Bug 145734 - [GTK] setting document.cookie from same domain in private mode overwrites previous value set in another webview
Summary: [GTK] setting document.cookie from same domain in private mode overwrites pre...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: 528+ (Nightly build)
Hardware: Unspecified Linux
Importance: P2 Normal
Assignee: Nobody
Reported: 2015-06-07 02:09 PDT by Jérémy Lal
Modified: 2017-03-11 10:55 PST

Attachments
test.cc and server.js to reproduce (1.96 KB, application/octet-stream)
2015-06-07 02:09 PDT, Jérémy Lal
client test with a new context (3.56 KB, application/octet-stream)
2016-07-11 07:30 PDT, Jérémy Lal

Description Jérémy Lal 2015-06-07 02:09:14 PDT
Created attachment 254434 [details]
test.cc and server.js to reproduce

Hi,

if I do this:

```
load blank page in private webview http://localhost:40001/one
page change http://localhost:40001/one 0 
page change http://localhost:40001/one 2 
page change http://localhost:40001/one 3 
set cookie by running script on page http://localhost:40001/one
document.cookie = 'sid=firstcookie; Path=/';
loading blank page in another private webview http://localhost:40001/two
page change http://localhost:40001/two 0 
page change http://localhost:40001/two 2 
page change http://localhost:40001/two 3 
set cookie by running script on page http://localhost:40001/two
document.cookie = 'sid=secondcookie; Path=/';
load actual page1 content with script that do a xhr GET request to /xhr (need a http server)
page change http://localhost:40001/one 0 
page change http://localhost:40001/one 2 
page change http://localhost:40001/one 3 
```

then the HTTP server receives a request to http://localhost:40001/xhr with these headers:

```
{ host: 'localhost:40001',
  referer: 'http://localhost:40001/one',
  'user-agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/601.1 (KHTML, like Gecko) Version/8.0 Safari/601.1',
  accept: '*/*',
  'accept-encoding': 'gzip, deflate',
  'accept-language': 'fr-fr',
  connection: 'Keep-Alive',
  cookie: 'sid=secondcookie' }
```

I expected the cookie to be 'sid=firstcookie', especially in private mode.
Am I wrong?

I attach actual code to reproduce with webkit2gtk 2.8 or 2.9 (and probably 2.6 too).
The server part is a nodejs script but any other server is good.
Comment 1 Michael Catanzaro 2015-06-07 05:23:04 PDT
> I expected the cookie to be 'sid=firstcookie', especially in private mode.
> Am I wrong?

I think cookies should never leak out of private mode. :(
Comment 2 Jérémy Lal 2015-10-27 03:13:40 PDT
Still happening with webkit2gtk up to 2.10.3.
Comment 3 Michael Catanzaro 2015-10-27 09:37:58 PDT
Oh, you're using the enable-private-browsing setting... Carlos, is that setting supposed to be exposed? In Epiphany we implement private browsing by using a separate profile directory and deleting the directory when we're done. I'm rather concerned that we have this setting if it doesn't work reliably.

I've seen private browsing-related bugs fixed in Mac-specific ways in the past, which I thought was fine because I didn't realize we exposed this mode.
Comment 4 Jérémy Lal 2015-10-27 09:41:40 PDT
I thought someone would come and tell me "you did not enable private browsing, so it's not a bug", so I enabled the option, but you'll get the same result without it.
Comment 5 Jérémy Lal 2016-07-11 07:30:08 PDT
Created attachment 283316 [details]
client test with a new context

There was a bug in the test itself (the second view was used to load the first page). However, fixing that bug without setting a new context on each view does not isolate cookies.
Comment 6 Jérémy Lal 2016-07-11 07:32:04 PDT
So I finally understood how to isolate cookies by setting a new context for each new view.
So the only "bug" left is the fact that the "private mode" setting is misleading, and should be dropped and replaced by proper use of contexts (?).