175848 2017-08-22 13:46:48 -0700 [Curl] Update cookie jar implementation to filter out secure cookies 2018-03-12 11:08:55 -0700 1 1 1 Unclassified WebKit WebKit Misc. WebKit Nightly Build Unspecified Unspecified NEW P2 Normal --- 157053 175846 1 bfulgham chris.reid achristensen bfulgham don.olmstead fujii mcatanzaro oldest_to_newest 1341230 0 bfulgham 2017-08-22 13:46:48 -0700 The changeset r221017 filters helps ensure proper HTTPS behavior for mixed content by blocking secure cookie access for sites that accessed insecure content, and for blocking insecure content loads after a secure cookie is read. The cURL backend currently has a stub that only serves to let it build. It does not provide the security benefit of the change. The following updates are needed in CookieJarCurl: 1. cookiesForSession needs to be updated to: (a) accept an IncludeSecureCookies flag. (b) Return a std::pair containing the cookie string, and a boolean that indicates if secure cookies were read (didAccessSecureCookies, below). 2. addMatchingCurlCookie needs to be updated to: (a) accept an IncludeSecureCookies flag. (b) accept a boolean reference (e.g., didAccessSecureCookies) that can be set to true if the read process encountered a secure cookie. (c) At Line 121, where you read the 'strSecure' flag: (I) If 'strSecure' matches TRUE: (i) If 'IncludeSecureCookies' flag is set to NO, return. didAccessSecureCookies should be set to false. (ii) Otherwise, set didAccessSecureCookies to true and continue. (II) Otherwise, continue. I think that should do it. 1341236 1 mcatanzaro 2017-08-22 13:49:41 -0700 *** Bug 175849 has been marked as a duplicate of this bug. ***