Changeset 214778 in webkit
- Timestamp: Apr 3, 2017 5:39:18 AM (7 years ago)
- Location: releases/WebKitGTK/webkit-2.16
- Files: 2 added, 5 edited
releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog
r214776 r214778 1 2017-03-21 Sergio Villar Senin <svillar@igalia.com> 2 3 [Soup] "Only from websites I visit" cookie policy is broken 4 https://bugs.webkit.org/show_bug.cgi?id=168912 5 6 Reviewed by Carlos Garcia Campos. 7 8 * http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt: Added. 9 * http/tests/security/cookies/third-party-cookie-blocking-redirect.html: Added. 10 1 11 2017-03-21 Brady Eidson <beidson@apple.com> 2 12 -
releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog
r214776 r214778 1 2017-03-21 Sergio Villar Senin <svillar@igalia.com> 2 3 [Soup] "Only from websites I visit" cookie policy is broken 4 https://bugs.webkit.org/show_bug.cgi?id=168912 5 6 Reviewed by Carlos Garcia Campos. 7 8 Do not reset the first party for cookies on redirects. That's properly done for the main 9 resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely 10 wrong (which is what we were doing since r143931). 11 12 The most notable effect was that subresources loaded via redirects were effectively 13 bypassing the "no third party" policy for cookies. 14 15 Test: http/tests/security/cookies/third-party-cookie-blocking-redirect.html 16 17 * platform/network/soup/ResourceHandleSoup.cpp: 18 (WebCore::doRedirect): 19 1 20 2017-03-21 Brady Eidson <beidson@apple.com> 2 21 -
releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp
r211946 r214778 326 326 bool crossOrigin = !protocolHostAndPortAreEqual(handle->firstRequest().url(), newURL); 327 327 newRequest.setURL(newURL); 328 newRequest.setFirstPartyForCookies(newURL);329 328 330 329 if (newRequest.httpMethod() != "GET") { -
releases/WebKitGTK/webkit-2.16/Source/WebKit2/ChangeLog
r214748 r214778 1 2017-03-21 Sergio Villar Senin <svillar@igalia.com> 2 3 [Soup] "Only from websites I visit" cookie policy is broken 4 https://bugs.webkit.org/show_bug.cgi?id=168912 5 6 Reviewed by Carlos Garcia Campos. 7 8 Do not reset the first party for cookies on redirects. That's properly done for the main 9 resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely 10 wrong (which is what we were doing since r143931). 11 12 The most notable effect was that subresources loaded via redirects were effectively 13 bypassing the "no third party" policy for cookies. 14 15 * NetworkProcess/soup/NetworkDataTaskSoup.cpp: 16 (WebKit::NetworkDataTaskSoup::continueHTTPRedirection): 17 1 18 2017-03-15 Tim Horton <timothy_horton@apple.com> 2 19 -
releases/WebKitGTK/webkit-2.16/Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp
r212286 r214778 616 616 ResourceRequest request = m_firstRequest; 617 617 request.setURL(URL(m_response.url(), m_response.httpHeaderField(HTTPHeaderName::Location))); 618 request.setFirstPartyForCookies(request.url());619 618 620 619 // Should not set Referer after a redirect from a secure resource to non-secure one.
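Review bot: in ResourceHandleSoup.cpp (WebCore::doRedirect), the spot right after `newRequest.setURL(newURL);` where `newRequest.setFirstPartyForCookies(newURL);` was dropped should carry a one-line comment saying the first party is intentionally preserved across redirects and that DocumentLoader::willSendRequest updates it for the main resource. As it stands the missing call reads like an oversight and is easy to reintroduce, which according to the ChangeLog is exactly what let redirected subresources bypass the "no third party" cookie policy. The only test listed is http/tests/security/cookies/third-party-cookie-blocking-redirect.html; if it covers only the subresource case, a main-resource redirect case would pin down the other half of the ChangeLog's claim.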
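Review bot: in NetworkDataTaskSoup.cpp (NetworkDataTaskSoup::continueHTTPRedirection), after this change `request` inherits its first party solely from the copy `ResourceRequest request = m_firstRequest;`, so the cookie policy on every redirect hop now depends on that copy and nothing at the site says so. Suggest a short comment next to `request.setURL(...)` stating that the first party for cookies must not be reset here, mirroring the doRedirect change. The WebKit2 ChangeLog entry also has no Test: line, unlike the WebCore entry, so it is worth noting there whether the new layout test exercises this network process path as well.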