Trackers abuse link query parameters to transport user identifiers cross-site. We should flag such navigations and apply further restrictions to client-side cookies on the destination page.
<rdar://problem/48006419>
Created attachment 363290 [details] Patch
Comment on attachment 363290 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=363290&action=review

The debug failures exist without this patch, so are unrelated.

r=me

> Source/WebCore/platform/network/NetworkStorageSession.h:183
> + Optional<Seconds> clientSideCookieCap(const RegistrableDomain& firstParty, Optional<uint64_t> pageID) const;

Optional<PageID>?
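Review bot: The declaration at NetworkStorageSession.h:183 does not document what an empty return value or an empty pageID means. A one-line comment stating whether an empty result means no cap applies, and how the lookup behaves when no pageID is supplied, would save callers from reading the implementation.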
Comment on attachment 363290 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=363290&action=review

> Source/WebCore/platform/network/NetworkStorageSession.cpp:103
> + m_ageCapForClientSideCookiesShort = seconds ? Seconds { seconds->seconds() / 7. } : seconds;

Do we really need this ternary? 0/7. is 0.
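Review bot: In the assignment at NetworkStorageSession.cpp:103 the else branch `: seconds` is only taken when `seconds` is empty, which is easy to misread as a guard against dividing zero; writing the empty value explicitly in that branch would make the intent obvious. The divisor `7.` is also a bare literal, so a named constant or a comment relating the short cap to the regular cap would help.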
(In reply to Brent Fulgham from comment #3)
> Comment on attachment 363290 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=363290&action=review
>
> The debug failures exist without this patch, so are unrelated.
>
> r=me

Thanks!

> > Source/WebCore/platform/network/NetworkStorageSession.h:183
> > + Optional<Seconds> clientSideCookieCap(const RegistrableDomain& firstParty, Optional<uint64_t> pageID) const;
>
> Optional<PageID>?

There is no existing typedef or using for PageID in this header and I'd rather not add it for this one instance. Better to fix them all in a separate patch.
(In reply to Chris Dumez from comment #4)
> Comment on attachment 363290 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=363290&action=review
>
> > Source/WebCore/platform/network/NetworkStorageSession.cpp:103
> > + m_ageCapForClientSideCookiesShort = seconds ? Seconds { seconds->seconds() / 7. } : seconds;
>
> Do we really need this ternary? 0/7. is 0.

seconds is optional, that's why. If it's nullopt I want to set it to just nullopt.
Created attachment 363367 [details] Patch for landing
Comment on attachment 363367 [details]
Patch for landing

Clearing flags on attachment: 363367

Committed r242288: <https://trac.webkit.org/changeset/242288>
All reviewed patches have been landed. Closing bug.