[Webkit-unassigned] [Bug 34289] WebSocket ignores HttpOnly cookies, but should use in Handshake.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Feb 11 19:42:45 PST 2010


Alexey Proskuryakov <ap at webkit.org> changed:

           What    |Removed                     |Added
  Attachment #48608|review?                     |review+
               Flag|                            |

--- Comment #6 from Alexey Proskuryakov <ap at webkit.org>  2010-02-11 19:42:45 PST ---
(From update of attachment 48608)
     String cookies(const Document*, const KURL&);
+    String cookieRequestHeaderFieldValue(const Document*, const KURL&);

Looking at this, I think that there should be a comment explaining that
cookies() omits HttpOnly cookies.

+        "-x", "/websocket/tests/cookies",

Ideally, we should be able to set his to "/websocket/tests". That way, no one
will get surprised by trying to add a .pl test to another subdirectory. Of
course, pywebsocket would need to learn how to distinguish .html and .pl files.

>I think this is because these belong to different port.

Indeed, I keep forgetting about this!

> Do you think we should remove this warning?

It seems confusing, as we're passing a specific directory for CGIs.

This warning is not necessary for WebKit, since it's fairly clear that a
machine running Apache on LayoutTests/http/tests on an external interface is
vulnerable to attacks (by default, it only binds to loopback).
Websocket tests do not seem to add much to this.


Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list