Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 52f478f7656be56a1bd95b5f0514406d0b3246ad
      
https://github.com/WebKit/WebKit/commit/52f478f7656be56a1bd95b5f0514406d0b3246ad
  Author: Rupin Mittal <[email protected]>
  Date:   2026-03-23 (Mon, 23 Mar 2026)

  Changed paths:
    M LayoutTests/fast/canvas/offscreen-no-script-context-crash.html
    M LayoutTests/imported/w3c/web-platform-tests/cookiestore/cookieStore_set_domain_parsing.sub.https-expected.txt
    M LayoutTests/platform/glib/imported/w3c/web-platform-tests/cookiestore/cookieStore_set_domain_parsing.sub.https-expected.txt
    M Source/WebCore/Modules/cookie-store/CookieStore.cpp
    M Tools/TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/CookieStoreAPI.mm

  Log Message:
  -----------
  [Cookie Store API] Allow setting a cookie with a mixed case domain passed in
https://bugs.webkit.org/show_bug.cgi?id=310414
rdar://173043058

Reviewed by Brady Eidson.

According to the spec (https://cookiestore.spec.whatwg.org/#set-a-cookie), when
setting a cookie:

"If domain is not a registrable domain suffix of and is not equal to host, then
return failure"

One of the first steps in checking this
(https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to)
is to "parse" the input (in our case the domain passed in):

"Let hostSuffix be the result of parsing hostSuffixString"

One of the steps of doing this parsing
(https://url.spec.whatwg.org/#concept-host-parser) is

"Let asciiDomain be the result of running domain to ASCII with domain and false"

One of the things that the "domain to ASCII" algorithm does
(https://url.spec.whatwg.org/#concept-domain-to-ascii)
is equivalent to lowercasing the domain:

"this step is equivalent to ASCII lowercasing domain".

That means that we cannot reject setting a cookie because the domain passed in
does not match the case of the current host. If on google.com, we must be able to
set a cookie by passing in the domain "GOOGLE.com" or even "gooGLe.com". Currently,
we do reject if the case doesn't match.

WebKit already has a function that does these steps:
SecurityOrigin::isMatchingRegistrableDomainSuffix(). So we change CookieStore::set()
to use it. Since it already does the PublicSuffix check, we don't need to explicitly
do it.

This fixes the test cookieStore_set_domain_parsing.sub.https.html.

We also add a check to the test SecurityOriginTest.IsRegistrableDomainSuffix() to
confirm that it indeed lowercases the domain before checking it.

This change causes fast/canvas/offscreen-no-script-context-crash.html to fail.
It calls "await frames.cookieStore.delete("bar")" and this promise is rejected
because isMatchingRegistrableDomainSuffix() returns false. The issue is that
this test is run with a file URL. For a file URL, ScriptExecutionContext's
securityOrigin's domain is empty. This is passed as cookie.domain to
isMatchingRegistrableDomainSuffix(), which returns false for an empty
domainSuffix.

So we update the test to catch this error so it can complete.

* LayoutTests/fast/canvas/offscreen-no-script-context-crash.html:
* LayoutTests/imported/w3c/web-platform-tests/cookiestore/cookieStore_set_domain_parsing.sub.https-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/cookiestore/cookieStore_set_domain_parsing.sub.https-expected.txt:
* Source/WebCore/Modules/cookie-store/CookieStore.cpp:
(WebCore::CookieStore::set):
* Tools/TestWebKitAPI/Tests/WebCore/SecurityOrigin.cpp:
(TestWebKitAPI::TEST_F(SecurityOriginTest, IsRegistrableDomainSuffix)):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/CookieStoreAPI.mm:
(TestWebKitAPI::TEST(WebKit, CookieStoreSetCookieForPublicSuffixDomain)):

Canonical link: https://commits.webkit.org/309770@main
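The spec chain the commit message walks through (ASCII lowercasing inside the URL host parser, then the HTML "is a registrable domain suffix of or is equal to" check that the Cookie Store "set a cookie" step relies on), as an added JavaScript example that is not WebKit's code and not the project's SecurityOrigin::isMatchingRegistrableDomainSuffix(). The function and constant names are this example's own; parseHost is a simplified stand-in for the URL host parser (ASCII lowercase plus a syntax check, no IDNA processing), and PUBLIC_SUFFIXES is a constructed three-rule subset of the Public Suffix List, both assumptions made for the demo.

```javascript
// Added example, not WebKit code: the HTML "is a registrable domain suffix of
// or is equal to" algorithm as the Cookie Store API's set() step applies it,
// with the host parser's "domain to ASCII" step reduced to ASCII lowercasing.

// Constructed subset of the Public Suffix List (assumption for the demo; the
// real list has thousands of rules). Any host with no matching rule falls
// back to its last label, as the PSL's implicit "*" rule does.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "github.io"]);

// Longest PSL rule matching the end of an already-parsed (lowercase) host.
function publicSuffix(host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// The "domain to ASCII" step the commit message quotes: only A-Z change.
function asciiLowercase(s) {
  return s.replace(/[A-Z]/g, c => String.fromCharCode(c.charCodeAt(0) + 32));
}

// Simplified stand-in for the URL host parser (assumption): lowercase, then
// reject empty hosts, empty labels and anything outside the ASCII host
// alphabet. The real parser additionally runs IDNA and forbidden-code-point
// checks; null stands for the spec's "failure".
function parseHost(input) {
  const host = asciiLowercase(input);
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(host)) return null;
  return host;
}

// https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to
// originalHost is the origin's serialized host and is assumed lowercase already.
function isRegistrableDomainSuffixOfOrEqualTo(hostSuffixString, originalHost) {
  // Step 1: an empty suffix string never matches. This is the file URL case
  // in the commit message, where the origin's domain is empty.
  if (hostSuffixString === "") return false;
  // Step 2: parse the suffix. Parsing lowercases it, so "GOOGLE.com" and
  // "google.com" compare equal from here on.
  const hostSuffix = parseHost(hostSuffixString);
  if (hostSuffix === null) return false;
  // Step 3: anything other than exact equality must be a proper suffix that
  // is itself registrable, i.e. not a public suffix.
  if (hostSuffix !== originalHost) {
    if (!originalHost.endsWith("." + hostSuffix)) return false;
    if (hostSuffix === publicSuffix(hostSuffix)) return false;
    if (publicSuffix(originalHost).endsWith("." + hostSuffix)) return false;
  }
  return true;
}

// The Cookie Store "set a cookie" domain rule: with the document on
// originHost, a requested domain is accepted only if the check above passes.
// A null domain means a host-only cookie and needs no check.
function cookieDomainAllowed(originHost, requestedDomain) {
  if (requestedDomain === null) return true;
  return isRegistrableDomainSuffixOfOrEqualTo(requestedDomain, originHost);
}

// Worked cases from the commit message: a document on google.com.
for (const d of ["GOOGLE.com", "gooGLe.com", "com", "other.com"]) {
  console.log(`google.com + domain ${d} -> ${cookieDomainAllowed("google.com", d)}`);
}
```

The two public-suffix checks in step 3 are what make "com" and "co.uk" unusable as cookie domains even though they are literal suffixes of the host; in WebKit that check lives inside SecurityOrigin::isMatchingRegistrableDomainSuffix(), which is why the commit can drop the explicit PublicSuffix call from CookieStore::set().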
