<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><span class="vcard"><a class="email" href="mailto:svillar@igalia.com" title="Sergio Villar Senin <svillar@igalia.com>"> <span class="fn">Sergio Villar Senin</span></a>
</span> changed
<a class="bz_bug_link
bz_status_NEW "
title="NEW - [GTK] "Only from websites I visit" cookie policy is broken"
href="https://bugs.webkit.org/show_bug.cgi?id=168912">bug 168912</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">CC</td>
<td>
</td>
<td>cgarcia@igalia.com
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - [GTK] "Only from websites I visit" cookie policy is broken"
href="https://bugs.webkit.org/show_bug.cgi?id=168912#c4">Comment # 4</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - [GTK] "Only from websites I visit" cookie policy is broken"
href="https://bugs.webkit.org/show_bug.cgi?id=168912">bug 168912</a>
from <span class="vcard"><a class="email" href="mailto:svillar@igalia.com" title="Sergio Villar Senin <svillar@igalia.com>"> <span class="fn">Sergio Villar Senin</span></a>
</span></b>
<pre>OK so I finally found the culprit. It's in NetworkDataTaskSoup::continuteHTTPRedirection(). I am not sure what's the relationship with ResourceHandleSoup but they look pretty much the same. The problem is that we're setting the firstPartyForCookies to the URL of the redirected message meaning that any redirection will successfully bypass the "no third party cookies" policy.
That call is already present in ResourceHandleSoup and has been there for ages. I am almost sure that we can safely remove that call (the cocoa code does not do that BTW) as it does not correct. Setting the first party for cookies is handled by the FrameLoader and we should not overwrite that.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>