[Webkit-unassigned] [Bug 169356] [SOUP] Implement strict secure cookies specification

Thu Nov 8 12:57:43 PST 2018

https://bugs.webkit.org/show_bug.cgi?id=169356

Michael Catanzaro <mcatanzaro at igalia.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mcatanzaro at igalia.com

--- Comment #3 from Michael Catanzaro <mcatanzaro at igalia.com> ---
Yeah. Basically this eature boils down to an if statement somewhere to make sure it's impossible for an http:// connection to set secure cookies. Just block the cookie if so. Taking a quick look at the code, I guess that needs handled inside NetworkStorageSession::setCookies and NetworkStorageSession::setCookiesFromDOM, then audit all calls to NetworkStorageSession::setCookie....

Then there's a change to ensure existing secure cookies can't be replaced with insecure cookies, and a bit about expiration policy: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01. All that needs to be tested.

Writing tests will probably be harder than implementing the change itself. I think they need to go under LayoutTests/http/tests/ssl as those are the only tests that run under an HTTPS server. You could add a directory LayoutTests/http/tests/ssl/cookies. Alternatively, instead of writing your own, it might be better to try importing the relevant WPT tests like https://github.com/web-platform-tests/wpt/blob/master/cookies/secure/set-from-http.sub.html and its friends, although I've never done this before and I'm not certain whether all these tests are actually compatible with our infrastructure....

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20181108/15efbdb4/attachment.html>