[Webkit-unassigned] [Bug 168912] [GTK] "Only from websites I visit" cookie policy is broken

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 20 11:46:00 PDT 2017


Sergio Villar Senin <svillar at igalia.com> changed:

           What    |Removed                     |Added
                 CC|                            |cgarcia at igalia.com

--- Comment #4 from Sergio Villar Senin <svillar at igalia.com> ---
OK so I finally found the culprit. It's in NetworkDataTaskSoup::continuteHTTPRedirection(). I am not sure what's the relationship with ResourceHandleSoup but they look pretty much the same. The problem is that we're setting the firstPartyForCookies to the URL of the redirected message meaning that any redirection will successfully bypass the "no third party cookies" policy.

That call is already present in ResourceHandleSoup and has been there for ages. I am almost sure that we can safely remove that call (the cocoa code does not do that BTW) as it does not correct. Setting the first party for cookies is handled by the FrameLoader and we should not overwrite that.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170320/1bdda0bc/attachment.html>

More information about the webkit-unassigned mailing list