[Webkit-unassigned] [Bug 175848] New: Update cURL cookie jar implementation to filter out secure cookies
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Aug 22 13:46:48 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=175848
Bug ID: 175848
Summary: Update cURL cookie jar implementation to filter out
secure cookies
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: bfulgham at webkit.org
The changeset r221017 filters helps ensure proper HTTPS behavior for mixed content by blocking secure cookie access for sites that accessed insecure content, and for blocking insecure content loads after a secure cookie is read.
The cURL backend currently has a stub that only serves to let it build. It does not provide the security benefit of the change.
The following updates are needed in CookieJarCurl:
1. cookiesForSession needs to be updated to:
(a) accept an IncludeSecureCookies flag.
(b) Return a std::pair containing the cookie string, and a boolean that indicates if secure cookies were read (didAccessSecureCookies, below).
2. addMatchingCurlCookie needs to be updated to:
(a) accept an IncludeSecureCookies flag.
(b) accept a boolean reference (e.g., didAccessSecureCookies) that can be set to true if the read process encountered a secure cookie.
(c) At Line 121, where you read the 'strSecure' flag:
(I) If 'strSecure' matches TRUE:
(i) If 'IncludeSecureCookies' flag is set to NO, return. didAccessSecureCookies should be set to false.
(ii) Otherwise, set didAccessSecureCookies to true and continue.
(II) Otherwise, continue.
I think that should do it.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170822/0cb5fcf8/attachment.html>
More information about the webkit-unassigned
mailing list