Title: [239342] trunk
- Revision
- 239342
- Author
- [email protected]
- Date
- 2018-12-18 11:17:15 -0800 (Tue, 18 Dec 2018)
Log Message
Remove <meta http-equiv=set-cookie> support
https://bugs.webkit.org/show_bug.cgi?id=185077
<rdar://problem/41791397>
Reviewed by Brent Fulgham.
Source/WebCore:
Remove support for the HTTP-equiv. pragma Set-Cookie to set a cookie. In <https://github.com/whatwg/html/pull/3649>
the HTML living standard was amended to define this pragma as a no-op. Chrome and Edge have also
removed support for this pragma and Firefox has an open bug to remove it.
* dom/Document.cpp:
(WebCore::Document::processHttpEquiv): Emit a message that the Set-Cookie pragma is obsolete and
was ignored instead of setting the cookie.
* html/parser/XSSAuditor.cpp:
(WebCore::isDangerousHTTPEquiv): We no longer need to consider the Set-Cookie pragma
as dangerous and erase attribute http-equiv when we find it because we no longer honor
this pragma.
LayoutTests:
Update test now that we no longer consider the HTTP equiv. pragma Set-Cookie as
dangerous (since it is ignored).
* http/tests/security/xssAuditor/cookie-injection-expected.txt:
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (239341 => 239342)
--- trunk/LayoutTests/ChangeLog 2018-12-18 18:51:05 UTC (rev 239341)
+++ trunk/LayoutTests/ChangeLog 2018-12-18 19:17:15 UTC (rev 239342)
@@ -1,3 +1,16 @@
+2018-12-18 Daniel Bates <[email protected]>
+
+ Remove <meta http-equiv=set-cookie> support
+ https://bugs.webkit.org/show_bug.cgi?id=185077
+ <rdar://problem/41791397>
+
+ Reviewed by Brent Fulgham.
+
+ Update test now that we no longer consider the HTTP equiv. pragma Set-Cookie as
+ dangerous (since it is ignored).
+
+ * http/tests/security/xssAuditor/cookie-injection-expected.txt:
+
2018-12-18 Justin Michaud <[email protected]>
CSS Typed OM should expose attributeStyleMap
Modified: trunk/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt (239341 => 239342)
--- trunk/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt 2018-12-18 18:51:05 UTC (rev 239341)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt 2018-12-18 19:17:15 UTC (rev 239342)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/cookie-injection.html&alert-cookie=1&q=%3Cmeta%20http-equiv=%22Set-Cookie%22%20content=%22xssAuditorTestCookie=FAIL%22%20/%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+CONSOLE MESSAGE: line 4: The Set-Cookie meta tag is obsolete and was ignored. Use the HTTP header Set-Cookie or document.cookie instead.
ALERT: PASS
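Review bot: the new expectation line ties this test to the exact wording of the console message added in Document.cpp ("The Set-Cookie meta tag is obsolete and was ignored. ..."), so any later rewording of that message silently breaks this test; consider noting that coupling in the ChangeLog entry. The retained "ALERT: PASS" line is the part that actually verifies the security property (the injected xssAuditorTestCookie=FAIL value did not reach document.cookie), and that is the assertion worth keeping stable regardless of the diagnostic text.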
Modified: trunk/Source/WebCore/ChangeLog (239341 => 239342)
--- trunk/Source/WebCore/ChangeLog 2018-12-18 18:51:05 UTC (rev 239341)
+++ trunk/Source/WebCore/ChangeLog 2018-12-18 19:17:15 UTC (rev 239342)
@@ -1,3 +1,23 @@
+2018-12-18 Daniel Bates <[email protected]>
+
+ Remove <meta http-equiv=set-cookie> support
+ https://bugs.webkit.org/show_bug.cgi?id=185077
+ <rdar://problem/41791397>
+
+ Reviewed by Brent Fulgham.
+
+ Remove support for the HTTP-equiv. pragma Set-Cookie to set a cookie. In <https://github.com/whatwg/html/pull/3649>
+ the HTML living standard was ammended to define this pragma as no-op. Chrome and Edge have also
+ removed support for this pragma and Firefox has an open bug to remove it.
+
+ * dom/Document.cpp:
+ (WebCore::Document::processHttpEquiv): Emit a message that the Set-Cookie pragma is obsolete and
+ was ignored instead of setting the cookie.
+ * html/parser/XSSAuditor.cpp:
+ (WebCore::isDangerousHTTPEquiv): We no longer need to consider the Set-Cookie pragma
+ as dangerous and erase attribute http-equiv when we find it because we no longer honor
+ this pragma.
+
2018-12-18 Justin Michaud <[email protected]>
CSS Typed OM should expose attributeStyleMap
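Review bot: typo in the added ChangeLog text, "ammended" should be "amended", and "as no-op" reads better as "as a no-op". Otherwise the entry accurately describes both touched files and the rationale (HTML spec change, matching Chrome/Edge behaviour).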
Modified: trunk/Source/WebCore/dom/Document.cpp (239341 => 239342)
--- trunk/Source/WebCore/dom/Document.cpp 2018-12-18 18:51:05 UTC (rev 239341)
+++ trunk/Source/WebCore/dom/Document.cpp 2018-12-18 19:17:15 UTC (rev 239342)
@@ -3499,11 +3499,8 @@
}
case HTTPHeaderName::SetCookie:
- // FIXME: make setCookie work on XML documents too; e.g. in case of <html:meta .....>
- if (is<HTMLDocument>(*this)) {
- // Exception (for sandboxed documents) ignored.
- downcast<HTMLDocument>(*this).setCookie(content);
- }
+ if (is<HTMLDocument>(*this))
+ addConsoleMessage(MessageSource::Security, MessageLevel::Error, "The Set-Cookie meta tag is obsolete and was ignored. Use the HTTP header Set-Cookie or document.cookie instead."_s);
break;
case HTTPHeaderName::ContentLanguage:
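Review bot: the `is<HTMLDocument>(*this)` guard now gates nothing but a console message, so an XML document carrying `<html:meta http-equiv="Set-Cookie">` is ignored silently while an HTML document gets a diagnostic; since the pragma is a no-op for every document type, the guard can be dropped so authors of XHTML pages see the same message, or a one-line comment should say why HTML documents are singled out. Also worth a second look: MessageLevel::Error for a deprecated-and-ignored feature is stronger than what similar obsolete-feature messages use; MessageLevel::Warning with MessageSource::Security may fit better. The removed FIXME about XML support is correctly dropped, as the feature it asked for no longer exists.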
Modified: trunk/Source/WebCore/html/parser/XSSAuditor.cpp (239341 => 239342)
--- trunk/Source/WebCore/html/parser/XSSAuditor.cpp 2018-12-18 18:51:05 UTC (rev 239341)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.cpp 2018-12-18 19:17:15 UTC (rev 239342)
@@ -149,7 +149,7 @@
static bool isDangerousHTTPEquiv(const String& value)
{
String equiv = value.stripWhiteSpace();
- return equalLettersIgnoringASCIICase(equiv, "refresh") || equalLettersIgnoringASCIICase(equiv, "set-cookie");
+ return equalLettersIgnoringASCIICase(equiv, "refresh");
}
static inline String decode16BitUnicodeEscapeSequences(const String& string)
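Review bot: after this change the auditor no longer strips the http-equiv attribute from a reflected `<meta http-equiv="set-cookie">`, so such a tag now reaches Document::processHttpEquiv; that is only safe because the Document.cpp change in this same commit turns the pragma into a no-op, so the two hunks must not be split or partially reverted. A short comment above the `return` stating that "refresh" is the only http-equiv value still treated as dangerous, and why set-cookie was dropped (bug 185077), would make that dependency visible to the next reader.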
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes