<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[214246] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/214246">214246</a></dd>
<dt>Author</dt> <dd>svillar@igalia.com</dd>
<dt>Date</dt> <dd>2017-03-22 03:09:23 -0700 (Wed, 22 Mar 2017)</dd>
</dl>
<h3>Log Message</h3>
<pre>[Soup] "Only from websites I visit" cookie policy is broken
https://bugs.webkit.org/show_bug.cgi?id=168912
Reviewed by Carlos Garcia Campos.
Source/WebCore:
Do not reset the first party for cookies on redirects. That's properly done for the main
resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
wrong (which is what we were doing since <a href="http://trac.webkit.org/projects/webkit/changeset/143931">r143931</a>).
The most notable effect was that subresources loaded via redirects were effectively
bypassing the "no third party" policy for cookies.
Test: http/tests/security/cookies/third-party-cookie-blocking-redirect.html
* platform/network/soup/ResourceHandleSoup.cpp:
(WebCore::doRedirect):
Source/WebKit2:
Do not reset the first party for cookies on redirects. That's properly done for the main
resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
wrong (which is what we were doing since <a href="http://trac.webkit.org/projects/webkit/changeset/143931">r143931</a>).
The most notable effect was that subresources loaded via redirects were effectively
bypassing the "no third party" policy for cookies.
* NetworkProcess/soup/NetworkDataTaskSoup.cpp:
(WebKit::NetworkDataTaskSoup::continueHTTPRedirection):
LayoutTests:
* http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt: Added.
* http/tests/security/cookies/third-party-cookie-blocking-redirect.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworksoupResourceHandleSoupcpp">trunk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp</a></li>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2NetworkProcesssoupNetworkDataTaskSoupcpp">trunk/Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycookiesthirdpartycookieblockingredirectexpectedtxt">trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycookiesthirdpartycookieblockingredirecthtml">trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (214245 => 214246)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2017-03-22 10:07:14 UTC (rev 214245)
+++ trunk/LayoutTests/ChangeLog 2017-03-22 10:09:23 UTC (rev 214246)
</span><span class="lines">@@ -1,5 +1,15 @@
</span><span class="cx"> 2017-03-21 Sergio Villar Senin <svillar@igalia.com>
</span><span class="cx">
</span><ins>+ [Soup] "Only from websites I visit" cookie policy is broken
+ https://bugs.webkit.org/show_bug.cgi?id=168912
+
+ Reviewed by Carlos Garcia Campos.
+
+ * http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt: Added.
+ * http/tests/security/cookies/third-party-cookie-blocking-redirect.html: Added.
+
+2017-03-21 Sergio Villar Senin <svillar@igalia.com>
+
</ins><span class="cx"> All http/ tests with PHP fail in Debian unstable with php7
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=169913
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycookiesthirdpartycookieblockingredirectexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt (0 => 214246)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt 2017-03-22 10:09:23 UTC (rev 214246)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+Checks that subresources that got redirected do not circumvent third-party cookie rules.
+This test PASS if you can see the text "FAILED: Cookie not set".
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+FAILED: Cookie not set
</ins><span class="cx">Property changes on: trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect-expected.txt
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="svneolstyle"></a>
<div class="addfile"><h4>Added: svn:eol-style</h4></div>
<ins>+LF
</ins><span class="cx">\ No newline at end of property
</span><a id="trunkLayoutTestshttptestssecuritycookiesthirdpartycookieblockingredirecthtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect.html (0 => 214246)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect.html 2017-03-22 10:09:23 UTC (rev 214246)
</span><span class="lines">@@ -0,0 +1,21 @@
</span><ins>+<!DOCTYPE html>
+<script>
+function test() {
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+
+ if (testRunner.setPrivateBrowsingEnabled)
+ testRunner.setPrivateBrowsingEnabled(true);
+
+ testRunner.setAlwaysAcceptCookies(false);
+}
+</script>
+
+<p>Checks that subresources that got redirected do not circumvent third-party cookie rules.<br>This test PASS if you can see the text "FAILED: Cookie not set".</p>
+<iframe onload="test" src="http://localhost:8000/cookies/resources/set-cookie-on-redirect.php?step=1"></iframe>
</ins><span class="cx">Property changes on: trunk/LayoutTests/http/tests/security/cookies/third-party-cookie-blocking-redirect.html
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="svneolstyle"></a>
<div class="addfile"><h4>Added: svn:eol-style</h4></div>
<ins>+LF
</ins><span class="cx">\ No newline at end of property
</span><a id="svnmimetype"></a>
<div class="addfile"><h4>Added: svn:mime-type</h4></div>
<ins>+text/html
</ins><span class="cx">\ No newline at end of property
</span><a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (214245 => 214246)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2017-03-22 10:07:14 UTC (rev 214245)
+++ trunk/Source/WebCore/ChangeLog 2017-03-22 10:09:23 UTC (rev 214246)
</span><span class="lines">@@ -1,3 +1,22 @@
</span><ins>+2017-03-21 Sergio Villar Senin <svillar@igalia.com>
+
+ [Soup] "Only from websites I visit" cookie policy is broken
+ https://bugs.webkit.org/show_bug.cgi?id=168912
+
+ Reviewed by Carlos Garcia Campos.
