[Webkit-unassigned] [Bug 200165] WebSockets: response Set-Cookie header not handled when using platform APIs

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 28 05:52:24 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=200165

--- Comment #24 from Carlos Garcia Campos <cgarcia at igalia.com> ---
(In reply to youenn fablet from comment #23)
> (In reply to Carlos Garcia Campos from comment #20)
> > (In reply to Alex Christensen from comment #17)
> > > Comment on attachment 375407 [details]
> > > Patch
> > > 
> > > View in context:
> > > https://bugs.webkit.org/attachment.cgi?id=375407&action=review
> > > 
> > > >> Source/WebKit/NetworkProcess/NetworkSocketChannel.cpp:111
> > > >> +    m_session->networkStorageSession()->setCookiesFromDOM(m_request.firstPartyForCookies(), SameSiteInfo::create(m_request),
> > > > 
> > > > The call to setCookiesFromDOM seems strange to me since this is a regular HTTP response processing code path.
> > > > Looking at MacOS setCookiesFromDOM implementation, this is mostly ok except that we are doing client-side cookie checks to validate the duration.
> > > > If we compare to the WebProcess handshake implementation, this is status quo but I wonder if there is something better we could do here.
> > > 
> > > setCookiesFromDOM is for document.cookie=something. That should not be used
> > > here because an HTTP-only cookie sent to a web socket handshake should not
> > > be accessible from document.cookie. Could you add a test that verifies that?
> > 
> > hmm, isn't this what
> > imported/w3c/web-platform-tests/websockets/cookies/007.html does? It's
> > checking that document.cookie is indeed set after the handshake, no?
> 
> Is the cookie HttpOnly? If so, document.cookie should not allow accessing it.
> It would be a good test to add if there is no HttpOnly cookie in ws
> handshake.

I don't know, I'll have to look in detail to understand the test.

> > > Also, your code in NetworkSocketChannel::setCookies should be in a
> > > soup-specific file because the NSURLSession-based implementation will not
> > > have CFNetwork give WebKit cookies to tell CFNetwork to store. It will just
> > > do that for us.
> > 
> > It's only called from soup implementation, it could also be used by curl as
> > well  eventually, I think.
> 
> How are cookies handled in soup and curl?
> If soup is handling cookies internally for regular http responses, it should
> also do so for the handshake response.

hmm, good point, I'll investigate. Thanks for your help!

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190828/c0ce27dc/attachment-0001.html>

More information about the webkit-unassigned mailing list