Bug 182559

Summary: Restrict Referer to just the origin for third parties in private mode and third parties ITP blocks cookies for in regular mode
Product: WebKit
Component: WebKit Misc.
Reporter: John Wilander <wilander>
Assignee: John Wilander <wilander>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Keywords: InRadar
CC: achristensen, aestes, bfulgham, commit-queue, webkit-bug-importer
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Description John Wilander 2018-02-06 16:57:16 PST
We should restrict the Referer header to just the origin for:
1. All third party requests in private mode.
2. Third party requests to domains that ITP blocks cookies for.
Comment 1 John Wilander 2018-02-06 16:57:41 PST
<rdar://problem/36990337>
Comment 2 Radar WebKit Bug Importer 2018-02-06 16:58:12 PST
<rdar://problem/37295032>
Comment 3 John Wilander 2018-02-06 17:26:41 PST
Created attachment 333238 [details]
Patch
Comment 4 Andy Estes 2018-02-07 11:55:08 PST
Comment on attachment 333238 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=333238&action=review

> Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:146
> +    return request.partitionName(request.url().host()) != request.partitionName(request.firstPartyForCookies().host());
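Review bot: the comparison is done on host() alone, so please confirm what this returns when firstPartyForCookies() is empty: host() then yields an empty string, its partition name will compare unequal to any real host, and the request would be classified as third-party. If an empty first party can reach this path, an explicit early return before the comparison would make the intended result obvious to the next reader.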

It's weird that partitionName() is a member function considering its implementation doesn't rely on any private information in ResourceRequestBase. Seems like isThirdPartyRequest() should be a member function of ResourceRequestBase since it relies entirely on internal state (m_url and m_firstPartyForCookies). I don't think you need to fix this right now, though.
Comment 5 John Wilander 2018-02-07 11:57:51 PST
(In reply to Andy Estes from comment #4)
> Comment on attachment 333238 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=333238&action=review
> 
> > Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:146
> > +    return request.partitionName(request.url().host()) != request.partitionName(request.firstPartyForCookies().host());
> 
> It's weird that partitionName() is a member function considering its
> implementation doesn't rely on any private information in
> ResourceRequestBase. Seems like isThirdPartyRequest() should be a member
> function of ResourceRequestBase since it relies entirely on internal state
> (m_url and m_firstPartyForCookies). I don't think you need to fix this right
> now, though.

I totally agree about partitionName().

Moving isThirdPartyRequest() to ResourceRequestBase or a Cocoa-specific subclass makes this definition of 3rd-party a little risky. Some mean cross-origin whereas our definition is "doesn't share partition", formally, "doesn't share public suffix + 1". We should do something about this to make it convenient but I'll leave it as is for now.

Thanks for the review, Andy!
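To make the distinction in comment 5 concrete, here is an added illustration (not code from the patch or from WebKit) contrasting a cross-origin check with the partition-based "public suffix + 1" check, and applying the bug's Referer policy on top of it. The public suffix set is a constructed, tiny stand-in for the real Public Suffix List, and `itp_blocks_cookies` is a hypothetical flag standing in for ITP's per-domain decision.

```python
from urllib.parse import urlsplit

# Constructed, tiny stand-in for the Public Suffix List (the real list is far larger).
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}


def registrable_domain(host: str) -> str:
    """Return the 'public suffix + 1' partition for a host, or the host itself if no suffix matches."""
    labels = host.lower().rstrip(".").split(".")
    # Candidates are tried longest-first, so "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return host if i == 0 else ".".join(labels[i - 1:])
    return host


def origin(url: str) -> str:
    """scheme://host[:port], i.e. the same-origin tuple without the path."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def is_cross_origin(request_url: str, first_party_url: str) -> bool:
    """Origin comparison: differs for cdn.example.com vs www.example.com."""
    return origin(request_url) != origin(first_party_url)


def is_third_party_request(request_url: str, first_party_url: str) -> bool:
    """Partition comparison as in the patch: true only when the registrable domains differ."""
    request_host = urlsplit(request_url).hostname or ""
    first_party_host = urlsplit(first_party_url).hostname or ""
    return registrable_domain(request_host) != registrable_domain(first_party_host)


def effective_referer(referer: str, request_url: str, first_party_url: str,
                      private_mode: bool = False, itp_blocks_cookies: bool = False) -> str:
    """Apply the bug's policy: for third-party requests in private mode, or to domains
    where ITP blocks cookies (hypothetical flag), send only the origin form 'scheme://host/'."""
    if is_third_party_request(request_url, first_party_url) and (private_mode or itp_blocks_cookies):
        return origin(referer) + "/"
    return referer


if __name__ == "__main__":
    page = "https://www.example.com/account/settings?user=42"
    print(is_cross_origin("https://cdn.example.com/app.js", page))        # True: different origin
    print(is_third_party_request("https://cdn.example.com/app.js", page))  # False: same partition
    print(effective_referer(page, "https://tracker.com/pixel.gif", page, private_mode=True))
```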
Comment 6 WebKit Commit Bot 2018-02-07 12:09:57 PST
Comment on attachment 333238 [details]
Patch

Clearing flags on attachment: 333238

Committed r228239: <https://trac.webkit.org/changeset/228239>
Comment 7 WebKit Commit Bot 2018-02-07 12:09:58 PST
All reviewed patches have been landed. Closing bug.