+
+ Do not reset the first party for cookies on redirects. That's properly done for the main
+ resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
+ wrong (which is what we were doing since r143931).
+
+ The most notable effect was that subresources loaded via redirects were effectively
+ bypassing the "no third party" policy for cookies.
+
+ Test: http/tests/security/cookies/third-party-cookie-blocking-redirect.html
+
+ * platform/network/soup/ResourceHandleSoup.cpp:
+ (WebCore::doRedirect):
+
</ins><span class="cx"> 2017-03-22 Carlos Garcia Campos <cgarcia@igalia.com>
</span><span class="cx">
</span><span class="cx"> Make it possible to use WEB_UI_STRING macros to mark translatable strings in glib based ports
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworksoupResourceHandleSoupcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp (214245 => 214246)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp 2017-03-22 10:07:14 UTC (rev 214245)
+++ trunk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp 2017-03-22 10:09:23 UTC (rev 214246)
</span><span class="lines">@@ -322,7 +322,6 @@
</span><span class="cx"> URL newURL = URL(URL(soup_message_get_uri(message)), location);
</span><span class="cx"> bool crossOrigin = !protocolHostAndPortAreEqual(handle->firstRequest().url(), newURL);
</span><span class="cx"> newRequest.setURL(newURL);
</span><del>- newRequest.setFirstPartyForCookies(newURL);
</del><span class="cx">
</span><span class="cx"> if (newRequest.httpMethod() != "GET") {
</span><span class="cx"> // Change newRequest method to GET if change was made during a previous redirection
</span></span></pre></div>
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (214245 => 214246)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog 2017-03-22 10:07:14 UTC (rev 214245)
+++ trunk/Source/WebKit2/ChangeLog 2017-03-22 10:09:23 UTC (rev 214246)
</span><span class="lines">@@ -1,3 +1,20 @@
</span><ins>+2017-03-21 Sergio Villar Senin <svillar@igalia.com>
+
+ [Soup] "Only from websites I visit" cookie policy is broken
+ https://bugs.webkit.org/show_bug.cgi?id=168912
+
+ Reviewed by Carlos Garcia Campos.
+
+ Do not reset the first party for cookies on redirects. That's properly done for the main
+ resource in DocumentLoader::willSendRequest and, in the case of subresources, is absolutely
+ wrong (which is what we were doing since r143931).
+
+ The most notable effect was that subresources loaded via redirects were effectively
+ bypassing the "no third party" policy for cookies.
+
+ * NetworkProcess/soup/NetworkDataTaskSoup.cpp:
+ (WebKit::NetworkDataTaskSoup::continueHTTPRedirection):
+
</ins><span class="cx"> 2017-03-19 Wenson Hsieh <wenson_hsieh@apple.com>
</span><span class="cx">
</span><span class="cx"> Teach TextIndicator to estimate the background color of the given Range
</span></span></pre></div>
<a id="trunkSourceWebKit2NetworkProcesssoupNetworkDataTaskSoupcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp (214245 => 214246)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp 2017-03-22 10:07:14 UTC (rev 214245)
+++ trunk/Source/WebKit2/NetworkProcess/soup/NetworkDataTaskSoup.cpp 2017-03-22 10:09:23 UTC (rev 214246)
</span><span class="lines">@@ -638,7 +638,6 @@
</span><span class="cx">
</span><span class="cx"> ResourceRequest request = m_firstRequest;
</span><span class="cx"> request.setURL(URL(m_response.url(), m_response.httpHeaderField(HTTPHeaderName::Location)));
</span><del>- request.setFirstPartyForCookies(request.url());
</del><span class="cx">
</span><span class="cx"> // Should not set Referer after a redirect from a secure resource to non-secure one.
</span><span class="cx"> if (m_shouldClearReferrerOnHTTPSToHTTPRedirect && !request.url().protocolIs("https") && protocolIs(request.httpReferrer(), "https"))
</span></span></pre>
</div>
</div>
</body>
</html>