NEW 145734
[GTK] setting document.cookie from same domain in private mode overwrites previous value set in another webview 
https://bugs.webkit.org/show_bug.cgi?id=145734
Summary [GTK] setting document.cookie from same domain in private mode overwrites pre...
Jérémy Lal
Reported 2015-06-07 02:09:14 PDT
Created attachment 254434 [details] test.cc and server.js to reproduce Hi, if i do this: ``` load blank page in private webview http://localhost:40001/one page change http://localhost:40001/one 0 page change http://localhost:40001/one 2 page change http://localhost:40001/one 3 set cookie by running script on page http://localhost:40001/one document.cookie = 'sid=firstcookie; Path=/'; loading blank page in another private webview http://localhost:40001/two page change http://localhost:40001/two 0 page change http://localhost:40001/two 2 page change http://localhost:40001/two 3 set cookie by running script on page http://localhost:40001/two document.cookie = 'sid=secondcookie; Path=/'; load actual page1 content with script that do a xhr GET request to /xhr (need a http server) page change http://localhost:40001/one 0 page change http://localhost:40001/one 2 page change http://localhost:40001/one 3 ``` then the HTTP server receives a request to http://localhost:40001/xhr with these headers: ``` { host: 'localhost:40001', referer: 'http://localhost:40001/one', 'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/601.1 (KHTML, like Gecko) Version/8.0 Safari/601.1', accept: '*/*', 'accept-encoding': 'gzip, deflate', 'accept-language': 'fr-fr', connection: 'Keep-Alive', cookie: 'sid=secondcookie' } ``` I expected cookie to be 'sid=firstcookie', especially in private mode. Am i wrong ? I attach actual code to reproduce with webkit2gtk 2.8 or 2.9 (and probably 2.6 too). The server part is a nodejs script but any other server is good.
Attachments
test.cc and server.js to reproduce (1.96 KB, application/octet-stream)
2015-06-07 02:09 PDT, Jérémy Lal 		no flags
Details
client test with a new context (3.56 KB, application/octet-stream)
2016-07-11 07:30 PDT, Jérémy Lal 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Michael Catanzaro
Comment 1 2015-06-07 05:23:04 PDT
> I expected cookie to be 'sid=firstcookie', especially in private mode. > Am i wrong ? I think cookies should never leak out of private mode. :(
Jérémy Lal
Comment 2 2015-10-27 03:13:40 PDT
Still happening with webkit2gtk up to 2.10.3
Michael Catanzaro
Comment 3 2015-10-27 09:37:58 PDT
Oh, you're using the enable-private-browsing setting... Carlos, is that setting supposed to be exposed? In Epiphany we implement private browsing by using a separate profile directory and deleting the directory when we're done. I'm rather concerned that we have this setting if it doesn't work reliably. I've seen private browsing-related bugs fixed in Mac-specific ways in the past, which I thought was fine because I didn't realize we exposed this mode.
Jérémy Lal
Comment 4 2015-10-27 09:41:40 PDT
I thought someone would come and tell me "you did not enable private browsing so it's not a bug" - so i enabled the option, but you'll get the same result without it.
Jérémy Lal
Comment 5 2016-07-11 07:30:08 PDT
Created attachment 283316 [details] client test with a new context There was a bug in the test itself (the second view was used to load the first page). However, fixing that bug without setting a new context on each view does not isolate cookies.
Jérémy Lal
Comment 6 2016-07-11 07:32:04 PDT
So i finally understood how to isolate cookies by setting a new context for each new view. So the only "bug" left is the fact "private mode" setting is misleading, and should be dropped and replaced by proper use of context (?).
Note You need to log in before you can comment on or make changes to this bug.