Changeset 214778 in webkit

Timestamp:

Apr 3, 2017 5:39:18 AM (7 years ago)

Author:

Carlos Garcia Campos

Message:

Merge r214246 - [Soup] "Only from websites I visit" cookie policy is broken
​https://bugs.webkit.org/show_bug.cgi?id=168912

Reviewed by Carlos Garcia Campos.

Source/WebCore:

Do not reset the first party for cookies on redirects. That's properly done for the main
resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
wrong (which is what we were doing since r143931).

The most notable effect was that subresources loaded via redirects were effectively
bypassing the "no third party" policy for cookies.

Test: http/tests/security/cookies/third-party-cookie-blocking-redirect.html

• platform/network/soup/ResourceHandleSoup.cpp:

(WebCore::doRedirect):

Source/WebKit2:

Do not reset the first party for cookies on redirects. That's properly done for the main
resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
wrong (which is what we were doing since r143931).

The most notable effect was that subresources loaded via redirects were effectively
bypassing the "no third party" policy for cookies.

• NetworkProcess/soup/NetworkDataTaskSoup.cpp:

(WebKit::NetworkDataTaskSoup::continueHTTPRedirection):

LayoutTests:

• http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt: Added.
• http/tests/security/cookies/third-party-cookie-blocking-redirect.html: Added.

Location:

releases/WebKitGTK/webkit-2.16

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt (added)
• LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp (modified) (1 diff)
• Source/WebKit2/ChangeLog (modified) (1 diff)
• Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp (modified) (1 diff)

releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog

@@ +1 @@
+2017-03-21  Sergio Villar Senin  <svillar@igalia.com>
+
+        [Soup] "Only from websites I visit" cookie policy is broken
+        https://bugs.webkit.org/show_bug.cgi?id=168912
+
+        Reviewed by Carlos Garcia Campos.
+
+        * http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt: Added.
+        * http/tests/security/cookies/third-party-cookie-blocking-redirect.html: Added.
+
 2017-03-21  Brady Eidson  <beidson@apple.com>
 

releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog

@@ +1 @@
+2017-03-21  Sergio Villar Senin  <svillar@igalia.com>
+
+        [Soup] "Only from websites I visit" cookie policy is broken
+        https://bugs.webkit.org/show_bug.cgi?id=168912
+
+        Reviewed by Carlos Garcia Campos.
+
+        Do not reset the first party for cookies on redirects. That's properly done for the main
+        resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
+        wrong (which is what we were doing since r143931).
+
+        The most notable effect was that subresources loaded via redirects were effectively
+        bypassing the "no third party" policy for cookies.
+
+        Test: http/tests/security/cookies/third-party-cookie-blocking-redirect.html
+
+        * platform/network/soup/ResourceHandleSoup.cpp:
+        (WebCore::doRedirect):
+
 2017-03-21  Brady Eidson  <beidson@apple.com>
 

releases/WebKitGTK/webkit-2.16/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp

@@ -326 +326 @@
     bool crossOrigin = !protocolHostAndPortAreEqual(handle->firstRequest().url(), newURL);
     newRequest.setURL(newURL);
-    newRequest.setFirstPartyForCookies(newURL);
 
     if (newRequest.httpMethod() != "GET") {

releases/WebKitGTK/webkit-2.16/Source/WebKit2/ChangeLog

@@ +1 @@
+2017-03-21  Sergio Villar Senin  <svillar@igalia.com>
+
+        [Soup] "Only from websites I visit" cookie policy is broken
+        https://bugs.webkit.org/show_bug.cgi?id=168912
+
+        Reviewed by Carlos Garcia Campos.
+
+        Do not reset the first party for cookies on redirects. That's properly done for the main
+        resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
+        wrong (which is what we were doing since r143931).
+
+        The most notable effect was that subresources loaded via redirects were effectively
+        bypassing the "no third party" policy for cookies.
+
+        * NetworkProcess/soup/NetworkDataTaskSoup.cpp:
+        (WebKit::NetworkDataTaskSoup::continueHTTPRedirection):
+
 2017-03-15  Tim Horton  <timothy_horton@apple.com>
 

releases/WebKitGTK/webkit-2.16/Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp

@@ -616 +616 @@
     ResourceRequest request = m_firstRequest;
     request.setURL(URL(m_response.url(), m_response.httpHeaderField(HTTPHeaderName::Location)));
-    request.setFirstPartyForCookies(request.url());
 
     // Should not set Referer after a redirect from a secure resource to non-secure one.