[Webkit-unassigned] [Bug 200165] WebSockets: response Set-Cookie header not handled when using platform APIs

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Aug 2 11:32:08 PDT 2019


Alex Christensen <achristensen at apple.com> changed:

           What    |Removed                     |Added
 Attachment #375407|review+, commit-queue?      |review-, commit-queue-
              Flags|                            |

--- Comment #17 from Alex Christensen <achristensen at apple.com> ---
Comment on attachment 375407
  --> https://bugs.webkit.org/attachment.cgi?id=375407

View in context: https://bugs.webkit.org/attachment.cgi?id=375407&action=review

>> Source/WebKit/NetworkProcess/NetworkSocketChannel.cpp:111
>> +    m_session->networkStorageSession()->setCookiesFromDOM(m_request.firstPartyForCookies(), SameSiteInfo::create(m_request),
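Review bot: the setCookiesFromDOM call at NetworkSocketChannel.cpp:111 applies the document.cookie setter to cookies that arrived in the handshake's HTTP response. Store them through the path used for response Set-Cookie headers instead, so that an HttpOnly cookie from the handshake is kept yet stays unreadable from document.cookie, and add a test that checks exactly that.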
> The call to setCookiesFromDOM seems strange to me since this is a regular HTTP response processing code path.
> Looking at MacOS setCookiesFromDOM implementation, this is mostly ok except that we are doing client-side cookie checks to validate the duration.
> If we compare to the WebProcess handshake implementation, this is status quo but I wonder if there is something better we could do here.

setCookiesFromDOM is for document.cookie=something. That should not be used here because an HTTP-only cookie sent to a web socket handshake should not be accessible from document.cookie. Could you add a test that verifies that?

Also, your code in NetworkSocketChannel::setCookies should be in a soup-specific file because the NSURLSession-based implementation will not have CFNetwork give WebKit cookies to tell CFNetwork to store. It will just do that for us.
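The distinction comment #17 draws between the document.cookie path and the HTTP response path, as an added example that is not WebKit code and not part of the original message: a toy cookie jar following the RFC 6265 section 5.3 rule that cookies from a non-HTTP API are ignored when HttpOnly. The class, the function names and the sample handshake headers are hypothetical.

```javascript
// Toy cookie jar for illustration only; not WebKit code. Cookies are keyed by name.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Parse one Set-Cookie value; only the HttpOnly attribute is interpreted.
  static parse(setCookie) {
    const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    if (eq < 1) return null;
    const httpOnly = attrs.some((a) => a.toLowerCase() === 'httponly');
    return { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly };
  }

  // HTTP path: Set-Cookie from a response, including the WebSocket handshake.
  setFromResponse(setCookie) {
    const c = CookieJar.parse(setCookie);
    if (c) this.cookies.set(c.name, c);
    return c !== null;
  }

  // Script path (document.cookie = ...): a non-HTTP API may neither create
  // an HttpOnly cookie nor overwrite an existing one.
  setFromDOM(setCookie) {
    const c = CookieJar.parse(setCookie);
    const old = c && this.cookies.get(c.name);
    if (!c || c.httpOnly || (old && old.httpOnly)) return false;
    this.cookies.set(c.name, c);
    return true;
  }

  serialize(list) { return list.map((c) => `${c.name}=${c.value}`).join('; '); }
  // Cookie header the next request to the origin would carry.
  requestHeader() { return this.serialize([...this.cookies.values()]); }
  // What script reads back from document.cookie: HttpOnly cookies are hidden.
  documentCookie() { return this.serialize([...this.cookies.values()].filter((c) => !c.httpOnly)); }
}

// Constructed Set-Cookie headers from a 101 Switching Protocols response.
const HANDSHAKE_SET_COOKIES = ['session=abc123; Path=/; HttpOnly', 'theme=dark; Path=/'];

// Store the handshake cookies through one path and report both views of the jar.
function storeHandshakeCookies(viaDOMPath) {
  const jar = new CookieJar();
  for (const h of HANDSHAKE_SET_COOKIES) {
    if (viaDOMPath) jar.setFromDOM(h); else jar.setFromResponse(h);
  }
  return { sent: jar.requestHeader(), script: jar.documentCookie() };
}

console.log(storeHandshakeCookies(false), storeHandshakeCookies(true));
```

In this model the script path silently drops the HttpOnly session cookie, while the response path stores it for later requests and still keeps it out of `documentCookie()`.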
