Bug 145734

Summary: [GTK] setting document.cookie from same domain in private mode overwrites previous value set in another webview
Product: WebKit Reporter: Jérémy Lal <kapouer>
Component: WebKit2Assignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: bugs-noreply, cgarcia, danw, dbates, gustavo, mcatanzaro, svillar
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Linux   
Attachments:
Description Flags
test.cc and server.js to reproduce
none
client test with a new context none

Description Jérémy Lal 2015-06-07 02:09:14 PDT
Created attachment 254434 [details]
test.cc and server.js to reproduce

Hi,

if i do this:

```
load blank page in private webview http://localhost:40001/one
page change http://localhost:40001/one 0 
page change http://localhost:40001/one 2 
page change http://localhost:40001/one 3 
set cookie by running script on page http://localhost:40001/one
document.cookie = 'sid=firstcookie; Path=/';
loading blank page in another private webview http://localhost:40001/two
page change http://localhost:40001/two 0 
page change http://localhost:40001/two 2 
page change http://localhost:40001/two 3 
set cookie by running script on page http://localhost:40001/two
document.cookie = 'sid=secondcookie; Path=/';
load actual page1 content with script that do a xhr GET request to /xhr (need a http server)
page change http://localhost:40001/one 0 
page change http://localhost:40001/one 2 
page change http://localhost:40001/one 3 
```

then the HTTP server receives a request to http://localhost:40001/xhr with these headers:

```
{ host: 'localhost:40001',
  referer: 'http://localhost:40001/one',
  'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/601.1 (KHTML, like Gecko) Version/8.0 Safari/601.1',
  accept: '*/*',
  'accept-encoding': 'gzip, deflate',
  'accept-language': 'fr-fr',
  connection: 'Keep-Alive',
  cookie: 'sid=secondcookie' }
```

I expected cookie to be 'sid=firstcookie', especially in private mode.
Am i wrong ?

I attach actual code to reproduce with webkit2gtk 2.8 or 2.9 (and probably 2.6 too).
The server part is a nodejs script but any other server is good.
Comment 1 Michael Catanzaro 2015-06-07 05:23:04 PDT
> I expected cookie to be 'sid=firstcookie', especially in private mode.
> Am i wrong ?

I think cookies should never leak out of private mode. :(
Comment 2 Jérémy Lal 2015-10-27 03:13:40 PDT
Still happening with webkit2gtk up to 2.10.3
Comment 3 Michael Catanzaro 2015-10-27 09:37:58 PDT
Oh, you're using the enable-private-browsing setting... Carlos, is that setting supposed to be exposed? In Epiphany we implement private browsing by using a separate profile directory and deleting the directory when we're done. I'm rather concerned that we have this setting if it doesn't work reliably.

I've seen private browsing-related bugs fixed in Mac-specific ways in the past, which I thought was fine because I didn't realize we exposed this mode.
Comment 4 Jérémy Lal 2015-10-27 09:41:40 PDT
I thought someone would come and tell me "you did not enable private browsing so it's not a bug" - so i enabled the option, but you'll get the same result without it.
Comment 5 Jérémy Lal 2016-07-11 07:30:08 PDT
Created attachment 283316 [details]
client test with a new context

There was a bug in the test itself (the second view was used to load the first page). However, fixing that bug without setting a new context on each view does not isolate cookies.
Comment 6 Jérémy Lal 2016-07-11 07:32:04 PDT
So i finally understood how to isolate cookies by setting a new context for each new view.
So the only "bug" left is the fact "private mode" setting is misleading, and should be dropped and replaced by proper use of context (?).