Bug 175848
| Summary: | [Curl] Update cookie jar implementation to filter out secure cookies | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Brent Fulgham <bfulgham> |
| Component: | WebKit Misc. | Assignee: | Christopher Reid <chris.reid> |
| Status: | NEW | ||
| Severity: | Normal | CC: | achristensen, bfulgham, don.olmstead, Hironori.Fujii, mcatanzaro |
| Priority: | P2 | ||
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Bug Depends on: | 157053, 175846 | ||
| Bug Blocks: | |||
Brent Fulgham
The changeset r221017 filters helps ensure proper HTTPS behavior for mixed content by blocking secure cookie access for sites that accessed insecure content, and for blocking insecure content loads after a secure cookie is read.
The cURL backend currently has a stub that only serves to let it build. It does not provide the security benefit of the change.
The following updates are needed in CookieJarCurl:
1. cookiesForSession needs to be updated to:
(a) accept an IncludeSecureCookies flag.
(b) Return a std::pair containing the cookie string, and a boolean that indicates if secure cookies were read (didAccessSecureCookies, below).
2. addMatchingCurlCookie needs to be updated to:
(a) accept an IncludeSecureCookies flag.
(b) accept a boolean reference (e.g., didAccessSecureCookies) that can be set to true if the read process encountered a secure cookie.
(c) At Line 121, where you read the 'strSecure' flag:
(I) If 'strSecure' matches TRUE:
(i) If 'IncludeSecureCookies' flag is set to NO, return. didAccessSecureCookies should be set to false.
(ii) Otherwise, set didAccessSecureCookies to true and continue.
(II) Otherwise, continue.
I think that should do it.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Michael Catanzaro
*** Bug 175849 has been marked as a duplicate of this bug. ***