty, const URL& url, Vector<Cookie>& rawCookies)