RESOLVED FIXED 182559
Restrict Referer to just the origin for third parties in private mode and third parties ITP blocks cookies for in regular mode 
https://bugs.webkit.org/show_bug.cgi?id=182559
Summary Restrict Referer to just the origin for third parties in private mode and thi...
John Wilander
Reported 2018-02-06 16:57:16 PST
We should restrict the Referer header to just the origin for: 1. All third party requests in private mode. 2. Third party requests to domains that ITP blocks cookies for.
Attachments
Patch (30.68 KB, patch)
2018-02-06 17:26 PST, John Wilander 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
John Wilander
Comment 1 2018-02-06 16:57:41 PST
<rdar://problem/36990337>
Radar WebKit Bug Importer
Comment 2 2018-02-06 16:58:12 PST
<rdar://problem/37295032>
John Wilander
Comment 3 2018-02-06 17:26:41 PST
Created attachment 333238 [details] Patch
Andy Estes
Comment 4 2018-02-07 11:55:08 PST
Comment on attachment 333238 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=333238&action=review > Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:146 > + return request.partitionName(request.url().host()) != request.partitionName(request.firstPartyForCookies().host()); It's weird that partitionName() is a member function considering its implementation doesn't rely on any private information in ResourceRequestBase. Seems like isThirdPartyRequest() should be a member function of ResourceRequestBase since it relies entirely on internal state (m_url and m_firstPartyForCookies). I don't think you need to fix this right now, though.
John Wilander
Comment 5 2018-02-07 11:57:51 PST
(In reply to Andy Estes from comment #4) > Comment on attachment 333238 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=333238&action=review > > > Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:146 > > + return request.partitionName(request.url().host()) != request.partitionName(request.firstPartyForCookies().host()); > > It's weird that partitionName() is a member function considering its > implementation doesn't rely on any private information in > ResourceRequestBase. Seems like isThirdPartyRequest() should be a member > function of ResourceRequestBase since it relies entirely on internal state > (m_url and m_firstPartyForCookies). I don't think you need to fix this right > now, though. I totally agree about partitionName(). Moving isThirdPartyRequest() to ResourceRequestBase or a Cocoa-specific subclass makes this definition of 3rd-party a little risky. Some mean cross-origin whereas our definition is doesn't share partition, formally, doesn't share public suffix + 1. We should do something about this to make it convenient but I'll leave it as is for now. Thanks for the review, Andy!
WebKit Commit Bot
Comment 6 2018-02-07 12:09:57 PST
Comment on attachment 333238 [details] Patch Clearing flags on attachment: 333238 Committed r228239: <https://trac.webkit.org/changeset/228239>
WebKit Commit Bot
Comment 7 2018-02-07 12:09:58 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.