Bug 182559 - Restrict Referer to just the origin for third parties in private mode and third parties ITP blocks cookies for in regular mode
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: John Wilander
Keywords: InRadar
Reported: 2018-02-06 16:57 PST by John Wilander
Modified: 2018-02-07 12:09 PST

Attachments
Patch (30.68 KB, patch)
2018-02-06 17:26 PST, John Wilander

Description John Wilander 2018-02-06 16:57:16 PST
We should restrict the Referer header to just the origin for:
1. All third party requests in private mode.
2. Third party requests to domains that ITP blocks cookies for.
Comment 1 John Wilander 2018-02-06 16:57:41 PST
<rdar://problem/36990337>
Comment 2 Radar WebKit Bug Importer 2018-02-06 16:58:12 PST
<rdar://problem/37295032>
Comment 3 John Wilander 2018-02-06 17:26:41 PST
Created attachment 333238 [details]
Patch
Comment 4 Andy Estes 2018-02-07 11:55:08 PST
Comment on attachment 333238 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=333238&action=review

> Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:146
> +    return request.partitionName(request.url().host()) != request.partitionName(request.firstPartyForCookies().host());
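
Review bot: on this return line, "third party" is decided by comparing the partition names of the request host and the firstPartyForCookies() host, not their origins, and the name isThirdPartyRequest() does not convey that; a short comment above the return stating that a request is third party when the two partition names differ would keep readers from assuming a cross-origin check. The line also has no separate handling for an empty url() or firstPartyForCookies() host, so the comment should say which result is intended in that case.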

It's weird that partitionName() is a member function considering its implementation doesn't rely on any private information in ResourceRequestBase. Seems like isThirdPartyRequest() should be a member function of ResourceRequestBase since it relies entirely on internal state (m_url and m_firstPartyForCookies). I don't think you need to fix this right now, though.
Comment 5 John Wilander 2018-02-07 11:57:51 PST
(In reply to Andy Estes from comment #4)
> Comment on attachment 333238 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=333238&action=review
> 
> > Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:146
> > +    return request.partitionName(request.url().host()) != request.partitionName(request.firstPartyForCookies().host());
> 
> It's weird that partitionName() is a member function considering its
> implementation doesn't rely on any private information in
> ResourceRequestBase. Seems like isThirdPartyRequest() should be a member
> function of ResourceRequestBase since it relies entirely on internal state
> (m_url and m_firstPartyForCookies). I don't think you need to fix this right
> now, though.

I totally agree about partitionName().

Moving isThirdPartyRequest() to ResourceRequestBase or a Cocoa-specific subclass makes this definition of 3rd-party a little risky. Some mean cross-origin, whereas our definition is "doesn't share partition" or, formally, "doesn't share public suffix + 1". We should do something about this to make it convenient, but I'll leave it as is for now.

Thanks for the review, Andy!
Comment 6 WebKit Commit Bot 2018-02-07 12:09:57 PST
Comment on attachment 333238 [details]
Patch

Clearing flags on attachment: 333238

Committed r228239: <https://trac.webkit.org/changeset/228239>
Comment 7 WebKit Commit Bot 2018-02-07 12:09:58 PST
All reviewed patches have been landed.  Closing bug.
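
The two rules in the description, combined with the "public suffix + 1" definition of third party from comment 5, as an added example that is not WebKit's code or part of the patch. All function names are hypothetical, the suffix set is a constructed stand-in for the public suffix list, and the ITP decision is assumed to arrive as a boolean.

```cpp
#include <iostream>
#include <set>
#include <string>

// Constructed stand-in for the public suffix list (assumption for this example).
static const std::set<std::string> kSuffixes = {"com", "org", "co.uk"};

// "https://a.example.com:8443/p?q" -> "https://a.example.com:8443"
std::string originOf(const std::string& url) {
    auto start = url.find("://");
    if (start == std::string::npos) return "";
    return url.substr(0, url.find_first_of("/?#", start + 3));
}

// Host only; userinfo and IPv6 literals are out of scope for this sketch.
std::string hostOf(const std::string& url) {
    std::string origin = originOf(url);
    if (origin.empty()) return "";
    std::string host = origin.substr(origin.find("://") + 3);
    return host.substr(0, host.find(':'));
}

// Public suffix + 1 label: "cdn.shop.co.uk" -> "shop.co.uk".
std::string partitionOf(const std::string& host) {
    std::string rest = host, prev = host;
    while (!kSuffixes.count(rest)) {
        auto dot = rest.find('.');
        if (dot == std::string::npos) return host;  // no known suffix
        prev = rest;
        rest = rest.substr(dot + 1);
    }
    return prev;
}

// Third party = different partition; a cross-origin subdomain is still first party.
bool isThirdParty(const std::string& requestURL, const std::string& firstPartyURL) {
    return partitionOf(hostOf(requestURL)) != partitionOf(hostOf(firstPartyURL));
}

// Referer to send: origin only for third parties in private mode or when cookies are blocked.
std::string refererFor(const std::string& referrer, const std::string& requestURL,
        const std::string& firstPartyURL, bool privateMode, bool cookiesBlocked) {
    if ((privateMode || cookiesBlocked) && isThirdParty(requestURL, firstPartyURL))
        return originOf(referrer) + "/";
    return referrer;
}

int main() {
    std::cout << refererFor("https://a.example.com/x?y", "https://tracker.org/p", "https://a.example.com/", true, false) << "\n";
}
```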