| Summary: | Restrict Referer to just the origin for third parties in private mode and third parties ITP blocks cookies for in regular mode | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | John Wilander <wilander> |
| Component: | WebKit Misc. | Assignee: | John Wilander <wilander> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | achristensen, aestes, bfulgham, commit-queue, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Description
John Wilander
2018-02-06 16:57:16 PST
Created attachment 333238 [details]
Patch
Comment on attachment 333238 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=333238&action=review

> Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:146
> + return request.partitionName(request.url().host()) != request.partitionName(request.firstPartyForCookies().host());

It's weird that partitionName() is a member function considering its implementation doesn't rely on any private information in ResourceRequestBase. Seems like isThirdPartyRequest() should be a member function of ResourceRequestBase since it relies entirely on internal state (m_url and m_firstPartyForCookies). I don't think you need to fix this right now, though.

(In reply to Andy Estes from comment #4)
> Comment on attachment 333238 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=333238&action=review
>
> > Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:146
> > + return request.partitionName(request.url().host()) != request.partitionName(request.firstPartyForCookies().host());
>
> It's weird that partitionName() is a member function considering its
> implementation doesn't rely on any private information in
> ResourceRequestBase. Seems like isThirdPartyRequest() should be a member
> function of ResourceRequestBase since it relies entirely on internal state
> (m_url and m_firstPartyForCookies). I don't think you need to fix this right
> now, though.

I totally agree about partitionName().

Moving isThirdPartyRequest() to ResourceRequestBase or a Cocoa-specific subclass makes this definition of 3rd-party a little risky. Some mean cross-origin whereas our definition is doesn't share partition, formally, doesn't share public suffix + 1. We should do something about this to make it convenient but I'll leave it as is for now.

Thanks for the review, Andy!
Comment on attachment 333238 [details]
Patch

Clearing flags on attachment: 333238

Committed r228239: <https://trac.webkit.org/changeset/228239>

All reviewed patches have been landed. Closing bug.
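The two meanings of "third party" contrasted in the thread (cross-origin versus not sharing public suffix + 1), and the Referer trimming named in the bug summary, sketched as an added example that is not WebKit's code. The small suffix set, the function names and the `privateMode` / `itpBlocksCookies` flags are assumptions made for illustration.

```javascript
// CONSTRUCTED subset of the Public Suffix List; a real check needs the full list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "uk", "co.uk"]);

// Registrable domain (public suffix + 1), e.g. "a.shop.co.uk" -> "shop.co.uk".
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    // The longest candidate suffix is tried first.
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix or IP literal
}

// "Cross-origin": scheme, host or port differs.
function isCrossOrigin(requestURL, firstPartyURL) {
  return new URL(requestURL).origin !== new URL(firstPartyURL).origin;
}

// "Third party" in the thread's sense: the hosts do not share public suffix + 1.
function isThirdParty(requestURL, firstPartyURL) {
  const reqHost = new URL(requestURL).hostname;
  const fpHost = new URL(firstPartyURL).hostname;
  const a = registrableDomain(reqHost);
  const b = registrableDomain(fpHost);
  // Assumption: with no registrable domain, fall back to exact host comparison.
  if (a === null || b === null) return reqHost !== fpHost;
  return a !== b;
}

// Referer value per the bug summary; both flags are hypothetical inputs.
// Assumption: the referring page is also the first party.
function refererFor(requestURL, pageURL, { privateMode = false, itpBlocksCookies = false } = {}) {
  const page = new URL(pageURL);
  if (isThirdParty(requestURL, pageURL) && (privateMode || itpBlocksCookies)) {
    return page.origin + "/"; // origin only: path and query are withheld
  }
  // Otherwise the full URL, minus fragment and credentials.
  page.hash = ""; page.username = ""; page.password = "";
  return page.href;
}
```

A subresource on `cdn.example.com` loaded from `www.example.com` is cross-origin but not third party under this definition, so a caller that assumes origin semantics gets a different answer than the partition-based check gives.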