161780 2016-09-08 17:39:59 -0700 REGRESSION(iOS 10): Video player does not send HttpOnly cookies; missing test coverage 2022-02-10 14:06:12 -0800 1 1 1 Unclassified WebKit Media Other iPhone / iPad Other RESOLVED MOVED InRadar P2 Major --- 1 fabian webkit-unassigned ap bfulgham eric.carlson jer.noble jonlee Mikefills nate s.rosse webkit-bug-importer oldest_to_newest 1227966 0 288370 fabian 2016-09-08 17:39:59 -0700 Created attachment 288370 Adds the missing test coverage for HttpOnly cookies. OS had a nasty bug in iOS 7.0.4, where cookies had been missing for requests send from VideoPlayers. (Original openradar: http://openradar.appspot.com/radar?id=5238098090786816; test script: https://www.bizify.me/test-if-your-ios-device-is-broken/) This bug is back in iOS 10 (Visit: https://www.bizify.me/test-if-your-ios-device-is-broken/), though neither Safari nightly nor Safari Technology preview are affected. This time however only the Javascript allowed cookies are send to the server, not the HttpOnly cookies. This test coverage is missing in WebKit as well, because it also does not specifically test for HttpOnly cookies, which usually are excluded from client side Javascript. Patch is attached to fix the test coverage at least, but should be fixed in iOS 10 ASAP as it makes authentication of users for Videos impossible again. 1228000 1 webkit-bug-importer 2016-09-08 19:27:09 -0700 <rdar://problem/28218873> 1232666 2 webkit-bug-importer 2016-09-22 15:26:59 -0700 <rdar://problem/28435896> 1237686 3 jonlee 2016-10-07 11:11:49 -0700 The underlying issue is a platform-related one, which is tracked in the Radars listed above. We'll have this bug represent the task of adding the test to LayoutTests. I can also update this bug once the platform bug is fixed and available to test. 1839921 4 bfulgham 2022-02-10 14:06:12 -0800 The fix for this issue was needed outside the WebKit project, therefore this is being resolved as 'Moved'. This should now be fixed in shipping software. 288370 2016-09-08 17:39:59 -0700 2016-09-08 17:39:59 -0700 Adds the missing test coverage for HttpOnly cookies. ios-test-coverage.diff application/octet-stream 3502 fabian ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvbWVkaWEvcmVzb3VyY2VzL3NldENv b2tpZS5jZ2kgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL21lZGlhL3Jlc291cmNlcy9zZXRDb29r