[webkit-changes] [WebKit/WebKit] 8a2b85: Ensure CookieStore uses the creation URL for setti...

Wed Sep 11 21:26:12 PDT 2024

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8a2b852c5d38ea4ecae01783031902f7a99d3a8b
      https://github.com/WebKit/WebKit/commit/8a2b852c5d38ea4ecae01783031902f7a99d3a8b
  Author: Rupin Mittal <rupin at apple.com>
  Date:   2024-09-11 (Wed, 11 Sep 2024)

  Changed paths:
    A LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_getAll_set_creation_url.https.any-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_getAll_set_creation_url.https.any.html
    A LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_getAll_set_creation_url.https.any.js
    M LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_get_set_across_frames.https-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_get_set_creation_url.https.any-expected.txt
    A LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_get_set_creation_url.https.any.html
    A LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_get_set_creation_url.https.any.js
    M LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_opaque_origin.https-expected.txt
    M Source/WebCore/Modules/cookie-store/CookieStore.cpp
    M Source/WebCore/dom/Document.h
    M Source/WebCore/dom/EmptyScriptExecutionContext.h
    M Source/WebCore/dom/ScriptExecutionContext.h
    M Source/WebCore/workers/WorkerGlobalScope.h
    M Source/WebCore/worklets/WorkletGlobalScope.h

  Log Message:
  -----------
  Ensure CookieStore uses the creation URL for setting/getting cookies
https://bugs.webkit.org/show_bug.cgi?id=279454
rdar://135730639

Reviewed by Brady Eidson.

Per the Cookie Store API spec, (https://wicg.github.io/cookie-store/), when setting or
getting cookies, the CookieStore should use the url passed in or setting's creation url.
Up till now, we were using setting's current url. This is a problem because the current
url can change--meaning that if the current url changes, then requests to get cookies
set using the preivous url will fail. The current WPT tests don't test this scenario.

This patch updates set(), get(), and getAll() to use the url passed in or the creation url.
We also add two layout tests to test the case where a cookie is set, the document's
current URL changes, and then there is a request to get the cookies. These tests fail
without the changes to set(), get(), and getAll().

There will be a future patch to the WPT repository to add the tests there.

Since the CookieStoreGetOptions passed into get() and getAll() are still sent over IPC
but their `url` field is not used, we set this field to a null string so that we are not
sending data unnecessarily. We still want to send the options because this object may
change in the future, so it's better practice to have the code sending it already.

Note that this causes the layout test cookieStore_opaque_origin.https.html to fail. This
test attempts to set a cookie from an iframe. Before this change, this succeeded because
CookieStore::get() was incorrectly using the host obtained from the iframe's security
origin. Since the iframe didn't have it's own security origin, it was given the security
origin of it's parent--so the test was able to obtain the correct host. But this is the
wrong method of obtaining the host. As per the spec, the host should be obtained from the
url. Now that we use the creation URL (which is about:srcdoc for this iframe), the host
is null, and the test fails.

This breakage in iframe (also occurring in cookieStore_get_set_across_frames.https.html)
will be fixed in the next patch that will travel up the parent tree until a valid creation
url is found. I didn't do this in this patch so that this patch could be small and focus
on switching set(), get(), and getAll() to using the creation url.

* LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_getAll_set_creation_url.https.any-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_getAll_set_creation_url.https.any.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_getAll_set_creation_url.https.any.js: Added.
(promise_test.async testCase.async let):
(promise_test.async testCase):
* LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_get_set_across_frames.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_get_set_creation_url.https.any-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_get_set_creation_url.https.any.html: Added.
* LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_get_set_creation_url.https.any.js: Added.
(promise_test.async testCase.async let):
(promise_test.async testCase):
* LayoutTests/imported/w3c/web-platform-tests/cookie-store/cookieStore_opaque_origin.https-expected.txt:
* Source/WebCore/Modules/cookie-store/CookieStore.cpp:
(WebCore::CookieStore::MainThreadBridge::get):
(WebCore::CookieStore::MainThreadBridge::set):
(WebCore::CookieStore::get):
(WebCore::CookieStore::getAll):
(WebCore::CookieStore::set):
* Source/WebCore/dom/Document.h:
(WebCore::Document::creationURL const): Deleted.
* Source/WebCore/dom/EmptyScriptExecutionContext.h:
* Source/WebCore/dom/ScriptExecutionContext.h:
* Source/WebCore/workers/WorkerGlobalScope.h:
* Source/WebCore/worklets/WorkletGlobalScope.h:

Canonical link: https://commits.webkit.org/283530@main

To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications