Bug 195196 - Resource Load Statistics: Further restrict client-side cookie persistence after cross-site navigations with link decoration
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: John Wilander
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-02-28 19:13 PST by John Wilander
Modified: 2019-03-01 14:11 PST

See Also:


Attachments
Patch (59.91 KB, patch)
2019-02-28 19:29 PST, John Wilander
Patch for landing (59.91 KB, patch)
2019-03-01 13:33 PST, John Wilander

Description John Wilander 2019-02-28 19:13:12 PST
Trackers abuse link query parameters to transport user identifiers cross-site. We should flag such navigations and apply further restrictions to client-side cookies on the destination page.
Comment 1 John Wilander 2019-02-28 19:13:27 PST
<rdar://problem/48006419>
Comment 2 John Wilander 2019-02-28 19:29:13 PST
Created attachment 363290
Patch
Comment 3 Brent Fulgham 2019-03-01 10:43:13 PST
Comment on attachment 363290
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=363290&action=review

The debug failures exist without this patch, so are unrelated.

r=me

> Source/WebCore/platform/network/NetworkStorageSession.h:183
> +    Optional<Seconds> clientSideCookieCap(const RegistrableDomain& firstParty, Optional<uint64_t> pageID) const;
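
Review bot: the declaration of `clientSideCookieCap` does not say what a missing value means on either side. It takes `Optional<uint64_t> pageID` and returns `Optional<Seconds>`, so a one-line comment stating which cap applies when `pageID` is empty, and what an empty return tells the caller, would save readers from having to open the .cpp file.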

Optional<PageID>?
Comment 4 Chris Dumez 2019-03-01 10:46:57 PST
Comment on attachment 363290
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=363290&action=review

> Source/WebCore/platform/network/NetworkStorageSession.cpp:103
> +    m_ageCapForClientSideCookiesShort = seconds ? Seconds { seconds->seconds() / 7. } : seconds;
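
Review bot: the divisor in `seconds->seconds() / 7.` is a bare literal, so the relationship between the short cap and the configured cap is only implied; a named constant or a short comment would state it. The false branch of the ternary returns `seconds`, which is empty on that path, and writing the empty value explicitly there would make the intent readable without working through the condition.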

Do we really need this ternary? 0/7. is 0.
Comment 5 John Wilander 2019-03-01 13:30:03 PST
(In reply to Brent Fulgham from comment #3)
> Comment on attachment 363290
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=363290&action=review
> 
> The debug failures exist without this patch, so are unrelated.
> 
> r=me

Thanks!

> > Source/WebCore/platform/network/NetworkStorageSession.h:183
> > +    Optional<Seconds> clientSideCookieCap(const RegistrableDomain& firstParty, Optional<uint64_t> pageID) const;
> 
> Optional<PageID>?

There is no existing typedef or using for PageID in this header and I'd rather not add it for this one instance. Better to fix them all in a separate patch.
Comment 6 John Wilander 2019-03-01 13:30:57 PST
(In reply to Chris Dumez from comment #4)
> Comment on attachment 363290
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=363290&action=review
> 
> > Source/WebCore/platform/network/NetworkStorageSession.cpp:103
> > +    m_ageCapForClientSideCookiesShort = seconds ? Seconds { seconds->seconds() / 7. } : seconds;
> 
> Do we really need this ternary? 0/7. is 0.

seconds is optional, that's why. If it's nullopt I want to set it to just nullopt.
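
The optional handling discussed in this exchange, as an added example that is not part of the thread and not WebKit's code: a small model in which the short cap is one seventh of the configured cap and an unset cap stays unset. `CookieCapModel`, `flagNavigation`, `grantedLifetime`, the per-page bookkeeping and the use of `std::optional<double>` in place of `Optional<Seconds>` are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <optional>
#include <string>

// Hypothetical model, not WebKit code. Caps are in seconds; nullopt means "no cap configured".
struct CookieCapModel {
    std::optional<double> longCap;
    std::optional<double> shortCap;
    // Assumed bookkeeping: pageID -> first-party domain reached by a flagged navigation.
    std::map<uint64_t, std::string> flaggedPages;

    // Mirrors the quoted line. The condition tests whether the optional holds a value,
    // not whether the number is non-zero: an engaged 0 stays an engaged 0, and nullopt
    // stays nullopt instead of being dereferenced by an unconditional division.
    void setAgeCap(std::optional<double> seconds)
    {
        longCap = seconds;
        shortCap = seconds ? std::optional<double> { *seconds / 7. } : seconds;
    }

    void flagNavigation(uint64_t pageID, const std::string& firstParty)
    {
        flaggedPages[pageID] = firstParty;
    }

    // Short cap only for the flagged page on the flagged first party; otherwise the long cap.
    std::optional<double> clientSideCookieCap(const std::string& firstParty, std::optional<uint64_t> pageID) const
    {
        if (!longCap || !pageID)
            return longCap;
        auto it = flaggedPages.find(*pageID);
        if (it != flaggedPages.end() && it->second == firstParty)
            return shortCap;
        return longCap;
    }

    // Lifetime granted to a script-set cookie that asked for `requested` seconds.
    double grantedLifetime(double requested, const std::string& firstParty, std::optional<uint64_t> pageID) const
    {
        auto cap = clientSideCookieCap(firstParty, pageID);
        return cap ? std::min(requested, *cap) : requested;
    }
};
```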
Comment 7 John Wilander 2019-03-01 13:33:02 PST
Created attachment 363367
Patch for landing
Comment 8 WebKit Commit Bot 2019-03-01 14:11:39 PST
Comment on attachment 363367
Patch for landing

Clearing flags on attachment: 363367

Committed r242288: <https://trac.webkit.org/changeset/242288>
Comment 9 WebKit Commit Bot 2019-03-01 14:11:41 PST
All reviewed patches have been landed.  Closing bug.