Bug 195196

Summary: Resource Load Statistics: Further restrict client-side cookie persistence after cross-site navigations with link decoration
Product: WebKit
Component: WebKit Misc.
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Reporter: John Wilander <wilander>
Assignee: John Wilander <wilander>
CC: achristensen, bfulgham, cdumez, commit-queue
Keywords: InRadar
Attachments (description, flags):
  Patch: none
  Patch for landing: none

Description John Wilander 2019-02-28 19:13:12 PST
Trackers abuse link query parameters to transport user identifiers cross-site. We should flag such navigations and apply further restrictions to client-side cookies on the destination page.
Comment 1 John Wilander 2019-02-28 19:13:27 PST
<rdar://problem/48006419>
Comment 2 John Wilander 2019-02-28 19:29:13 PST
Created attachment 363290 [details]
Patch
Comment 3 Brent Fulgham 2019-03-01 10:43:13 PST
Comment on attachment 363290 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=363290&action=review

The debug failures exist without this patch, so are unrelated.

r=me

> Source/WebCore/platform/network/NetworkStorageSession.h:183
> +    Optional<Seconds> clientSideCookieCap(const RegistrableDomain& firstParty, Optional<uint64_t> pageID) const;
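
Review bot: the declaration of clientSideCookieCap() does not say what an empty Optional means, either for the pageID argument or for the return value. A short comment above the declaration stating what a nullopt return means and how a nullopt pageID is handled would let callers use it without reading the .cpp file.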

Optional<PageID>?
Comment 4 Chris Dumez 2019-03-01 10:46:57 PST
Comment on attachment 363290 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=363290&action=review

> Source/WebCore/platform/network/NetworkStorageSession.cpp:103
> +    m_ageCapForClientSideCookiesShort = seconds ? Seconds { seconds->seconds() / 7. } : seconds;
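
Review bot: the divisor 7. in the assignment to m_ageCapForClientSideCookiesShort is a magic number, and it ties the short cap to whatever value is passed in as seconds. Consider a named constant for the ratio, or a comment stating the intended short cap, so the relationship stays visible if the long cap is changed later.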

Do we really need this ternary? 0/7. is 0.
Comment 5 John Wilander 2019-03-01 13:30:03 PST
(In reply to Brent Fulgham from comment #3)
> Comment on attachment 363290 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=363290&action=review
> 
> The debug failures exist without this patch, so are unrelated.
> 
> r=me

Thanks!

> > Source/WebCore/platform/network/NetworkStorageSession.h:183
> > +    Optional<Seconds> clientSideCookieCap(const RegistrableDomain& firstParty, Optional<uint64_t> pageID) const;
> 
> Optional<PageID>?

There is no existing typedef or using for PageID in this header and I'd rather not add it for this one instance. Better to fix them all in a separate patch.
Comment 6 John Wilander 2019-03-01 13:30:57 PST
(In reply to Chris Dumez from comment #4)
> Comment on attachment 363290 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=363290&action=review
> 
> > Source/WebCore/platform/network/NetworkStorageSession.cpp:103
> > +    m_ageCapForClientSideCookiesShort = seconds ? Seconds { seconds->seconds() / 7. } : seconds;
> 
> Do we really need this ternary? 0/7. is 0.

seconds is optional, that's why. If it's nullopt I want to set it to just nullopt.
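
The capping behaviour discussed in this bug, as an added C++ sketch that is not WebKit code and not part of the patch: a page is flagged after a cross-site navigation with link decoration, and the short cap stays nullopt whenever the long cap is nullopt. Assumptions: `std::optional` and a plain `double` stand in for WebKit's `Optional` and `Seconds`, domains are plain strings, "link decoration" is taken to mean a URL containing `?` or `#`, and `CookieCapModel`, `didNavigate`, `clampLifetime` and the 7-day input are constructed for illustration.

```cpp
// Added illustration: a simplified model, not WebKit source.
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <map>
#include <optional>
#include <string>

using Seconds = double; // stand-in for WebKit's Seconds type

// Assumption: "link decoration" means the URL contains a '?' or '#'.
bool hasLinkDecoration(const std::string& url) { return url.find_first_of("?#") != std::string::npos; }

class CookieCapModel {
public:
    // nullopt = capping disabled. The ternary keeps the short cap nullopt as
    // well, instead of dereferencing an empty optional.
    void setAgeCap(std::optional<Seconds> seconds)
    {
        m_long = seconds;
        m_short = seconds ? std::optional<Seconds> { *seconds / 7. } : seconds;
    }
    // Flag the destination page after a cross-site navigation with decoration.
    void didNavigate(uint64_t pageID, const std::string& from, const std::string& to, const std::string& url)
    {
        if (from != to && hasLinkDecoration(url))
            m_flagged[pageID] = to;
    }
    std::optional<Seconds> clientSideCookieCap(const std::string& firstParty, std::optional<uint64_t> pageID) const
    {
        auto it = pageID ? m_flagged.find(*pageID) : m_flagged.end();
        return it != m_flagged.end() && it->second == firstParty ? m_short : m_long;
    }
private:
    std::optional<Seconds> m_long, m_short;
    std::map<uint64_t, std::string> m_flagged; // pageID -> flagged first party
};

// Lifetime a script-set cookie actually gets under the cap (no cap: unchanged).
Seconds clampLifetime(Seconds requested, std::optional<Seconds> cap) { return cap ? std::min(requested, *cap) : requested; }

int main()
{
    CookieCapModel m;
    m.setAgeCap(7 * 86400.); // constructed input: 7-day long cap
    m.didNavigate(1, "social.example", "shop.example", "https://shop.example/item?clickid=abc123");
    std::cout << clampLifetime(30 * 86400., m.clientSideCookieCap("shop.example", 1)) << "\n";
}
```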
Comment 7 John Wilander 2019-03-01 13:33:02 PST
Created attachment 363367 [details]
Patch for landing
Comment 8 WebKit Commit Bot 2019-03-01 14:11:39 PST
Comment on attachment 363367 [details]
Patch for landing

Clearing flags on attachment: 363367

Committed r242288: <https://trac.webkit.org/changeset/242288>
Comment 9 WebKit Commit Bot 2019-03-01 14:11:41 PST
All reviewed patches have been landed.  Closing bug.