[Webkit-unassigned] [Bug 200165] WebSockets: response Set-Cookie header not handled when using platform APIs

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 28 05:38:31 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=200165

--- Comment #23 from youenn fablet <youennf at gmail.com> ---
(In reply to Carlos Garcia Campos from comment #20)
> (In reply to Alex Christensen from comment #17)
> > Comment on attachment 375407 [details]
> > Patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=375407&action=review
> > 
> > >> Source/WebKit/NetworkProcess/NetworkSocketChannel.cpp:111
> > >> +    m_session->networkStorageSession()->setCookiesFromDOM(m_request.firstPartyForCookies(), SameSiteInfo::create(m_request),
> > > 
> > > The call to setCookiesFromDOM seems strange to me since this is a regular HTTP response processing code path.
> > > Looking at MacOS setCookiesFromDOM implementation, this is mostly ok except that we are doing client-side cookie checks to validate the duration.
> > > If we compare to the WebProcess handshake implementation, this is status quo but I wonder if there is something better we could do here.
> > 
> > setCookiesFromDOM is for document.cookie=something. That should not be used
> > here because an HTTP-only cookie sent to a web socket handshake should not
> > be accessible from document.cookie. Could you add a test that verifies that?
> 
> hmm, isn't this what
> imported/w3c/web-platform-tests/websockets/cookies/007.html does? It's
> checking that document.cookie is indeed set after the handshake, no?

Is the cookie HttpOnly? If so, document.cookie should not allow accessing it.
It would be a good test to add if there is no HttpOnly cookie in ws handshake.

> > Also, your code in NetworkSocketChannel::setCookies should be in a
> > soup-specific file because the NSURLSession-based implementation will not
> > have CFNetwork give WebKit cookies to tell CFNetwork to store. It will just
> > do that for us.
> 
> It's only called from soup implementation, it could also be used by curl as
> well  eventually, I think.

How are cookies handled in soup and curl?
If soup is handling cookies internally for regular http responses, it should also do so for the handshake response.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190828/5956deca/attachment.html>


More information about the webkit-unassigned mailing list