Changeset 239342 in webkit
- Timestamp: Dec 18, 2018 11:17:15 AM (5 years ago)
- Location: trunk
- Files: 5 edited
trunk/LayoutTests/ChangeLog
r239341 r239342 1 2018-12-18 Daniel Bates <dabates@apple.com> 2 3 Remove <meta http-equiv=set-cookie> support 4 https://bugs.webkit.org/show_bug.cgi?id=185077 5 <rdar://problem/41791397> 6 7 Reviewed by Brent Fulgham. 8 9 Update test now that we no longer consider the HTTP equiv. pragma Set-Cookie as 10 dangerous (since it is ignored). 11 12 * http/tests/security/xssAuditor/cookie-injection-expected.txt: 13 1 14 2018-12-18 Justin Michaud <justin_michaud@apple.com> 2 15 -
trunk/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt
r199525 r239342 1 CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/cookie-injection.html&alert-cookie=1&q=%3Cmeta%20http-equiv=%22Set-Cookie%22%20content=%22xssAuditorTestCookie=FAIL%22%20/%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.1 CONSOLE MESSAGE: line 4: The Set-Cookie meta tag is obsolete and was ignored. Use the HTTP header Set-Cookie or document.cookie instead. 2 2 ALERT: PASS 3 3 -
trunk/Source/WebCore/ChangeLog
r239341 r239342 1 2018-12-18 Daniel Bates <dabates@apple.com> 2 3 Remove <meta http-equiv=set-cookie> support 4 https://bugs.webkit.org/show_bug.cgi?id=185077 5 <rdar://problem/41791397> 6 7 Reviewed by Brent Fulgham. 8 9 Remove support for the HTTP-equiv. pragma Set-Cookie to set a cookie. In <https://github.com/whatwg/html/pull/3649> 10 the HTML living standard was ammended to define this pragma as no-op. Chrome and Edge have also 11 removed support for this pragma and Firefox has an open bug to remove it. 12 13 * dom/Document.cpp: 14 (WebCore::Document::processHttpEquiv): Emit a message that the Set-Cookie pragma is obsolete and 15 was ignored instead of setting the cookie. 16 * html/parser/XSSAuditor.cpp: 17 (WebCore::isDangerousHTTPEquiv): We no longer need to consider the Set-Cookie pragma 18 as dangerous and erase attribute http-equiv when we find it because we no longer honor 19 this pragma. 20 1 21 2018-12-18 Justin Michaud <justin_michaud@apple.com> 2 22 -
trunk/Source/WebCore/dom/Document.cpp
r239160 r239342 3500 3500 3501 3501 case HTTPHeaderName::SetCookie: 3502 // FIXME: make setCookie work on XML documents too; e.g. in case of <html:meta .....> 3503 if (is<HTMLDocument>(*this)) { 3504 // Exception (for sandboxed documents) ignored. 3505 downcast<HTMLDocument>(*this).setCookie(content); 3506 } 3502 if (is<HTMLDocument>(*this)) 3503 addConsoleMessage(MessageSource::Security, MessageLevel::Error, "The Set-Cookie meta tag is obsolete and was ignored. Use the HTTP header Set-Cookie or document.cookie instead."_s); 3507 3504 break; 3508 3505 -
trunk/Source/WebCore/html/parser/XSSAuditor.cpp
r239273 r239342 150 150 { 151 151 String equiv = value.stripWhiteSpace(); 152 return equalLettersIgnoringASCIICase(equiv, "refresh") || equalLettersIgnoringASCIICase(equiv, "set-cookie");152 return equalLettersIgnoringASCIICase(equiv, "refresh"); 153 153 } 154 154
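Review bot: In trunk/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt, the new line 1 expects the "Set-Cookie meta tag is obsolete and was ignored" console message in place of the XSS Auditor refusal, so this test under xssAuditor/ no longer checks any auditor behaviour. ALERT: PASS still suggests the injected xssAuditorTestCookie=FAIL cookie was not set, but consider adding a test outside xssAuditor/ that serves the meta tag directly, so coverage of the ignored pragma does not depend on the echo-intertag.pl reflection path.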
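Review bot: In trunk/Source/WebCore/ChangeLog, line 10 of the new entry spells "amended" as "ammended"; fix the spelling before landing, since ChangeLog text is carried into the commit message.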
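Review bot: In trunk/Source/WebCore/dom/Document.cpp, the is<HTMLDocument>(*this) check at new line 3502 now gates only the console message, so a non-HTML document that carries the pragma gets no diagnostic at all. After this change the cookie is not set for any document type, so consider dropping the guard and emitting the obsolete-pragma message unconditionally, or add a comment saying why it is limited to HTML documents now that the FIXME about XML documents has been removed.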
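Review bot: In trunk/Source/WebCore/html/parser/XSSAuditor.cpp, narrowing isDangerousHTTPEquiv() at line 152 to "refresh" is only safe because Document::processHttpEquiv no longer honors Set-Cookie, and nothing in the function records that dependency. Add a short comment there pointing at the HTTPHeaderName::SetCookie case, so the auditor is revisited if that case ever does more than log a console message.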