[Webkit-unassigned] [Bug 200165] WebSockets: response Set-Cookie header not handled when using platform APIs

bugzilla-daemon at webkit.org
Wed Aug 28 05:38:31 PDT 2019


--- Comment #23 from youenn fablet <youennf at gmail.com> ---
(In reply to Carlos Garcia Campos from comment #20)
> (In reply to Alex Christensen from comment #17)
> > Comment on attachment 375407 [details]
> > Patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=375407&action=review
> > 
> > >> Source/WebKit/NetworkProcess/NetworkSocketChannel.cpp:111
> > >> +    m_session->networkStorageSession()->setCookiesFromDOM(m_request.firstPartyForCookies(), SameSiteInfo::create(m_request),
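Review bot: at NetworkSocketChannel.cpp:111 the added line dereferences both m_session and the result of networkStorageSession() with no check visible in this excerpt; if either can be null when the handshake response arrives, guard before the call. The same line stores the handshake's Set-Cookie data through setCookiesFromDOM, the document.cookie entry point, so consider a dedicated HTTP-response storage path plus a test that sends an HttpOnly cookie in the handshake and checks what document.cookie returns.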
> > > 
> > > The call to setCookiesFromDOM seems strange to me since this is a regular HTTP response processing code path.
> > > Looking at macOS setCookiesFromDOM implementation, this is mostly ok except that we are doing client-side cookie checks to validate the duration.
> > > If we compare to the WebProcess handshake implementation, this is status quo but I wonder if there is something better we could do here.
> > 
> > setCookiesFromDOM is for document.cookie=something. That should not be used
> > here because an HTTP-only cookie sent to a web socket handshake should not
> > be accessible from document.cookie. Could you add a test that verifies that?
> hmm, isn't this what
> imported/w3c/web-platform-tests/websockets/cookies/007.html does? It's
> checking that document.cookie is indeed set after the handshake, no?

Is the cookie HttpOnly? If so, document.cookie should not allow accessing it.
It would be a good test to add if there is no HttpOnly cookie in ws handshake.

> > Also, your code in NetworkSocketChannel::setCookies should be in a
> > soup-specific file because the NSURLSession-based implementation will not
> > have CFNetwork give WebKit cookies to tell CFNetwork to store. It will just
> > do that for us.
> It's only called from soup implementation, it could also be used by curl as
> well eventually, I think.

How are cookies handled in soup and curl?
If soup is handling cookies internally for regular http responses, it should also do so for the handshake response.

You are receiving this mail because:
You are the assignee for the bug.
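
The distinction this thread turns on, storing a handshake cookie as an HTTP response cookie versus storing it through the document.cookie path, shown as an added model of the RFC 6265 storage rules. This is not code from the WebKit patch or from any participant; the class, method names and sample Set-Cookie lines are constructed for illustration.

```javascript
// Minimal cookie jar modelling the RFC 6265 split between HTTP and
// "non-HTTP" (script) APIs. Hypothetical names; not WebKit's implementation.
class CookieJar {
  constructor() { this.cookies = new Map(); } // name -> { value, httpOnly }

  // Parse "name=value; Attr; Attr=..." keeping only what this model needs.
  static parse(line) {
    const [pair, ...attrs] = line.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    if (eq < 1) return null;
    return {
      name: pair.slice(0, eq),
      value: pair.slice(eq + 1),
      httpOnly: attrs.some(a => a.toLowerCase() === 'httponly'),
    };
  }

  store(line, fromHTTP) {
    const c = CookieJar.parse(line);
    if (!c) return false;
    // RFC 6265 section 5.3 step 10: script APIs may not create HttpOnly cookies.
    if (!fromHTTP && c.httpOnly) return false;
    // Step 11.2: script APIs may not overwrite an existing HttpOnly cookie.
    const old = this.cookies.get(c.name);
    if (!fromHTTP && old && old.httpOnly) return false;
    this.cookies.set(c.name, { value: c.value, httpOnly: c.httpOnly });
    return true;
  }

  setFromHTTPResponse(line) { return this.store(line, true); }
  setFromDOM(line) { return this.store(line, false); }

  // What a document.cookie read returns: HttpOnly cookies are omitted.
  documentCookie() {
    return [...this.cookies].filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`).join('; ');
  }

  // What is sent in the Cookie header of the next request: everything stored.
  cookieHeader() {
    return [...this.cookies].map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
}

// Constructed Set-Cookie lines from a hypothetical WebSocket handshake response.
const HANDSHAKE_SET_COOKIE = ['ws_visible=1; Path=/', 'ws_session=s3cr3t; Path=/; HttpOnly'];

// Feed the handshake cookies through one entry point and report the outcome.
function replay(method) {
  const jar = new CookieJar();
  const accepted = HANDSHAKE_SET_COOKIE.map(l => jar[method](l));
  return { accepted, dom: jar.documentCookie(), header: jar.cookieHeader() };
}
```

In this model, `replay('setFromHTTPResponse')` keeps the HttpOnly cookie for later requests while hiding it from script, whereas `replay('setFromDOM')` drops it entirely; a handshake test with an HttpOnly cookie distinguishes the two paths.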