[Webkit-unassigned] [Bug 191645] [Curl] Implement Cookie Accept Policy.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Feb 28 13:36:24 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=191645

--- Comment #57 from Christopher Reid <chris.reid at sony.com> ---
Comment on attachment 363211
  --> https://bugs.webkit.org/attachment.cgi?id=363211
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=363211&action=review

>> Source/WebCore/platform/network/curl/CookieJarDB.cpp:390
>>      pstmt->bindText(4, requestHost);
> 
> Is this right to specify 'requestHost'?
> For example, you visited "http://host1.example.com", that response set a cookie with 'Domain=example.com' parameter.
> Then, you visit "http://example.com".
> In this time you should send the cookie. However SQL query is:
> domain = host1.example.com OR domain GLOB "*.example.com"
> this query doesn't match "example.com".

If host1.example.com sets a cookie with "domain=example.com", the domain attribute parser enforces a leading dot and the domain value would become ".example.com". RFC6265 explains that if the domain attribute is specified, then the cookie must apply to all sub-domains and if the cookie isn't specified then it must apply only to the same origin https://tools.ietf.org/html/rfc6265#section-4.1.2.3.

To support that requirement, in CookieUtil::parseCookieAttributes we enforce a leading dot on specified domain attribute values and the leading dot means the cookie will apply to all sub domains.
In this case the cookie domain value would become ".example.com". That matches what other major browsers do.
If there isn't a domain attribute specified, the cookie domain would be set without a leading dot i.e. "host1.example.com".

>> Source/WebCore/platform/network/curl/CookieJarDB.cpp:395
>> +        pstmt->bindText(5, String("*.") + registrableDomain.string());
> 
> Why do you need to search all cookies for the eTLD+1?
> For example, cookies from http://host1.example.com which doesn't specify Domain parameter shouldn't be passes to http://host2.example.com.

This query can return too many domains but there's domain matching that should filter those out later on in this function with `if (!CookieUtil::domainMatch(cookieDomain, requestHost))`.
"host1.host2.example.com" needs to match cookies for host1.host2.example.com, ".host2.example.com", and ".example.com". I'm not sure if there's a good way to do that domain matching purely in SQL.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190228/4b373922/attachment-0001.html>


More information about the webkit-unassigned mailing list