[Webkit-unassigned] [Bug 168912] [GTK] "Only from websites I visit" cookie policy is broken

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=168912

--- Comment #6 from Carlos Garcia Campos <cgarcia at igalia.com> ---
(In reply to comment #4)
> OK so I finally found the culprit.

\o/ Thanks for investigating this.

> It's in
> NetworkDataTaskSoup::continuteHTTPRedirection().

No recent regression then . . .

> I am not sure what's the
> relationship with ResourceHandleSoup but they look pretty much the same.

NetworkDataTask is the new ResourceHandle. The latter is only used in the web process now for the few bits that hasn't been moved to the network process yet.

> The
> problem is that we're setting the firstPartyForCookies to the URL of the
> redirected message meaning that any redirection will successfully bypass the
> "no third party cookies" policy.

Actually, I think the problem is that we are assuming that all redirections are main resource loads. It's amazing that this problem has always been there!

> That call is already present in ResourceHandleSoup and has been there for
> ages.

Exactly, this is copied from ResourceHandle.

> I am almost sure that we can safely remove that call (the cocoa code
> does not do that BTW) as it does not correct. Setting the first party for
> cookies is handled by the FrameLoader and we should not overwrite that.

Right. In case of main resource, DocumentLoader::willSendRequest sets the first party for cookies after the redirection, and in case of subresources, the initial request first party for cookies is copied to the new one, so it's the right one too.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170321/24c6f7f4/attachment.html>