[Webkit-unassigned] [Bug 210184] [GTK][WPE] Enable resource load statistics

bugzilla-daemon at webkit.org
Wed Apr 15 01:37:46 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=210184

--- Comment #11 from Carlos Garcia Campos <cgarcia at igalia.com> ---
(In reply to John Wilander from comment #8)
> Sorry for dropping the ball on this. Excited to see you’re enabling ITP!
> 
> (In reply to Carlos Garcia Campos from comment #2)
> > So, I have a few questions for John/Youenn/Alex:
> > 
> >  - What's the expected behavior of isolated sessions? They start with an
> > empty cookie storage and only allow first-party? Why is there a limit of
> > isolated sessions?
> 
> Isolated sessions are about the network layer below HTTP. A new session gets
> a new TLS connection for instance. But you can hang all kinds of things on
> the session to isolate it such as an individual DNS cache.

But when is an isolated session used? Why is there a limit? I need to understand the expected behavior to see how to implement it in libsoup. For example, in libsoup we can ensure a new connection is always used for a particular request without having to use a different session, the same way we can disable cookies or other features.

> >  - There aren't HSTS tests, so I don't know what the expected behavior is
> > there either. Should we downgrade requests upgraded by HSTS when cookies
> > should be blocked?
> 
> Yes, when the original request is HTTP, the request will have its cookies
> blocked, and has been upgraded by the HSTS mechanism, downgrade back to
> HTTP, apply all other rules in WebKit that might again upgrade it such as
> Upgrade Insecure Requests or potential/future auto-upgrade of mixed content,
> and send out.

I'll open a new bug to do this.

> The reason for lack of tests is that HSTS requires real, trusted
> certificates and self-signed ones like the one in the test runner will not
> do.

Yes, I know, I just meant I couldn't figure out the expected behavior just by looking at the Cocoa implementation.

> >  - What API should we expose for ITP? Is it enough to expose WebsiteData API
> > to set stats dir, fetch/delete website data and enable/disable ITP?
> > Anything else?
> 
> If you want fine grained controls, you can offer more. I believe we offer
> the ability to exempt localhost for cases where a localhost server is used
> to create a stand-alone application with a UI rendered with web
> technologies.

How does ITP affect the cookies accept policy? Is it just ignored? What policy should we use in libsoup when ITP is enabled?
