Bug 169356

Summary:

[SOUP] Implement strict secure cookies specification

Product:

WebKit

Reporter:

Michael Catanzaro <mcatanzaro>

Component:

WebKitGTK

Assignee:

Patrick Griffis <pgriffis>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

agomez, aperez, berto, bugs-noreply, cgarcia, clopez, commit-queue, ews-watchlist, gustavo, ltilve, mcatanzaro, pgriffis, psaavedra, rniwa

Priority:

Version:

WebKit Nightly Build

Hardware:

OS:

Linux

See Also:

https://bugs.webkit.org/show_bug.cgi?id=184955

Attachments:

Description	Flags
Patch	none
Archive of layout-test-results from ews107 for mac-highsierra-wk2	none
Patch	none

Michael Catanzaro

Reported 2017-03-08 07:13:08 PST

Insecure webpages should be prevented from setting secure cookies. See: https://bugzilla.mozilla.org/show_bug.cgi?id=976073

Attachments
Patch (2.56 KB, patch) 2019-06-01 16:07 PDT, Patrick Griffis	no flags	Details Formatted Diff Diff
Archive of layout-test-results from ews107 for mac-highsierra-wk2 (2.85 MB, application/zip) 2019-06-01 17:53 PDT, EWS Watchlist	no flags	Details
Patch (7.87 KB, patch) 2019-12-11 19:24 PST, Patrick Griffis	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Patrick Griffis

Comment 1 2018-11-08 11:48:57 PST

This appears to already be implemented if I'm reading it right: https://github.com/WebKit/webkit/commit/ca55797f9037f4655f6f673b3ebb91b904899a5c#diff-0260b688ce1742d2664124764a517056R503 I don't know if there are any tests we have for this to ensure they run with Soup.

Patrick Griffis

Comment 2 2018-11-08 11:51:59 PST

Hmm, I guess that snippet is only accessing cookies not setting them.

Michael Catanzaro

Comment 3 2018-11-08 12:57:43 PST

Yeah. Basically this eature boils down to an if statement somewhere to make sure it's impossible for an http:// connection to set secure cookies. Just block the cookie if so. Taking a quick look at the code, I guess that needs handled inside NetworkStorageSession::setCookies and NetworkStorageSession::setCookiesFromDOM, then audit all calls to NetworkStorageSession::setCookie.... Then there's a change to ensure existing secure cookies can't be replaced with insecure cookies, and a bit about expiration policy: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01. All that needs to be tested. Writing tests will probably be harder than implementing the change itself. I think they need to go under LayoutTests/http/tests/ssl as those are the only tests that run under an HTTPS server. You could add a directory LayoutTests/http/tests/ssl/cookies. Alternatively, instead of writing your own, it might be better to try importing the relevant WPT tests like https://github.com/web-platform-tests/wpt/blob/master/cookies/secure/set-from-http.sub.html and its friends, although I've never done this before and I'm not certain whether all these tests are actually compatible with our infrastructure....

Patrick Griffis

Comment 4 2019-02-28 13:36:56 PST

Initial work in libsoup: https://gitlab.gnome.org/GNOME/libsoup/merge_requests/47

Patrick Griffis

Comment 5 2019-06-01 16:07:09 PDT

Created attachment 371127 [details] Patch

Michael Catanzaro

Comment 6 2019-06-01 16:22:14 PDT

Tests?

EWS Watchlist

Comment 7 2019-06-01 17:53:26 PDT Comment hidden (spam)

Comment on attachment 371127 [details] Patch Attachment 371127 [details] did not pass mac-wk2-ews (mac-wk2): Output: https://webkit-queues.webkit.org/results/12352027 New failing tests: http/wpt/service-workers/service-worker-networkprocess-crash.html

EWS Watchlist

Comment 8 2019-06-01 17:53:28 PDT Comment hidden (spam)

Created attachment 371135 [details] Archive of layout-test-results from ews107 for mac-highsierra-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews107 Port: mac-highsierra-wk2 Platform: Mac OS X 10.13.6

Patrick Griffis

Comment 9 2019-11-13 03:13:16 PST

This is covered by tests from WPT, considering how simple this is would that be acceptable or should I import them over?

Michael Catanzaro

Comment 10 2019-11-13 06:55:41 PST

They should be imported under LayoutTests/imported/w3c/web-platform-tests.

Carlos Alberto Lopez Perez

Comment 11 2019-11-13 07:11:45 PST

BTW, don't import the test by manually copying them. Instead use the importer script that does the required rewrites of resources. Something like this should work: $ Tools/Scripts/import-w3c-tests -t web-platform-tests/cookies/samesite See also: https://trac.webkit.org/wiki/WebKitW3CTesting

Carlos Alberto Lopez Perez

Comment 12 2019-11-13 07:17:03 PST

I also find this easier for everybody doing the process of importing tests and implementing a feature in two steps (two different bugs): 1. First import the WPT tests in another bug and mark the new imported tests as failing on the TestExpectation. 2. Then land the bug with the implementation and remove the failures from the TestExpectation file that now pass and/or adjusting test expectation results. See for example r251163 and r251182

Patrick Griffis

Comment 13 2019-12-11 19:24:37 PST

Created attachment 385472 [details] Patch

Michael Catanzaro

Comment 14 2019-12-12 09:07:12 PST

Comment on attachment 385472 [details] Patch Nice.

WebKit Commit Bot

Comment 15 2019-12-12 09:51:36 PST

Comment on attachment 385472 [details] Patch Clearing flags on attachment: 385472 Committed r253431: <https://trac.webkit.org/changeset/253431>

WebKit Commit Bot

Comment 16 2019-12-12 09:51:38 PST

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.