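--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,34 @@
+2020-02-04 Patrick Griffis <pgriffis@igalia.com>
+
+ [GTK][WPE] Add same-site cookie support
+ https://bugs.webkit.org/show_bug.cgi?id=204137
+
+ Reviewed by NOBODY (OOPS!).
+
+ Implements same-site cookie support in the soup backend.
+
+ * platform/network/HTTPParsers.cpp:
+ (WebCore::isSafeMethod):
+ * platform/network/HTTPParsers.h:
+ * platform/network/SameSiteInfo.cpp:
+ (WebCore::SameSiteInfo::create):
+ * platform/network/SameSiteInfo.h:
+ (WebCore::SameSiteInfo::encode const):
+ (WebCore::SameSiteInfo::decode):
+ * platform/network/soup/CookieSoup.cpp:
+ (WebCore::coreSameSitePolicy):
+ (WebCore::soupSameSitePolicy):
+ (WebCore::Cookie::Cookie):
+ (WebCore::Cookie::toSoupCookie const):
+ * platform/network/soup/NetworkStorageSessionSoup.cpp:
+ (WebCore::NetworkStorageSession::getRawCookies const):
+ (WebCore::cookiesForSession):
+ (WebCore::NetworkStorageSession::cookiesForDOM const):
+ (WebCore::NetworkStorageSession::cookieRequestHeaderFieldValue const):
+ * platform/network/soup/ResourceRequestSoup.cpp:
+ (WebCore::ResourceRequest::updateSoupMessageMembers const):
+ (WebCore::ResourceRequest::updateFromSoupMessage):
+
 2020-02-04 youenn fablet <youenn@apple.com>
 
  MediaDevices should handle changes of iframe allow attribute value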

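--- a/Source/WebKit/ChangeLog
+++ b/Source/WebKit/ChangeLog
@@ -1,3 +1,15 @@
+2020-02-04 Patrick Griffis <pgriffis@igalia.com>
+
+ [GTK][WPE] Add same-site cookie support
+ https://bugs.webkit.org/show_bug.cgi?id=204137
+
+ Reviewed by NOBODY (OOPS!).
+
+ Implements same-site cookie support in the soup backend.
+
+ * NetworkProcess/soup/NetworkDataTaskSoup.cpp:
+ (WebKit::NetworkDataTaskSoup::continueHTTPRedirection):
+
 2020-02-04 Fujii Hironori <Hironori.Fujii@sony.com>
 
  [Win][Clang] WebProcessMain.h(28,14): error: token is not a valid binary operator in a preprocessor subexpression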

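--- a/Source/WebCore/platform/network/HTTPParsers.cpp
+++ b/Source/WebCore/platform/network/HTTPParsers.cpp
@@ -985,6 +985,17 @@ String normalizeHTTPMethod(const String& method)
  return method;
 }
 
+// Defined by https://tools.ietf.org/html/rfc7231#section-4.2.1
+bool isSafeMethod(const String& method)
+{
+ const ASCIILiteral safeMethods[] = { "GET"_s, "HEAD"_s, "OPTIONS"_s, "TRACE"_s };
+ for (auto value : safeMethods) {
+ if (equalIgnoringASCIICase(method, value.characters()))
+ return true;
+ }
+ return false;
+}
+
 CrossOriginResourcePolicy parseCrossOriginResourcePolicyHeader(StringView header)
 {
  auto strippedHeader = stripLeadingAndTrailingHTTPSpaces(header);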
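Review bot: isSafeMethod matches with `equalIgnoringASCIICase`, but RFC 7231 method tokens are case-sensitive, so a method that reaches this function as `get` or `Head` is classified as safe. SameSiteInfo::create stores the result in `isSafeHTTPMethod`, which is later handed to the libsoup same-site cookie lookup, so the classification influences which cookies get attached. If every caller passes a method already run through normalizeHTTPMethod, say so in the comment, e.g. `// Expects a normalized method; the result feeds SameSite cookie selection (RFC 7231 section 4.2.1).`; otherwise an exact comparison would be the safer choice.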

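--- a/Source/WebCore/platform/network/HTTPParsers.h
+++ b/Source/WebCore/platform/network/HTTPParsers.h
@@ -108,6 +108,7 @@ bool isCrossOriginSafeHeader(const String&, const HTTPHeaderSet&);
 bool isCrossOriginSafeRequestHeader(HTTPHeaderName, const String&);
 
 String normalizeHTTPMethod(const String&);
+bool isSafeMethod(const String&);
 
 WEBCORE_EXPORT CrossOriginResourcePolicy parseCrossOriginResourcePolicyHeader(StringView);
 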

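--- a/Source/WebCore/platform/network/SameSiteInfo.cpp
+++ b/Source/WebCore/platform/network/SameSiteInfo.cpp
@@ -26,13 +26,14 @@
 #include "config.h"
 #include "SameSiteInfo.h"
 
+#include "HTTPParsers.h"
 #include "ResourceRequest.h"
 
 namespace WebCore {
 
 SameSiteInfo SameSiteInfo::create(const ResourceRequest& request)
 {
- return { request.isSameSite(), request.isTopSite() };
+ return { request.isSameSite(), request.isTopSite(), isSafeMethod(request.httpMethod()) };
 }
 
 } // namespace WebCore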

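--- a/Source/WebCore/platform/network/SameSiteInfo.h
+++ b/Source/WebCore/platform/network/SameSiteInfo.h
@@ -34,6 +34,7 @@ struct SameSiteInfo {
 
  bool isSameSite { false };
  bool isTopSite { false };
+ bool isSafeHTTPMethod { false };
 
  template <class Encoder> void encode(Encoder&) const;
  template <class Decoder> static bool decode(Decoder&, SameSiteInfo&);
@@ -44,6 +45,7 @@ void SameSiteInfo::encode(Encoder& encoder) const
 {
  encoder << isSameSite;
  encoder << isTopSite;
+ encoder << isSafeHTTPMethod;
 }
 
 template <class Decoder>
@@ -53,6 +55,8 @@ bool SameSiteInfo::decode(Decoder& decoder, SameSiteInfo& info)
  return false;
  if (!decoder.decode(info.isTopSite))
  return false;
+ if (!decoder.decode(info.isSafeHTTPMethod))
+ return false;
  return true;
 }
 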

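--- a/Source/WebCore/platform/network/soup/CookieSoup.cpp
+++ b/Source/WebCore/platform/network/soup/CookieSoup.cpp
@@ -32,6 +32,38 @@
 
 namespace WebCore {
 
+#if SOUP_CHECK_VERSION(2, 69, 90)
+static Cookie::SameSitePolicy coreSameSitePolicy(SoupSameSitePolicy policy)
+{
+ switch (policy) {
+ case SOUP_SAME_SITE_POLICY_NONE:
+ return Cookie::SameSitePolicy::None;
+ case SOUP_SAME_SITE_POLICY_LAX:
+ return Cookie::SameSitePolicy::Lax;
+ case SOUP_SAME_SITE_POLICY_STRICT:
+ return Cookie::SameSitePolicy::Strict;
+ }
+
+ ASSERT_NOT_REACHED();
+ return Cookie::SameSitePolicy::None;
+}
+
+static SoupSameSitePolicy soupSameSitePolicy(Cookie::SameSitePolicy policy)
+{
+ switch (policy) {
+ case Cookie::SameSitePolicy::None:
+ return SOUP_SAME_SITE_POLICY_NONE;
+ case Cookie::SameSitePolicy::Lax:
+ return SOUP_SAME_SITE_POLICY_LAX;
+ case Cookie::SameSitePolicy::Strict:
+ return SOUP_SAME_SITE_POLICY_STRICT;
+ }
+
+ ASSERT_NOT_REACHED();
+ return SOUP_SAME_SITE_POLICY_NONE;
+}
+#endif
+
 Cookie::Cookie(SoupCookie* cookie)
  : name(String::fromUTF8(cookie->name))
  , value(String::fromUTF8(cookie->value))
@@ -43,6 +75,9 @@ Cookie::Cookie(SoupCookie* cookie)
  , session(!cookie->expires)
 
 {
+#if SOUP_CHECK_VERSION(2, 69, 90)
+ sameSite = coreSameSitePolicy(soup_cookie_get_same_site_policy(cookie));
+#endif
 }
 
 static SoupDate* msToSoupDate(double ms)
@@ -66,6 +101,9 @@ SoupCookie* Cookie::toSoupCookie() const
 
  soup_cookie_set_http_only(soupCookie, httpOnly);
  soup_cookie_set_secure(soupCookie, secure);
+#if SOUP_CHECK_VERSION(2, 69, 90)
+ soup_cookie_set_same_site_policy(soupCookie, soupSameSitePolicy(sameSite));
+#endif
 
  if (!session) {
  SoupDate* date = msToSoupDate(expires);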
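Review bot: In coreSameSitePolicy the fallback after `ASSERT_NOT_REACHED()` is `Cookie::SameSitePolicy::None`, the least restrictive value, so in a release build an unexpected SoupSameSitePolicy read from the jar would be treated as a cookie with no same-site restriction. A fail-closed fallback, `return Cookie::SameSitePolicy::Strict;`, looks safer; soupSameSitePolicy has the same shape in the other direction. Separately, when libsoup is older than 2.69.90 the Cookie(SoupCookie*) constructor leaves `sameSite` at its default, which is declared outside this page; a comment next to the `#if`, such as `// Older libsoup exposes no SameSite attribute; sameSite keeps its default.`, would make that visible. The constructor and toSoupCookie both continue outside the hunks shown.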

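--- a/Source/WebCore/platform/network/soup/NetworkStorageSessionSoup.cpp
+++ b/Source/WebCore/platform/network/soup/NetworkStorageSessionSoup.cpp
@@ -439,46 +439,71 @@ void NetworkStorageSession::hasCookies(const RegistrableDomain&, CompletionHandl
  completionHandler(false);
 }
 
-bool NetworkStorageSession::getRawCookies(const URL& firstParty, const SameSiteInfo&, const URL& url, Optional<FrameIdentifier> frameID, Optional<PageIdentifier> pageID, ShouldAskITP, Vector<Cookie>& rawCookies) const
+bool NetworkStorageSession::getRawCookies(const URL& firstParty, const SameSiteInfo& sameSiteInfo, const URL& url, Optional<FrameIdentifier> frameID, Optional<PageIdentifier> pageID, ShouldAskITP, Vector<Cookie>& rawCookies) const
 {
- UNUSED_PARAM(firstParty);
+ rawCookies.clear();
+
+#if ENABLE(RESOURCE_LOAD_STATISTICS)
+ if (shouldBlockCookies(firstParty, url, frameID, pageID))
+ return true;
+#else
  UNUSED_PARAM(frameID);
  UNUSED_PARAM(pageID);
- rawCookies.clear();
+#endif
+
  GUniquePtr<SoupURI> uri = urlToSoupURI(url);
  if (!uri)
  return false;
 
+#if SOUP_CHECK_VERSION(2, 69, 90)
+ GUniquePtr<SoupURI> firstPartyURI = urlToSoupURI(sameSiteInfo.isSameSite ? url : firstParty);
+ if (!firstPartyURI)
+ return false;
+
+ GUniquePtr<SoupURI> cookieURI = sameSiteInfo.isSameSite ? urlToSoupURI(url) : nullptr;
+ GUniquePtr<GSList> cookies(soup_cookie_jar_get_cookie_list_with_same_site_info(cookieStorage(), uri.get(), firstPartyURI.get(), cookieURI.get(), TRUE, sameSiteInfo.isSafeHTTPMethod, sameSiteInfo.isTopSite));
+#else
  GUniquePtr<GSList> cookies(soup_cookie_jar_get_cookie_list(cookieStorage(), uri.get(), TRUE));
+ UNUSED_PARAM(sameSiteInfo);
+#endif
  if (!cookies)
  return false;
 
  for (GSList* iter = cookies.get(); iter; iter = g_slist_next(iter)) {
  SoupCookie* soupCookie = static_cast<SoupCookie*>(iter->data);
- Cookie cookie;
- cookie.name = String::fromUTF8(soupCookie->name);
- cookie.value = String::fromUTF8(soupCookie->value);
- cookie.domain = String::fromUTF8(soupCookie->domain);
- cookie.path = String::fromUTF8(soupCookie->path);
- cookie.created = 0;
- cookie.expires = soupCookie->expires ? static_cast<double>(soup_date_to_time_t(soupCookie->expires)) * 1000 : 0;
- cookie.httpOnly = soupCookie->http_only;
- cookie.secure = soupCookie->secure;
- cookie.session = !soupCookie->expires;
- rawCookies.append(WTFMove(cookie));
+ rawCookies.append(Cookie(soupCookie));
  soup_cookie_free(soupCookie);
  }
 
  return true;
 }
 
-static std::pair<String, bool> cookiesForSession(const NetworkStorageSession& session, const URL& url, bool forHTTPHeader, IncludeSecureCookies includeSecureCookies)
+static std::pair<String, bool> cookiesForSession(const NetworkStorageSession& session, const URL& firstParty, const URL& url, const SameSiteInfo& sameSiteInfo, Optional<FrameIdentifier> frameID, Optional<PageIdentifier> pageID, bool forHTTPHeader, IncludeSecureCookies includeSecureCookies)
 {
+#if ENABLE(RESOURCE_LOAD_STATISTICS)
+ if (session.shouldBlockCookies(firstParty, url, frameID, pageID))
+ return { { }, false };
+#else
+ UNUSED_PARAM(frameID);
+ UNUSED_PARAM(pageID);
+#endif
+
  GUniquePtr<SoupURI> uri = urlToSoupURI(url);
  if (!uri)
  return { { }, false };
 
+#if SOUP_CHECK_VERSION(2, 69, 90)
+ GUniquePtr<SoupURI> firstPartyURI = urlToSoupURI(firstParty);
+ if (!firstPartyURI)
+ return { { }, false };
+
+ GUniquePtr<SoupURI> cookieURI = sameSiteInfo.isSameSite ? urlToSoupURI(url) : nullptr;
+ GSList* cookies = soup_cookie_jar_get_cookie_list_with_same_site_info(session.cookieStorage(), uri.get(), firstPartyURI.get(), cookieURI.get(), forHTTPHeader, sameSiteInfo.isSafeHTTPMethod, sameSiteInfo.isTopSite);
+#else
  GSList* cookies = soup_cookie_jar_get_cookie_list(session.cookieStorage(), uri.get(), forHTTPHeader);
+ UNUSED_PARAM(firstParty);
+ UNUSED_PARAM(sameSiteInfo);
+#endif
  bool didAccessSecureCookies = false;
 
  // libsoup should omit secure cookies itself if the protocol is not https.
@@ -509,21 +534,15 @@ static std::pair<String, bool> cookiesForSession(const NetworkStorageSession& se
  return { String::fromUTF8(cookieHeader.get()), didAccessSecureCookies };
 }
 
-std::pair<String, bool> NetworkStorageSession::cookiesForDOM(const URL& firstParty, const SameSiteInfo&, const URL& url, Optional<FrameIdentifier> frameID, Optional<PageIdentifier> pageID, IncludeSecureCookies includeSecureCookies, ShouldAskITP) const
+std::pair<String, bool> NetworkStorageSession::cookiesForDOM(const URL& firstParty, const SameSiteInfo& sameSiteInfo, const URL& url, Optional<FrameIdentifier> frameID, Optional<PageIdentifier> pageID, IncludeSecureCookies includeSecureCookies, ShouldAskITP) const
 {
- UNUSED_PARAM(firstParty);
- UNUSED_PARAM(frameID);
- UNUSED_PARAM(pageID);
- return cookiesForSession(*this, url, false, includeSecureCookies);
+ return cookiesForSession(*this, firstParty, url, sameSiteInfo, frameID, pageID, false, includeSecureCookies);
 }
 
-std::pair<String, bool> NetworkStorageSession::cookieRequestHeaderFieldValue(const URL& firstParty, const SameSiteInfo&, const URL& url, Optional<FrameIdentifier> frameID, Optional<PageIdentifier> pageID, IncludeSecureCookies includeSecureCookies, ShouldAskITP) const
+std::pair<String, bool> NetworkStorageSession::cookieRequestHeaderFieldValue(const URL& firstParty, const SameSiteInfo& sameSiteInfo, const URL& url, Optional<FrameIdentifier> frameID, Optional<PageIdentifier> pageID, IncludeSecureCookies includeSecureCookies, ShouldAskITP) const
 {
- UNUSED_PARAM(firstParty);
- UNUSED_PARAM(frameID);
- UNUSED_PARAM(pageID);
  // Secure cookies will still only be included if url's protocol is https.
- return cookiesForSession(*this, url, true, includeSecureCookies);
+ return cookiesForSession(*this, firstParty, url, sameSiteInfo, frameID, pageID, true, includeSecureCookies);
 }
 
 std::pair<String, bool> NetworkStorageSession::cookieRequestHeaderFieldValue(const CookieRequestHeaderFieldProxy& headerFieldProxy) const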
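Review bot: getRawCookies and cookiesForSession hand different first-party URIs to `soup_cookie_jar_get_cookie_list_with_same_site_info`: getRawCookies builds it from `sameSiteInfo.isSameSite ? url : firstParty`, cookiesForSession from `firstParty` alone, and nothing in the hunk explains why the two lookups should differ. Both also return early now when that URI cannot be built, so a call with an empty or invalid firstParty can yield no cookies where the old code returned them; if that is intended it deserves a comment. In the `#else` branches the same-site information is discarded, so a build against libsoup older than 2.69.90 returns cookies without any same-site filtering, which I would mark with `// libsoup < 2.69.90: no SameSite filtering is applied here.`. cookiesForSession continues outside the first hunk.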

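--- a/Source/WebCore/platform/network/soup/ResourceRequestSoup.cpp
+++ b/Source/WebCore/platform/network/soup/ResourceRequestSoup.cpp
@@ -110,6 +110,15 @@ void ResourceRequest::updateSoupMessageMembers(SoupMessage* soupMessage) const
  if (firstParty)
  soup_message_set_first_party(soupMessage, firstParty.get());
 
+#if SOUP_CHECK_VERSION(2, 69, 90)
+ if (m_sameSiteDisposition == ResourceRequest::SameSiteDisposition::SameSite) {
+ GUniquePtr<SoupURI> siteForCookies = urlToSoupURI(m_url);
+ soup_message_set_site_for_cookies(soupMessage, siteForCookies.get());
+ }
+
+ soup_message_set_is_top_level_navigation(soupMessage, isTopSite());
+#endif
+
  soup_message_set_flags(soupMessage, m_soupFlags);
 
  if (!acceptEncoding())
@@ -170,6 +179,17 @@ void ResourceRequest::updateFromSoupMessage(SoupMessage* soupMessage)
  if (SoupURI* firstParty = soup_message_get_first_party(soupMessage))
  m_firstPartyForCookies = soupURIToURL(firstParty);
 
+#if SOUP_CHECK_VERSION(2, 69, 90)
+ setIsTopSite(soup_message_get_is_top_level_navigation(soupMessage));
+
+ if (SoupURI* siteForCookies = soup_message_get_site_for_cookies(soupMessage))
+ setIsSameSite(areRegistrableDomainsEqual(soupURIToURL(siteForCookies), m_url));
+ else
+ m_sameSiteDisposition = SameSiteDisposition::Unspecified;
+#else
+ m_sameSiteDisposition = SameSiteDisposition::Unspecified;
+#endif
+
  m_soupFlags = soup_message_get_flags(soupMessage);
 
  // FIXME: m_allowCookies should probably be handled here and on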
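Review bot: updateSoupMessageMembers calls `soup_message_set_site_for_cookies` only when `m_sameSiteDisposition` is SameSite and never clears it otherwise, so if the SoupMessage already carries a site-for-cookies from an earlier update, a request that has become cross-site would presumably still be treated as same-site by libsoup. An explicit `else soup_message_set_site_for_cookies(soupMessage, nullptr);` would keep the message in step with the request. The same set-only pattern appears in NetworkDataTaskSoup::continueHTTPRedirection, where `soup_message_set_is_top_level_navigation` is also only ever set to true; the user-load-cross-site-redirect.php expectation added as a Failure may be related. In both places the result of `urlToSoupURI` is used without the null check that the new code in NetworkStorageSessionSoup.cpp performs. Both functions continue outside the hunks shown.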

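--- a/Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp
+++ b/Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp
@@ -675,6 +675,20 @@ void NetworkDataTaskSoup::continueHTTPRedirection()
  m_lastHTTPMethod = request.httpMethod();
  request.removeCredentials();
 
+ if (isTopLevelNavigation()) {
+ request.setFirstPartyForCookies(request.url());
+#if SOUP_CHECK_VERSION(2, 69, 90)
+ soup_message_set_is_top_level_navigation(m_soupMessage.get(), true);
+#endif
+ }
+
+#if SOUP_CHECK_VERSION(2, 69, 90)
+ if (request.isSameSite()) {
+ GUniquePtr<SoupURI> requestURI = urlToSoupURI(request.url());
+ soup_message_set_site_for_cookies(m_soupMessage.get(), requestURI.get());
+ }
+#endif
+
  if (isCrossOrigin) {
  // The network layer might carry over some headers from the original request that
  // we want to strip here because the redirect is cross-origin.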

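--- a/Tools/ChangeLog
+++ b/Tools/ChangeLog
@@ -1,3 +1,15 @@
+2020-02-04 Patrick Griffis <pgriffis@igalia.com>
+
+ [GTK][WPE] Add same-site cookie support
+ https://bugs.webkit.org/show_bug.cgi?id=204137
+
+ Reviewed by NOBODY (OOPS!).
+
+ Update libsoup to 2.69.90 in JHBuild.
+
+ * gtk/jhbuild.modules:
+ * wpe/jhbuild.modules:
+
 2020-02-03 Jiewen Tan <jiewen_tan@apple.com>
 
  Pass a hint from the extension to decidePolicyForSOAuthorizationLoadWithCurrentPolicy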

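--- a/Tools/gtk/jhbuild.modules
+++ b/Tools/gtk/jhbuild.modules
@@ -54,6 +54,8 @@
  href="http://mirrors.kernel.org/sources.redhat.com/"/>
  <repository type="tarball" name="ftp.gnome.org"
  href="http://ftp.gnome.org"/>
+ <repository type="tarball" name="download.gnome.org"
+ href="https://download.gnome.org/sources"/>
  <repository type="git" name="git.gnome.org"
  href="https://git.gnome.org/browse/"/>
  <repository type="tarball" name="cairographics.org"
@@ -238,9 +240,9 @@
  <dep package="glib-networking"/>
  <dep package="libpsl"/>
  </dependencies>
- <branch module="/pub/GNOME/sources/libsoup/2.68/libsoup-${version}.tar.xz" version="2.68.3"
- repo="ftp.gnome.org"
- hash="sha256:534bb08e35b0ff3702f3adfde87d3441e27c12f9f5ec351f056fe04cba02bafb">
+ <branch module="/libsoup/2.69/libsoup-${version}.tar.xz" version="2.69.90"
+ repo="download.gnome.org"
+ hash="sha256:8ed18092cfb27d870a7c7c45992f3a216bd22dd6fd6d2c9fbf1adc2d6957cab8">
  </branch>
  </meson>
 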

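--- a/Tools/wpe/jhbuild.modules
+++ b/Tools/wpe/jhbuild.modules
@@ -37,6 +37,8 @@
  href="http://mirrors.kernel.org/sources.redhat.com/"/>
  <repository type="tarball" name="ftp.gnome.org"
  href="http://ftp.gnome.org"/>
+ <repository type="tarball" name="download.gnome.org"
+ href="https://download.gnome.org/sources"/>
  <repository type="tarball" name="cairographics.org"
  href="http://cairographics.org"/>
  <repository type="tarball" name="freedesktop.org"
@@ -100,9 +102,9 @@
  <dep package="glib-networking"/>
  <dep package="libpsl"/>
  </dependencies>
- <branch module="/pub/GNOME/sources/libsoup/2.68/libsoup-${version}.tar.xz" version="2.68.3"
- repo="ftp.gnome.org"
- hash="sha256:534bb08e35b0ff3702f3adfde87d3441e27c12f9f5ec351f056fe04cba02bafb">
+ <branch module="/libsoup/2.69/libsoup-${version}.tar.xz" version="2.69.90"
+ repo="download.gnome.org"
+ hash="sha256:8ed18092cfb27d870a7c7c45992f3a216bd22dd6fd6d2c9fbf1adc2d6957cab8">
  </branch>
  </meson>
 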

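--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2020-02-04 Patrick Griffis <pgriffis@igalia.com>
+
+ [GTK][WPE] Add same-site cookie support
+ https://bugs.webkit.org/show_bug.cgi?id=204137
+
+ Reviewed by NOBODY (OOPS!).
+
+ Updated GTK/WPE test expectations to pass most same-site cookie tests
+ matching the Apple ports.
+
+ * platform/gtk/TestExpectations:
+ * platform/wpe/TestExpectations:
+
 2020-02-04 youenn fablet <youenn@apple.com>
 
  MediaDevices should handle changes of iframe allow attribute value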

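--- a/LayoutTests/platform/gtk/TestExpectations
+++ b/LayoutTests/platform/gtk/TestExpectations
@@ -4134,6 +4134,8 @@ webkit.org/b/206885 imported/w3c/web-platform-tests/css/css-fonts/font-variant-n
 webkit.org/b/206885 imported/w3c/web-platform-tests/css/css-fonts/font-variant-position.html [ ImageOnlyFailure ]
 webkit.org/b/206885 imported/w3c/web-platform-tests/css/css-fonts/quoted-generic-ignored.html [ ImageOnlyFailure ]
 
+webkit.org/b/194933 http/tests/cookies/same-site/user-load-cross-site-redirect.php [ Failure ]
+
 #////////////////////////////////////////////////////////////////////////////////////////
 # End of non-crashing, non-flaky tests failing
 #////////////////////////////////////////////////////////////////////////////////////////
@@ -4315,6 +4317,8 @@ webkit.org/b/206885 imported/w3c/web-platform-tests/css/css-fonts/standard-font-
 webkit.org/b/206885 imported/w3c/web-platform-tests/css/css-fonts/standard-font-family-7.html [ Pass ]
 webkit.org/b/206885 imported/w3c/web-platform-tests/css/css-fonts/standard-font-family.html [ Pass ]
 
+http/tests/cookies/same-site [ Pass ]
+
 #////////////////////////////////////////////////////////////////////////////////////////
 # End of PASSING tests. See top of file where to put new expectations.
 #////////////////////////////////////////////////////////////////////////////////////////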

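--- a/LayoutTests/platform/wpe/TestExpectations
+++ b/LayoutTests/platform/wpe/TestExpectations
@@ -949,6 +949,8 @@ webkit.org/b/204115 imported/w3c/web-platform-tests/pointerevents/pointerevent_p
 fast/gradients/conic-gradient-alpha.html [ Pass ]
 imported/w3c/web-platform-tests/css/css-images/multiple-position-color-stop-conic.html [ Pass ]
 
+http/tests/cookies/same-site [ Pass ]
+
 #////////////////////////////////////////////////////////////////////////////////////////
 # 5. TESTS CRASHING
 #////////////////////////////////////////////////////////////////////////////////////////
@@ -2203,6 +2205,8 @@ webkit.org/b/204675 imported/w3c/web-platform-tests/offscreen-canvas/image-smoot
 webkit.org/b/204675 imported/w3c/web-platform-tests/offscreen-canvas/the-offscreen-canvas/initial.reset.pattern.html [ Failure ]
 webkit.org/b/204675 imported/w3c/web-platform-tests/offscreen-canvas/the-offscreen-canvas/initial.reset.pattern.worker.html [ Failure ]
 
+webkit.org/b/194933 http/tests/cookies/same-site/user-load-cross-site-redirect.php [ Failure ]
+
 #////////////////////////////////////////////////////////////////////////////////////////
 # >> NOTICE <<
 # Please see guidelines at the top of this file and place new test expectations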