aWUuY2dpCmluZGV4IDk2NWJkOWQuLjRmMDFmYjEgMTAwNzU1Ci0tLSBhL0xheW91dFRlc3RzL2h0 dHAvdGVzdHMvbWVkaWEvcmVzb3VyY2VzL3NldENvb2tpZS5jZ2kKKysrIGIvTGF5b3V0VGVzdHMv aHR0cC90ZXN0cy9tZWRpYS9yZXNvdXJjZXMvc2V0Q29va2llLmNnaQpAQCAtOSw0ICs5LDUgQEAg cHJpbnQgIkNhY2hlLUNvbnRyb2w6IG5vLXN0b3JlXG4iOwogcHJpbnQgJ0NhY2hlLUNvbnRyb2w6 IG5vLWNhY2hlPSJzZXQtY29va2llIicgLiAiXG4iOwogCiAjIFdlIG9ubHkgbWFwIHRoZSBTRVRf Q09PS0lFIHJlcXVlc3QgaGVhZGVyIHRvICJTZXQtQ29va2llIgorcHJpbnQgIlNldC1Db29raWU6 IFRFU1RfSFRUUF9PTkxZPSR7bmFtZX07IEh0dHBPbmx5XG4iOwogcHJpbnQgIlNldC1Db29raWU6 IFRFU1Q9JHtuYW1lfVxuXG4iOwpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9t ZWRpYS9yZXNvdXJjZXMvdmlkZW8tY29va2llLWNoZWNrLWh0dHBvbmx5LnBocCBiL0xheW91dFRl c3RzL2h0dHAvdGVzdHMvbWVkaWEvcmVzb3VyY2VzL3ZpZGVvLWNvb2tpZS1jaGVjay1odHRwb25s eS5waHAKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMC4uOGY5OTk3MgotLS0gL2Rl di9udWxsCisrKyBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvbWVkaWEvcmVzb3VyY2VzL3ZpZGVv LWNvb2tpZS1jaGVjay1odHRwb25seS5waHAKQEAgLTAsMCArMSwyMyBAQAorPD9waHAKKyAgICBp ZigkX0NPT0tJRVsiVEVTVF9IVFRQX09OTFkiXSkKKyAgICB7CisgICAgICAgICRleHRlbnNpb24g PSBwYXRoaW5mbygkX0NPT0tJRVsiVEVTVF9IVFRQX09OTFkiXSwgUEFUSElORk9fRVhURU5TSU9O KTsKKyAgICAgICAgaWYgKCRleHRlbnNpb24gPT0gJ21wNCcpIHsKKyAgICAgICAgICAgICAgIGhl YWRlcigiQ29udGVudC1UeXBlOiB2aWRlby9tcDQiKTsKKyAgICAgICAgICAgICAgICRmaWxlTmFt ZSA9ICJ0ZXN0Lm1wNCI7CisgICAgICAgIH0gZWxzZSBpZiAoJGV4dGVuc2lvbiA9PSAnb2d2Jykg eworICAgICAgICAgICAgICAgaGVhZGVyKCJDb250ZW50LVR5cGU6IHZpZGVvL29nZyIpOworICAg ICAgICAgICAgICAgJGZpbGVOYW1lID0gInRlc3Qub2d2IjsKKyAgICAgICAgfSBlbHNlIGlmICgk ZXh0ZW5zaW9uID09ICd0cycpIHsKKyAgICAgICAgICAgICAgIGhlYWRlcigiQ29udGVudC1UeXBl OiB2aWRlby9tcGVndHMiKTsKKyAgICAgICAgICAgICAgICRmaWxlTmFtZSA9ICJobHMvdGVzdC50 cyI7CisgICAgICAgIH0gZWxzZQorICAgICAgICAgICAgICAgZGllOworICAgICAgICBoZWFkZXIo IkNhY2hlLUNvbnRyb2w6IG5vLXN0b3JlIik7CisgICAgICAgIGhlYWRlcigiQ29ubmVjdGlvbjog Y2xvc2UiKTsKKyAgICAgICAgJGZuID0gZm9wZW4oJGZpbGVOYW1lLCAiciIpOworICAgICAgICBm cGFzc3RocnUoJGZuKTsKKyAgICAgICAgZmNsb3NlKCRmbik7CisgICAgICAgIGV4aXQ7CisgICAg fQorPz4KZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvbWVkaWEvdmlkZW8tY29v a2llLWh0dHBvbmx5LWV4cGVjdGVkLnR4dCBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvbWVkaWEv dmlkZW8tY29va2llLWh0dHBvbmx5LWV4cGVjdGVkLnR4dApuZXcgZmlsZSBtb2RlIDEwMDY0NApp bmRleCAwMDAwMDAwLi45ZTQ3M2MyCi0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvaHR0 