[webkit-changes] [WebKit/WebKit] 2cc95f: [cocoa] Restrict access to unpartitioned third-par...

[Commit Queue]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 2cc95f03a409847211d270cc46d4bddceb09d26f
      https://github.com/WebKit/WebKit/commit/2cc95f03a409847211d270cc46d4bddceb09d26f
  Author: Matthew Finkel <m_finkel at apple.com>
  Date:   2024-12-09 (Mon, 09 Dec 2024)

  Changed paths:
    M LayoutTests/http/tests/cookies/resources/echo-http-and-dom-cookies-and-notify-done.py
    M LayoutTests/http/tests/cookies/resources/set-cookie-and-redirect-back.py
    A LayoutTests/http/tests/storageAccess/grant-with-prompt-under-general-third-party-cookie-blocking-with-partitioned-cookies.https-expected.txt
    A LayoutTests/http/tests/storageAccess/grant-with-prompt-under-general-third-party-cookie-blocking-with-partitioned-cookies.https.html
    M LayoutTests/platform/glib/TestExpectations
    M LayoutTests/platform/ios/TestExpectations
    M LayoutTests/platform/mac-wk2/TestExpectations
    M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
    M Source/WTF/wtf/PlatformHave.h
    M Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h
    M Source/WebCore/platform/network/NetworkStorageSession.cpp
    M Source/WebCore/platform/network/NetworkStorageSession.h
    M Source/WebCore/platform/network/cocoa/NetworkStorageSessionCocoa.mm
    M Source/WebKit/NetworkProcess/NetworkProcess.cpp
    M Source/WebKit/NetworkProcess/NetworkProcess.h
    M Source/WebKit/NetworkProcess/NetworkProcess.messages.in
    M Source/WebKit/NetworkProcess/NetworkSession.cpp
    M Source/WebKit/NetworkProcess/NetworkSession.h
    M Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm
    M Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
    M Source/WebKit/NetworkProcess/cocoa/NetworkTaskCocoa.h
    M Source/WebKit/NetworkProcess/cocoa/NetworkTaskCocoa.mm
    M Source/WebKit/NetworkProcess/cocoa/WebSocketTaskCocoa.mm
    M Source/WebKit/Shared/Cocoa/CoreIPCNSURLRequest.h
    M Source/WebKit/Shared/Cocoa/CoreIPCNSURLRequest.mm
    M Source/WebKit/Shared/Cocoa/CoreIPCNSURLRequest.serialization.in
    M Source/WebKit/UIProcess/WebsiteData/WebsiteDataStore.cpp

  Log Message:
  -----------
  [cocoa] Restrict access to unpartitioned third-party cookies
https://bugs.webkit.org/show_bug.cgi?id=283540
rdar://140386768

Reviewed by Sihui Liu.

In the current implementation of partitioned cookies, all cookies associated
with a domain are included by default (i.e., both partitioned and
unpartitioned). This change restricts access to unpartitioned cookies and only
allows access when the request should have "storage access". An example is a
third party iframe that was granted storage access,

This patch adopts an experimental SPI on NSMutableURLRequest
_setAllowOnlyPartitionedCookies that controls whether or not unpartitioned
cookies should be included in a request.

When accessing cookies from JavaScript, by default we get all cookies
associated with a domain. We now take an additional step an filter all cookies
that are not in the specified partition, if the response should only included
partitioned cookies.

* LayoutTests/TestExpectations:
* LayoutTests/http/tests/cookies/resources/echo-http-and-dom-cookies-and-notify-done.py:

Add new query parameter

* LayoutTests/http/tests/cookies/resources/set-cookie-and-redirect-back.py:

Specify cookie path.

* LayoutTests/http/tests/storageAccess/grant-with-prompt-under-general-third-party-cookie-blocking-with-partitioned-cookies.https-expected.txt: Added.
* LayoutTests/http/tests/storageAccess/grant-with-prompt-under-general-third-party-cookie-blocking-with-partitioned-cookies.https.html: Added.

New test

* Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml:
* Source/WTF/wtf/PlatformHave.h:

Add build flag

* Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h:

Declare new SPI.

* Source/WebCore/platform/network/NetworkStorageSession.cpp:
(WebCore::NetworkStorageSession::thirdPartyCookieBlockingDecisionForRequest const):
* Source/WebCore/platform/network/NetworkStorageSession.h:
* Source/WebCore/platform/network/cocoa/NetworkStorageSessionCocoa.mm:
(WebCore::cookiesForURL):
(WebCore::NetworkStorageSession::httpCookiesForURL const):
(WebCore::NetworkStorageSession::cookiesForURL const):
(WebCore::NetworkStorageSession::deleteCookie const):
* Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
(WebKit::NetworkDataTaskCocoa::NetworkDataTaskCocoa):
* Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(WebKit::NetworkSessionCocoa::createWebSocketTask):

Restrict access to unpartitioned cookies, if necessary.

* Source/WebKit/Shared/Cocoa/CoreIPCNSURLRequest.h:
* Source/WebKit/Shared/Cocoa/CoreIPCNSURLRequest.mm:
(WebKit::CoreIPCNSURLRequest::CoreIPCNSURLRequest):
(WebKit::CoreIPCNSURLRequest::toID const):
* Source/WebKit/Shared/Cocoa/CoreIPCNSURLRequest.serialization.in:

Add new attribute.

Canonical link: https://commits.webkit.org/287558@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications