Changeset 221017 in webkit
- Timestamp: Aug 22, 2017 9:22:22 AM (7 years ago)
- Location: trunk
- Files: 23 added, 21 edited
trunk/LayoutTests/ChangeLog
r221016 r221017 1 2017-08-22 Brent Fulgham <bfulgham@apple.com> and Pranjal Jumde <pjumde@apple.com> 2 3 Disable access to secure cookies if an HTTPS site loads mixed content 4 https://bugs.webkit.org/show_bug.cgi?id=157053 5 <rdar://problem/11290808> 6 7 Reviewed by Dan Bates. 8 9 * http/tests/security/mixedContent/insecure-css-with-secure-cookies-expected.txt: Added. 10 * http/tests/security/mixedContent/insecure-css-with-secure-cookies.html: Added. 11 * http/tests/security/mixedContent/insecure-executable-css-with-secure-cookies.html: Added. 12 * http/tests/security/mixedContent/insecure-executable-css-with-secure-cookies-expected.txt: Added. 13 * http/tests/security/mixedContent/insecure-image-with-securecookie-block-expected.txt: Added. 14 * http/tests/security/mixedContent/insecure-image-with-securecookie-block.html: Added. 15 * http/tests/security/mixedContent/insecure-image-with-securecookie-expected.txt: Added. 16 * http/tests/security/mixedContent/insecure-image-with-securecookie.html: Added. 17 * http/tests/security/mixedContent/insecure-script-with-secure-cookies-expected.txt: Added. 18 * http/tests/security/mixedContent/insecure-script-with-secure-cookies.html: Added. 19 * http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block-expected.txt: Added. 20 * http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block.html: Added. 21 * http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-expected.txt: Added. 22 * http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies.html: Added. 23 * http/tests/security/mixedContent/resources/frame-with-insecure-css-secure-cookies.html: Added. 24 * http/tests/security/mixedContent/resources/frame-with-insecure-executable-css-with-secure-cookies.html: Added. 25 * http/tests/security/mixedContent/resources/frame-with-insecure-image-secure-cookie-block.html: Added. 
26 * http/tests/security/mixedContent/resources/frame-with-insecure-image-secure-cookie.html: Added. 27 * http/tests/security/mixedContent/resources/frame-with-insecure-script-secure-cookies.html: Added. 28 * http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-image-secure-cookie-block.html: Added. 29 * http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-image-secure-cookie.html: Added. 30 * http/tests/security/mixedContent/resources/insecure-executable.css: Added. 31 * http/tests/security/mixedContent/resources/insecure.css: Added. 32 * http/tests/security/resources/greenbox-hotspot5-4.cur: Added. 33 1 34 2017-08-22 Jer Noble <jer.noble@apple.com> 2 35 -
trunk/Source/WebCore/ChangeLog
r221016 r221017 1 2017-08-22 Brent Fulgham <bfulgham@apple.com> and Pranjal Jumde <pjumde@apple.com> 2 3 Disable access to secure cookies if an HTTPS site loads mixed content 4 https://bugs.webkit.org/show_bug.cgi?id=157053 5 <rdar://problem/11290808> 6 7 Reviewed by Dan Bates. 8 9 Tests: http/tests/security/mixedContent/insecure-css-with-secure-cookies.html 10 http/tests/security/mixedContent/insecure-image-with-securecookie-block.html 11 http/tests/security/mixedContent/insecure-image-with-securecookie.html 12 http/tests/security/mixedContent/insecure-script-with-secure-cookies.html 13 http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block.html 14 http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies.html 15 16 * dom/SecurityContext.h: 17 (WebCore::SecurityContext::secureCookiesAccessed): Added. 18 (WebCore::SecurityContext::setSecureCookiesAccessed): Added. 19 * loader/CookieJar.cpp: 20 (WebCore::cookies): Pass Document as non-const so we can call 'setSecureCookiesAccessed' if necessary. 21 * loader/CookieJar.h: 22 * loader/MixedContentChecker.cpp: 23 (WebCore::MixedContentChecker::canRunInsecureContent): Updated checks to avoid running insecure content 24 if secure cookies were accessed. 25 * platform/CookiesStrategy.h: 26 (WebCore::CookiesStrategy::cookiesForDOM): Pass new argument indicating whether secure cookies should be included in the response. 27 * platform/network/PlatformCookieJar.h: 28 * platform/network/cf/CookieJarCFNet.cpp: 29 (copyCookiesForURLWithFirstPartyURL): Revise to accept new 'IncludeSecureCookiesOrNot' argument. 30 (WebCore::cookiesForSession): Updated to accept new 'IncludeSecureCookiesOrNot' argument. Also determine if secure cookies were 31 included in the response, and return this to the caller. 32 (WebCore::cookieRequestHeaderFieldValue): Revise for new 'copyCookiesForURLWithFirstPartyURL' signature. 33 (WebCore::getRawCookies): Ditto. 
34 * platform/network/mac/CookieJarMac.mm: 35 (WebCore::cookiesForSession): Updated checks to keep track of secure cookies and filter out secure cookies if insecure content 36 was accessed. 37 (WebCore::cookiesForDOM): Update for new arguments and to return a pair. 38 (WebCore::cookieRequestHeaderFieldValue): Ditto. 39 1 40 2017-08-22 Jer Noble <jer.noble@apple.com> 2 41 -
trunk/Source/WebCore/dom/SecurityContext.h
r220427 r221017 1 1 /* 2 2 * Copyright (C) 2011 Google Inc. All Rights Reserved. 3 * Copyright (C) 2017 Apple Inc. All rights reserved. 3 4 * 4 5 * Redistribution and use in source and binary forms, with or without … … 84 85 bool geolocationAccessed() const { return m_geolocationAccessed; } 85 86 void setGeolocationAccessed() { m_geolocationAccessed = true; } 87 bool secureCookiesAccessed() const { return m_secureCookiesAccessed; } 88 void setSecureCookiesAccessed() { m_secureCookiesAccessed = true; } 86 89 87 90 bool isStrictMixedContentMode() const { return m_isStrictMixedContentMode; } … … 112 115 bool m_foundMixedContent { false }; 113 116 bool m_geolocationAccessed { false }; 117 bool m_secureCookiesAccessed { false }; 114 118 bool m_isStrictMixedContentMode { false }; 115 119 }; -
trunk/Source/WebCore/loader/CookieJar.cpp
r214084 r221017 1 1 /* 2 * Copyright (C) 2012 , 2016Apple Inc. All rights reserved.2 * Copyright (C) 2012-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 55 55 } 56 56 57 String cookies( constDocument& document, const URL& url)57 String cookies(Document& document, const URL& url) 58 58 { 59 59 TraceScope scope(FetchCookiesStart, FetchCookiesEnd); 60 60 61 return platformStrategies()->cookiesStrategy()->cookiesForDOM(storageSession(document), document.firstPartyForCookies(), url); 61 auto includeSecureCookiesOrNot = (url.protocolIs("https") && !document.foundMixedContent()) ? IncludeSecureCookies::Yes : IncludeSecureCookies::No; 62 auto result = platformStrategies()->cookiesStrategy()->cookiesForDOM(storageSession(document), document.firstPartyForCookies(), url, includeSecureCookiesOrNot); 63 if (result.second) 64 document.setSecureCookiesAccessed(); 65 66 return result.first; 62 67 } 63 68 -
trunk/Source/WebCore/loader/CookieJar.h
r213759 r221017 1 1 /* 2 * Copyright (C) 2003 , 2006, 2008, 2012, 2016Apple Inc. All rights reserved.2 * Copyright (C) 2003-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 39 39 40 40 // These two functions implement document.cookie API, with special rules for HttpOnly cookies. 41 WEBCORE_EXPORT String cookies( constDocument&, const URL&);41 WEBCORE_EXPORT String cookies(Document&, const URL&); 42 42 WEBCORE_EXPORT void setCookies(Document&, const URL&, const String& cookieString); 43 43 -
trunk/Source/WebCore/loader/MixedContentChecker.cpp
r210859 r221017 1 1 /* 2 2 * Copyright (C) 2012 Google Inc. All rights reserved. 3 * Copyright (C) 2013-2017 Apple Inc. All rights reserved. 3 4 * 4 5 * Redistribution and use in source and binary forms, with or without … … 93 94 return false; 94 95 95 bool allowed = !m_frame.document()->isStrictMixedContentMode() && m_frame.settings().allowRunningOfInsecureContent() && !m_frame.document()->geolocationAccessed() ;96 bool allowed = !m_frame.document()->isStrictMixedContentMode() && m_frame.settings().allowRunningOfInsecureContent() && !m_frame.document()->geolocationAccessed() && !m_frame.document()->secureCookiesAccessed(); 96 97 logWarning(allowed, "run", url); 97 98 -
trunk/Source/WebCore/platform/CookiesStrategy.h
r220887 r221017 1 1 /* 2 * Copyright (C) 2011 , 2016Apple Inc. All rights reserved.2 * Copyright (C) 2011-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 24 24 */ 25 25 26 #ifndef CookiesStrategy_h 27 #define CookiesStrategy_h 26 #pragma once 28 27 29 28 #include <pal/SessionID.h> 29 #include <wtf/EnumTraits.h> 30 30 #include <wtf/Vector.h> 31 31 #include <wtf/text/WTFString.h> … … 33 33 namespace WebCore { 34 34 35 class NetworkStorageSession; 35 36 class URL; 36 class NetworkStorageSession; 37 37 38 struct Cookie; 39 40 enum class IncludeSecureCookies { No, Yes }; 38 41 39 42 class CookiesStrategy { 40 43 public: 41 virtual String cookiesForDOM(const NetworkStorageSession&, const URL& firstParty, const URL&) = 0;44 virtual std::pair<String, bool> cookiesForDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, IncludeSecureCookies) = 0; 42 45 virtual void setCookiesFromDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, const String& cookieString) = 0; 43 46 virtual bool cookiesEnabled(const NetworkStorageSession&, const URL& firstParty, const URL&) = 0; … … 53 56 } // namespace WebCore 54 57 55 #endif // CookiesStrategy_h 58 namespace WTF { 59 60 template<> struct EnumTraits<WebCore::IncludeSecureCookies> { 61 using values = EnumValues< 62 WebCore::IncludeSecureCookies, 63 WebCore::IncludeSecureCookies::No, 64 WebCore::IncludeSecureCookies::Yes 65 >; 66 }; 67 68 } // namespace WTF 69 -
trunk/Source/WebCore/platform/network/PlatformCookieJar.h
r217427 r221017 1 1 /* 2 * Copyright (C) 2003 , 2006, 2008, 2012, 2016Apple Inc. All rights reserved.2 * Copyright (C) 2003-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 36 36 class URL; 37 37 class NetworkStorageSession; 38 38 39 struct Cookie; 40 41 enum class IncludeSecureCookies; 39 42 40 43 // FIXME: These should probably be NetworkStorageSession member functions. 41 44 42 WEBCORE_EXPORT String cookiesForDOM(const NetworkStorageSession&, const URL& firstParty, const URL&);45 WEBCORE_EXPORT std::pair<String, bool> cookiesForDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, IncludeSecureCookies); 43 46 WEBCORE_EXPORT void setCookiesFromDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, const String&); 44 47 WEBCORE_EXPORT bool cookiesEnabled(const NetworkStorageSession&, const URL& firstParty, const URL&); -
trunk/Source/WebCore/platform/network/cf/CookieJarCFNet.cpp
r220243 r221017 1 1 /* 2 * Copyright (C) 2006 , 2007, 2008, 2012, 2016Apple Inc. All rights reserved.2 * Copyright (C) 2006-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 37 37 #include <pal/spi/cf/CFNetworkSPI.h> 38 38 #include <wtf/SoftLinking.h> 39 #include <wtf/TypeCastsCF.h> 39 40 #include <wtf/text/WTFString.h> 40 41 … … 49 50 }; 50 51 #endif 52 53 namespace WTF { 54 55 #define DECLARE_CF_TYPE_TRAIT(ClassName) \ 56 template <> \ 57 struct CFTypeTrait<ClassName##Ref> { \ 58 static inline CFTypeID typeID() { return ClassName##GetTypeID(); } \ 59 }; 60 61 DECLARE_CF_TYPE_TRAIT(CFHTTPCookieRef); 62 63 #undef DECLARE_CF_TYPE_TRAIT 64 } // namespace WTF 51 65 52 66 namespace WebCore { … … 103 117 } 104 118 105 static RetainPtr<CFArrayRef> copyCookiesForURLWithFirstPartyURL(const NetworkStorageSession& session, const URL& firstParty, const URL& url) 106 { 107 bool secure = url.protocolIs("https"); 119 static RetainPtr<CFArrayRef> copyCookiesForURLWithFirstPartyURL(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies) 120 { 121 bool secure = includeSecureCookies == IncludeSecureCookies::Yes; 122 123 ASSERT(!secure || (secure && url.protocolIs("https"))); 108 124 109 125 #if PLATFORM(COCOA) … … 152 168 } 153 169 154 String cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url) 155 { 156 RetainPtr<CFArrayRef> cookiesCF = copyCookiesForURLWithFirstPartyURL(session, firstParty, url); 157 RetainPtr<CFDictionaryRef> headerCF = adoptCF(CFHTTPCookieCopyRequestHeaderFields(kCFAllocatorDefault, filterCookies(cookiesCF.get()).get())); 158 return (CFStringRef)CFDictionaryGetValue(headerCF.get(), s_cookieCF); 170 std::pair<String, bool> cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies) 171 { 172 RetainPtr<CFArrayRef> 
cookiesCF = copyCookiesForURLWithFirstPartyURL(session, firstParty, url, includeSecureCookies); 173 174 auto filteredCookies = filterCookies(cookiesCF.get()); 175 176 bool didAccessSecureCookies = false; 177 178 CFIndex cookieCount = CFArrayGetCount(filteredCookies.get()); 179 while (cookieCount--) { 180 if (CFHTTPCookieIsSecure(checked_cf_cast<CFHTTPCookieRef>(CFArrayGetValueAtIndex(filteredCookies.get(), cookieCount)))) { 181 didAccessSecureCookies = true; 182 break; 183 } 184 } 185 186 RetainPtr<CFDictionaryRef> headerCF = adoptCF(CFHTTPCookieCopyRequestHeaderFields(kCFAllocatorDefault, filteredCookies.get())); 187 String cookieString = checked_cf_cast<CFStringRef>(CFDictionaryGetValue(headerCF.get(), s_cookieCF)); 188 return { cookieString, didAccessSecureCookies }; 159 189 } 160 190 161 191 String cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url) 162 192 { 163 RetainPtr<CFArrayRef> cookiesCF = copyCookiesForURLWithFirstPartyURL(session, firstParty, url); 193 auto includeSecureCookies = url.protocolIs("https") ? IncludeSecureCookies::Yes : IncludeSecureCookies::No; 194 195 RetainPtr<CFArrayRef> cookiesCF = copyCookiesForURLWithFirstPartyURL(session, firstParty, url, includeSecureCookies); 164 196 RetainPtr<CFDictionaryRef> headerCF = adoptCF(CFHTTPCookieCopyRequestHeaderFields(kCFAllocatorDefault, cookiesCF.get())); 165 return (CFStringRef)CFDictionaryGetValue(headerCF.get(), s_cookieCF);197 return checked_cf_cast<CFStringRef>(CFDictionaryGetValue(headerCF.get(), s_cookieCF)); 166 198 } 167 199 … … 176 208 rawCookies.clear(); 177 209 178 RetainPtr<CFArrayRef> cookiesCF = copyCookiesForURLWithFirstPartyURL(session, firstParty, url); 210 auto includeSecureCookies = url.protocolIs("https") ? 
IncludeSecureCookies::Yes : IncludeSecureCookies::No; 211 212 RetainPtr<CFArrayRef> cookiesCF = copyCookiesForURLWithFirstPartyURL(session, firstParty, url, includeSecureCookies); 179 213 180 214 CFIndex count = CFArrayGetCount(cookiesCF.get()); … … 182 216 183 217 for (CFIndex i = 0; i < count; i++) { 184 CFHTTPCookieRef cookie = (CFHTTPCookieRef)CFArrayGetValueAtIndex(cookiesCF.get(), i);218 CFHTTPCookieRef cookie = checked_cf_cast<CFHTTPCookieRef>(CFArrayGetValueAtIndex(cookiesCF.get(), i)); 185 219 String name = cookieName(cookie).get(); 186 220 String value = cookieValue(cookie).get(); … … 215 249 CFIndex count = CFArrayGetCount(cookiesCF.get()); 216 250 for (CFIndex i = 0; i < count; i++) { 217 CFHTTPCookieRef cookie = (CFHTTPCookieRef)CFArrayGetValueAtIndex(cookiesCF.get(), i);251 CFHTTPCookieRef cookie = checked_cf_cast<CFHTTPCookieRef>(CFArrayGetValueAtIndex(cookiesCF.get(), i)); 218 252 if (String(cookieName(cookie).get()) == name) { 219 253 CFHTTPCookieStorageDeleteCookie(cookieStorage.get(), cookie); … … 231 265 CFIndex count = CFArrayGetCount(cookiesCF.get()); 232 266 for (CFIndex i = 0; i < count; ++i) { 233 CFHTTPCookieRef cookie = static_cast<CFHTTPCookieRef>(const_cast<void *>(CFArrayGetValueAtIndex(cookiesCF.get(), i)));267 CFHTTPCookieRef cookie = checked_cf_cast<CFHTTPCookieRef>(CFArrayGetValueAtIndex(cookiesCF.get(), i)); 234 268 RetainPtr<CFStringRef> domain = cookieDomain(cookie); 235 269 hostnames.add(domain.get()); -
trunk/Source/WebCore/platform/network/mac/CookieJarMac.mm
r220243 r221017 1 1 /* 2 * Copyright (C) 2003 , 2006, 2008, 2012Apple Inc. All rights reserved.2 * Copyright (C) 2003-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 27 27 #import "PlatformCookieJar.h" 28 28 29 #import "CookiesStrategy.h" 29 30 #import "NetworkStorageSession.h" 30 31 #import "WebCoreSystemInterface.h" … … 133 134 134 135 enum IncludeHTTPOnlyOrNot { DoNotIncludeHTTPOnly, IncludeHTTPOnly }; 135 static String cookiesForSession(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeHTTPOnlyOrNot includeHTTPOnly )136 static String cookiesForSession(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeHTTPOnlyOrNot includeHTTPOnly, IncludeSecureCookies includeSecureCookies, bool& didAccessSecureCookies) 136 137 { 137 138 BEGIN_BLOCK_OBJC_EXCEPTIONS; … … 149 150 continue; 150 151 152 if ([cookie isSecure]) { 153 didAccessSecureCookies = true; 154 if (includeSecureCookies == IncludeSecureCookies::No) 155 continue; 156 } 157 151 158 if (!cookiesBuilder.isEmpty()) 152 159 cookiesBuilder.appendLiteral("; "); … … 162 169 } 163 170 164 String cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url) 165 { 166 return cookiesForSession(session, firstParty, url, DoNotIncludeHTTPOnly); 171 std::pair<String, bool> cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies) 172 { 173 bool didAccessSecureCookies = false; 174 auto cookieString = cookiesForSession(session, firstParty, url, DoNotIncludeHTTPOnly, includeSecureCookies, didAccessSecureCookies); 175 return { cookieString, didAccessSecureCookies }; 167 176 } 168 177 169 178 String cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url) 170 179 { 171 return cookiesForSession(session, firstParty, url, IncludeHTTPOnly); 180 
bool ignore = false; 181 return cookiesForSession(session, firstParty, url, IncludeHTTPOnly, IncludeSecureCookies::No, ignore); 172 182 } 173 183 -
trunk/Source/WebKit/ChangeLog
r221007 r221017 1 2017-08-22 Brent Fulgham <bfulgham@apple.com> and Pranjal Jumde <pjumde@apple.com> 2 3 Disable access to secure cookies if an HTTPS site loads mixed content 4 https://bugs.webkit.org/show_bug.cgi?id=157053 5 <rdar://problem/11290808> 6 7 Reviewed by Dan Bates. 8 9 * NetworkProcess/NetworkConnectionToWebProcess.cpp: 10 (WebKit::NetworkConnectionToWebProcess::cookiesForDOM): Pass new arguments needed by WebCore. 11 * NetworkProcess/NetworkConnectionToWebProcess.h: 12 * NetworkProcess/NetworkConnectionToWebProcess.messages.in: Updated the CookiesForDOM message with the new foundMixedContent 13 argument and the new didAccessSecureCookies reply. 14 * Shared/mac/CookieStorageShim.mm: 15 (WebKit::webKitCookieStorageCopyRequestHeaderFieldsForURL): Drive-by fix to use the right message. 16 * WebProcess/WebCoreSupport/WebPlatformStrategies.cpp: 17 (WebKit::WebPlatformStrategies::cookiesForDOM): Check and return whether secure cookies were accessed. Accept a new argument 18 indicating whether secure cookies should be included in the response. 19 * WebProcess/WebCoreSupport/WebPlatformStrategies.h: 20 1 21 2017-08-22 Zan Dobersek <zdobersek@igalia.com> 2 22 -
trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
r221005 r221017 1 1 /* 2 * Copyright (C) 2012-201 6Apple Inc. All rights reserved.2 * Copyright (C) 2012-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 324 324 } 325 325 326 void NetworkConnectionToWebProcess::cookiesForDOM(PAL::SessionID sessionID, const URL& firstParty, const URL& url, String& result)327 { 328 result = WebCore::cookiesForDOM(storageSession(sessionID), firstParty, url);326 void NetworkConnectionToWebProcess::cookiesForDOM(PAL::SessionID sessionID, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies, String& result, bool& secureCookiesAccessed) 327 { 328 std::tie(result, secureCookiesAccessed) = WebCore::cookiesForDOM(storageSession(sessionID), firstParty, url, includeSecureCookies); 329 329 } 330 330 -
trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h
r221005 r221017 1 1 /* 2 * Copyright (C) 2012-201 6Apple Inc. All rights reserved.2 * Copyright (C) 2012-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 41 41 class ResourceError; 42 42 class ResourceRequest; 43 44 enum class IncludeSecureCookies; 43 45 } 44 46 … … 96 98 void convertMainResourceLoadToDownload(PAL::SessionID, uint64_t mainResourceLoadIdentifier, DownloadID, const WebCore::ResourceRequest&, const WebCore::ResourceResponse&); 97 99 98 void cookiesForDOM(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, String& result);100 void cookiesForDOM(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, WebCore::IncludeSecureCookies, String& result, bool& secureCookiesAccessed); 99 101 void setCookiesFromDOM(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, const String&); 100 102 void cookiesEnabled(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, bool& result); -
trunk/Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in
r221005 r221017 1 # Copyright (C) 2012 Apple Inc. All rights reserved.1 # Copyright (C) 2012-2017 Apple Inc. All rights reserved. 2 2 # 3 3 # Redistribution and use in source and binary forms, with or without … … 33 33 ConvertMainResourceLoadToDownload(PAL::SessionID sessionID, uint64_t mainResourceLoadIdentifier, WebKit::DownloadID downloadID, WebCore::ResourceRequest request, WebCore::ResourceResponse response) 34 34 35 CookiesForDOM(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url ) -> (String result)35 CookiesForDOM(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url, enum WebCore::IncludeSecureCookies includeSecureCookies) -> (String result, bool didAccessSecureCookies) 36 36 SetCookiesFromDOM(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url, String cookieString) 37 37 CookiesEnabled(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url) -> (bool enabled) -
trunk/Source/WebKit/Scripts/webkit/messages.py
r220887 r221017 360 360 'WebCore::HasInsecureContent': ['<WebCore/FrameLoaderTypes.h>'], 361 361 'WebCore::Highlight': ['<WebCore/InspectorOverlay.h>'], 362 'WebCore::IncludeSecureCookies': ['<WebCore/CookiesStrategy.h>'], 362 363 'WebCore::KeyframeValueList': ['<WebCore/GraphicsLayer.h>'], 363 364 'WebCore::KeypressCommand': ['<WebCore/KeyboardEvent.h>'], … … 391 392 'struct WebKit::WebScriptMessageHandlerData': ['"WebUserContentControllerDataTypes.h"'], 392 393 'std::chrono::system_clock::time_point': ['<chrono>'], 393 'WebKit::LayerHostingMode': ['"LayerTreeContext.h"'],394 394 } 395 395 -
trunk/Source/WebKit/Shared/mac/CookieStorageShim.mm
r220887 r221017 1 1 /* 2 * Copyright (C) 2013 Apple Inc. All rights reserved.2 * Copyright (C) 2013-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 58 58 String cookies; 59 59 URL firstPartyForCookiesURL; 60 if (!WebProcess::singleton().networkConnection().connection().sendSync(Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue(PAL::SessionID::defaultSessionID(), firstPartyForCookiesURL, inRequestURL), Messages::NetworkConnectionToWebProcess::Cookie sForDOM::Reply(cookies), 0))60 if (!WebProcess::singleton().networkConnection().connection().sendSync(Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue(PAL::SessionID::defaultSessionID(), firstPartyForCookiesURL, inRequestURL), Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue::Reply(cookies), 0)) 61 61 return 0; 62 62 -
trunk/Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.cpp
r220887 r221017 1 1 /* 2 * Copyright (C) 2010 , 2011, 2012, 2015, 2016Apple Inc. All rights reserved.2 * Copyright (C) 2010-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 110 110 // CookiesStrategy 111 111 112 String WebPlatformStrategies::cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url) 113 { 114 String result; 115 if (!WebProcess::singleton().networkConnection().connection().sendSync(Messages::NetworkConnectionToWebProcess::CookiesForDOM(session.sessionID(), firstParty, url), Messages::NetworkConnectionToWebProcess::CookiesForDOM::Reply(result), 0)) 116 return String(); 117 return result; 112 std::pair<String, bool> WebPlatformStrategies::cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies) 113 { 114 String cookieString; 115 bool secureCookiesAccessed = false; 116 if (!WebProcess::singleton().networkConnection().connection().sendSync(Messages::NetworkConnectionToWebProcess::CookiesForDOM(session.sessionID(), firstParty, url, includeSecureCookies), Messages::NetworkConnectionToWebProcess::CookiesForDOM::Reply(cookieString, secureCookiesAccessed), 0)) 117 return { String(), false }; 118 119 return { cookieString, secureCookiesAccessed }; 118 120 } 119 121 -
trunk/Source/WebKit/WebProcess/WebCoreSupport/WebPlatformStrategies.h
r220857 r221017 1 1 /* 2 * Copyright (C) 2010 , 2012, 2016Apple Inc. All rights reserved.2 * Copyright (C) 2010-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 48 48 49 49 // WebCore::CookiesStrategy 50 String cookiesForDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&) override;50 std::pair<String, bool> cookiesForDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, WebCore::IncludeSecureCookies) override; 51 51 void setCookiesFromDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, const String&) override; 52 52 bool cookiesEnabled(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&) override; -
trunk/Source/WebKitLegacy/mac/ChangeLog
r220979 r221017 1 2017-08-22 Brent Fulgham <bfulgham@apple.com> and Pranjal Jumde <pjumde@apple.com> 2 3 Disable access to secure cookies if an HTTPS site loads mixed content 4 https://bugs.webkit.org/show_bug.cgi?id=157053 5 <rdar://problem/11290808> 6 7 Reviewed by Dan Bates. 8 9 * WebCoreSupport/WebPlatformStrategies.h: 10 * WebCoreSupport/WebPlatformStrategies.mm: 11 (WebPlatformStrategies::cookiesForDOM): Check and return whether secure cookies were accessed. Accept a new argument 12 indicating whether secure cookies should be included in the response. 13 1 14 2017-08-21 Yoshiaki Jitsukawa <Yoshiaki.Jitsukawa@sony.com> 2 15 -
trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.h
r220857 r221017 1 1 /* 2 * Copyright (C) 2010 , 2016Apple Inc. All rights reserved.2 * Copyright (C) 2010-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 24 24 */ 25 25 26 #ifndef WebPlatformStrategies_h 27 #define WebPlatformStrategies_h 26 #pragma once 28 27 29 28 #include <WebCore/CookiesStrategy.h> … … 49 48 50 49 // WebCore::CookiesStrategy 51 String cookiesForDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&) override;50 std::pair<String, bool> cookiesForDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, WebCore::IncludeSecureCookies) override; 52 51 void setCookiesFromDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, const String&) override; 53 52 bool cookiesEnabled(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&) override; … … 89 88 }; 90 89 91 #endif // WebPlatformStrategies_h -
trunk/Source/WebKitLegacy/mac/WebCoreSupport/WebPlatformStrategies.mm
r220857 r221017 1 1 /* 2 * Copyright (C) 2010 Apple Inc. All rights reserved.2 * Copyright (C) 2010-2017 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 74 74 } 75 75 76 String WebPlatformStrategies::cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url)77 { 78 return WebCore::cookiesForDOM(session, firstParty, url );76 std::pair<String, bool> WebPlatformStrategies::cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies) 77 { 78 return WebCore::cookiesForDOM(session, firstParty, url, includeSecureCookies); 79 79 } 80 80
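Review bot: In trunk/Source/WebCore/platform/network/mac/CookieJarMac.mm, cookieRequestHeaderFieldValue passes IncludeSecureCookies::No unconditionally, so the new `if (includeSecureCookies == IncludeSecureCookies::No) continue;` in cookiesForSession skips every Secure cookie when the request header value is built on this path, including for https URLs. The CFNet version of the same function uses `url.protocolIs("https") ? IncludeSecureCookies::Yes : IncludeSecureCookies::No`; suggest deriving the value the same way here. The tests added are all under http/tests/security/mixedContent, so a test that checks the Cookie header on a plain https load would catch this.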
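Review bot: In cookiesForSession in CookieJarMac.mm, didAccessSecureCookies is set to true before the IncludeSecureCookies::No check, so it reports true even when the Secure cookie is skipped and never returned to the caller. cookies() in CookieJar.cpp then calls document.setSecureCookiesAccessed() on that result, and canRunInsecureContent treats the document as having read Secure cookies. The CFNet cookiesForDOM computes the flag from the filtered cookies it actually returns, so the two platforms disagree. Suggest setting the flag after the `continue`, or renaming and documenting it if "a Secure cookie exists for this URL" is the intended meaning.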
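Review bot: In CookieJarCFNet.cpp, DECLARE_CF_TYPE_TRAIT appends Ref and GetTypeID to its argument (`struct CFTypeTrait<ClassName##Ref>` and `ClassName##GetTypeID()`), but it is invoked as `DECLARE_CF_TYPE_TRAIT(CFHTTPCookieRef);`, which expands to CFHTTPCookieRefRef and CFHTTPCookieRefGetTypeID(). The argument should be CFHTTPCookie. The trailing semicolon on the invocation is also redundant, since the macro body already ends in one.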
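Review bot: The new assertion in copyCookiesForURLWithFirstPartyURL in CookieJarCFNet.cpp, `ASSERT(!secure || (secure && url.protocolIs("https")));`, repeats `secure` on the right-hand side; `ASSERT(!secure || url.protocolIs("https"));` is equivalent and easier to read. Because ASSERT is debug-only, the callers are what keep IncludeSecureCookies::Yes tied to https URLs in release builds, so a comment on the function stating that requirement would help future callers.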
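Review bot: cookiesForDOM in CookiesStrategy.h now returns `std::pair<String, bool>` with nothing on the declaration saying what the bool means, and the caller in CookieJar.cpp reads it as `result.second`. Suggest a comment on the pure virtual, or a small struct with named fields for the cookie string and the didAccessSecureCookies flag, since the same pair type is repeated in PlatformCookieJar.h and in both WebPlatformStrategies headers.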
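Review bot: The second hunk in trunk/Source/WebKit/Scripts/webkit/messages.py removes `'WebKit::LayerHostingMode': ['"LayerTreeContext.h"'],`, which has nothing to do with cookies and is not mentioned in the WebKit ChangeLog entry. Please confirm the removal is intentional and list it in the ChangeLog, or drop it from this change.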
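Review bot: The WebKit ChangeLog entry for NetworkConnectionToWebProcess.messages.in says the CookiesForDOM message gained a "foundMixedContent" argument, but the message as changed takes `enum WebCore::IncludeSecureCookies includeSecureCookies`. Update the ChangeLog text so it names the argument that was actually added.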