RESOLVED FIXED 195196
Resource Load Statistics: Further restrict client-side cookie persistence after cross-site navigations with link decoration
https://bugs.webkit.org/show_bug.cgi?id=195196
John Wilander
Reported 2019-02-28 19:13:12 PST
Trackers abuse link query parameters to transport user identifiers cross-site. We should flag such navigations and apply further restrictions to client-side cookies on the destination page.
Attachments
Patch (59.91 KB, patch)
2019-02-28 19:29 PST, John Wilander
no flags
Patch for landing (59.91 KB, patch)
2019-03-01 13:33 PST, John Wilander
no flags
John Wilander
Comment 1 2019-02-28 19:13:27 PST
John Wilander
Comment 2 2019-02-28 19:29:13 PST
Brent Fulgham
Comment 3 2019-03-01 10:43:13 PST
Comment on attachment 363290 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=363290&action=review

The debug failures exist without this patch, so are unrelated.

r=me

> Source/WebCore/platform/network/NetworkStorageSession.h:183
> + Optional<Seconds> clientSideCookieCap(const RegistrableDomain& firstParty, Optional<uint64_t> pageID) const;

Optional<PageID>?
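Review bot: the quoted declaration of clientSideCookieCap at NetworkStorageSession.h:183 takes an Optional pageID and returns an Optional<Seconds>, and the line carries no comment on what either empty state means. A one-line comment above the declaration saying which cap applies when pageID is absent, and what an empty return value tells the caller, would settle both.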
Chris Dumez
Comment 4 2019-03-01 10:46:57 PST
Comment on attachment 363290 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=363290&action=review

> Source/WebCore/platform/network/NetworkStorageSession.cpp:103
> + m_ageCapForClientSideCookiesShort = seconds ? Seconds { seconds->seconds() / 7. } : seconds;

Do we really need this ternary? 0/7. is 0.
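Review bot: the divisor in Seconds { seconds->seconds() / 7. } at NetworkStorageSession.cpp:103 is an unexplained literal, so the relation between the short cap and the value passed in is left to the reader. A named constant, or a short comment next to the assignment to m_ageCapForClientSideCookiesShort stating the intended ratio, would make it explicit.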
John Wilander
Comment 5 2019-03-01 13:30:03 PST
(In reply to Brent Fulgham from comment #3)
> Comment on attachment 363290 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=363290&action=review
>
> The debug failures exist without this patch, so are unrelated.
>
> r=me

Thanks!

> > Source/WebCore/platform/network/NetworkStorageSession.h:183
> > + Optional<Seconds> clientSideCookieCap(const RegistrableDomain& firstParty, Optional<uint64_t> pageID) const;
>
> Optional<PageID>?

There is no existing typedef or using for PageID in this header and I'd rather not add it for this one instance. Better to fix them all in a separate patch.
John Wilander
Comment 6 2019-03-01 13:30:57 PST
(In reply to Chris Dumez from comment #4)
> Comment on attachment 363290 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=363290&action=review
>
> > Source/WebCore/platform/network/NetworkStorageSession.cpp:103
> > + m_ageCapForClientSideCookiesShort = seconds ? Seconds { seconds->seconds() / 7. } : seconds;
>
> Do we really need this ternary? 0/7. is 0.

seconds is optional, that's why. If it's nullopt I want to set it to just nullopt.
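The optional handling discussed in comments 4 and 6, as an added example that is not taken from the patch or from WebKit: a small model showing that an unset cap, a zero cap and a positive cap are three distinct states, and how a per-page flag selects the short cap. CookieCapModel, setAgeCap and flagLinkDecoratedNavigation are hypothetical names, std::optional<double> and std::string stand in for Optional<Seconds> and RegistrableDomain, and the cap values used with it are constructed.

```cpp
#include <cstdint>
#include <optional>
#include <string>
#include <unordered_map>

// Hypothetical model, not WebKit code. Only the name clientSideCookieCap and
// the "/ 7." derivation come from the lines quoted in the review.
class CookieCapModel {
public:
    // nullopt means "no cap configured" and must stay nullopt for both caps.
    void setAgeCap(std::optional<double> seconds)
    {
        m_cap = seconds;
        // Divide only when a value is present. Reading the value of an empty
        // optional is invalid, which is why 0 / 7. == 0 does not make the
        // ternary redundant.
        m_capShort = seconds ? std::optional<double> { *seconds / 7. } : seconds;
    }

    // Assumed bookkeeping: this page was reached through a cross-site
    // navigation with link decoration and landed on firstParty.
    void flagLinkDecoratedNavigation(uint64_t pageID, const std::string& firstParty)
    {
        m_flagged[pageID] = firstParty;
    }

    std::optional<double> clientSideCookieCap(const std::string& firstParty, std::optional<uint64_t> pageID) const
    {
        if (!m_cap)
            return std::nullopt; // capping is switched off
        if (pageID) {
            auto it = m_flagged.find(*pageID);
            if (it != m_flagged.end() && it->second == firstParty)
                return m_capShort; // stricter cap on the flagged destination
        }
        return m_cap; // regular cap everywhere else
    }

private:
    std::optional<double> m_cap;
    std::optional<double> m_capShort;
    std::unordered_map<uint64_t, std::string> m_flagged;
};
```
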
John Wilander
Comment 7 2019-03-01 13:33:02 PST
Created attachment 363367 [details] Patch for landing
WebKit Commit Bot
Comment 8 2019-03-01 14:11:39 PST
Comment on attachment 363367 [details]
Patch for landing

Clearing flags on attachment: 363367

Committed r242288: <https://trac.webkit.org/changeset/242288>
WebKit Commit Bot
Comment 9 2019-03-01 14:11:41 PST
All reviewed patches have been landed. Closing bug.