cC90ZXN0cy9tZWRpYS92aWRlby1jb29raWUtaHR0cG9ubHktZXhwZWN0ZWQudHh0CkBAIC0wLDAg KzEsMiBAQAorRVZFTlQoY2FucGxheSkKK1Rlc3RzIHRoYXQgdGhlIG1lZGlhIHBsYXllciB3aWxs IHNlbmQgdGhlIHJlbGV2YW50IGh0dHBvbmx5IGNvb2tpZXMgd2hlbiByZXF1ZXN0aW5nIHRoZSBt ZWRpYSBmaWxlLgpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9tZWRpYS92aWRl by1jb29raWUtaHR0cG9ubHkuaHRtbCBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvbWVkaWEvdmlk ZW8tY29va2llLWh0dHBvbmx5Lmh0bWwKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAw MC4uN2UxZGQyYwotLS0gL2Rldi9udWxsCisrKyBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvbWVk aWEvdmlkZW8tY29va2llLWh0dHBvbmx5Lmh0bWwKQEAgLTAsMCArMSwzNCBAQAorPGh0bWw+Cis8 aGVhZD4KKzwvaGVhZD4KKzxib2R5IG9ubG9hZD0ibG9hZENvb2tpZSgpIj4KKzx2aWRlbyBpZD0i dmlkZW8iPjwvdmlkZW8+Cis8c2NyaXB0IHNyYz0uLi8uLi9tZWRpYS1yZXNvdXJjZXMvdmlkZW8t dGVzdC5qcz48L3NjcmlwdD4KKzxzY3JpcHQgc3JjPS4uLy4uL21lZGlhLXJlc291cmNlcy9tZWRp YS1maWxlLmpzPjwvc2NyaXB0PgorPHNjcmlwdD4KKyAgICBpZiAod2luZG93LnRlc3RSdW5uZXIp IHsKKyAgICAgICAgdGVzdFJ1bm5lci5kdW1wQXNUZXh0KCk7CisgICAgICAgIHRlc3RSdW5uZXIu c2V0QWx3YXlzQWNjZXB0Q29va2llcyh0cnVlKTsKKyAgICAgICAgdGVzdFJ1bm5lci53YWl0VW50 aWxEb25lKCk7CisgICAgfQorICAgIGZ1bmN0aW9uIGxvYWRDb29raWUgKCkgeworICAgICAgICB2 YXIgbW92aWUgPSBmaW5kTWVkaWFGaWxlKCJ2aWRlbyIsICJyZXNvdXJjZXMvdGVzdCIpOworICAg ICAgICB2YXIgZnJhbWUgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCJpZnJhbWUiKTsKKyAgICAg ICAgZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChmcmFtZSk7CisgICAgICAgIGZyYW1lLmFkZEV2 ZW50TGlzdGVuZXIoJ2xvYWQnLCBmdW5jdGlvbiAoKSB7CisgICAgICAgICAgICAgICAgdmlkZW8g PSBkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgndmlkZW8nKTsKKyAgICAgICAgICAgICAgICB2aWRl by5zcmM9Imh0dHA6Ly8xMjcuMC4wLjE6ODAwMC9tZWRpYS9yZXNvdXJjZXMvdmlkZW8tY29va2ll LWNoZWNrLWh0dHBvbmx5LnBocCI7CisgICAgICAgICAgICAgICAgdmlkZW8ucGxheSgpOworICAg ICAgICB9KTsKKyAgICAgICAgZnJhbWUud2lkdGggPSAwOworICAgICAgICBmcmFtZS5oZWlnaHQg PSAwOworICAgICAgICBmcmFtZS5zcmMgPSAiaHR0cDovLzEyNy4wLjAuMTo4MDAwL21lZGlhL3Jl c291cmNlcy9zZXRDb29raWUuY2dpP25hbWU9IiArIG1vdmllOworICAgIH0KKyAgICB3YWl0Rm9y RXZlbnQoImNhbnBsYXkiLCBmdW5jdGlvbiAoKSB7CisgICAgICAgIGlmICh3aW5kb3cudGVzdFJ1 bm5lcikKKyAgICAgICAgICAgIHdpbmRvdy50ZXN0UnVubmVyLm5vdGlmeURvbmUoKTsKKyAgICB9 ICk7Cis8L3NjcmlwdD4KK1Rlc3RzIHRoYXQgdGhlIG1lZGlhIHBsYXllciB3aWxsIHNlbmQgdGhl IHJlbGV2YW50IGh0dHBvbmx5IGNvb2tpZXMgd2hlbiByZXF1ZXN0aW5nIHRoZSBtZWRpYSBmaWxl Ljxici8+Cis8L2JvZHk+Cis8L2h0bWw+Cg==