Summary: | Web Inspector: Storage: can see third-party cookies | |
---|---|---|---
Product: | WebKit | Reporter: | Devin Rousso <hi>
Component: | Web Inspector | Assignee: | Devin Rousso <hi>
Status: | RESOLVED FIXED | |
Severity: | Normal | CC: | bfulgham, cdumez, darin, eric.carlson, hi, inspector-bugzilla-changes, jer.noble, mjs, product-security, webkit-bug-importer, wilander
Priority: | P1 | Keywords: | InRadar
Version: | WebKit Nightly Build | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Description
Devin Rousso
2020-04-27 14:41:19 PDT
Created attachment 397741 [details]
Patch
No test?

(In reply to Darin Adler from comment #3)
> No test?

I'm working on that now :)

Whether media elements get cookies in a third party context is probably tricky to test but definitely not impossible to test, and we certainly want to avoid similar bugs in the future.

Comment on attachment 397741 [details]
Patch

r- for lack of test for now

(In reply to Maciej Stachowiak from comment #5)
> Whether media elements get cookies in a third party context is probably
> tricky to test but definitely not impossible to test, and we certainly want
> to avoid similar bugs in the future.

I added Jer & Eric for advice. If I remember correctly, this is used by AirPlay on macOS only (and Web Inspector but I guess we are more concerned about the media case).

Comment on attachment 397741 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=397741&action=review

> Source/WebKit/ChangeLog:9
> + The early return if the given `WebFrame` is the main frame means that if a third-party

s/is the main frame/in the main frame/

(In reply to Chris Dumez from comment #7)
>
> I added Jer & Eric for advice. If I remember correctly, this is used by
> AirPlay on macOS only (and Web Inspector but I guess we are more concerned
> about the media case).

getRawCookies is used for media on iOS only, see MediaPlayerPrivateAVFoundationObjC::createAVAssetForURL. MediaPlayerPrivateAVFoundationObjC ultimately gets the cookies from HTMLMediaElement::mediaPlayerGetRawCookies, so you could add something to Internals similar to what we did for response sources in Internals::mediaResponseSources.

Created attachment 397755 [details]
Patch
Comment on attachment 397755 [details]
Patch
r=me
Committed r260807: <https://trac.webkit.org/changeset/260807>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 397755 [details].