204137 – [GTK][WPE] Add same-site cookie support

Bug 204137 - [GTK][WPE] Add same-site cookie support

Summary: [GTK][WPE] Add same-site cookie support

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKitGTK (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Patrick Griffis

URL:
Keywords:

Duplicates (1):	184955 (view as bug list)
Depends on:
Blocks:

Reported:	2019-11-12 18:47 PST by Patrick Griffis
Modified:	2020-02-07 01:39 PST (History)
CC List:	15 users (show)

See Also:

Attachments
Patch (34.00 KB, patch) 2019-11-12 18:58 PST, Patrick Griffis	no flags	Details \| Formatted Diff \| Diff
Patch (34.00 KB, patch) 2019-11-12 19:06 PST, Patrick Griffis	no flags	Details \| Formatted Diff \| Diff
Patch (21.13 KB, patch) 2020-02-04 05:38 PST, Patrick Griffis	no flags	Details \| Formatted Diff \| Diff
Patch (21.99 KB, patch) 2020-02-04 05:55 PST, Patrick Griffis	no flags	Details \| Formatted Diff \| Diff
Patch (23.60 KB, patch) 2020-02-04 08:54 PST, Patrick Griffis	no flags	Details \| Formatted Diff \| Diff
Patch (23.66 KB, patch) 2020-02-05 13:06 PST, Patrick Griffis	no flags	Details \| Formatted Diff \| Diff
Patch (23.66 KB, patch) 2020-02-06 06:21 PST, Patrick Griffis	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (6) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Patrick Griffis 2019-11-12 18:47:50 PST

[GTK][WPE] Add same-site cookie support

Comment 1 Patrick Griffis 2019-11-12 18:58:18 PST

Created attachment 383419 [details]
Patch

Comment 2 Patrick Griffis 2019-11-12 19:00:13 PST

Note that this requires libsoup to be merged: https://gitlab.gnome.org/GNOME/libsoup/merge_requests/36

Once merged do we build the development release in JHBuild?

Comment 3 Patrick Griffis 2019-11-12 19:06:33 PST

Created attachment 383420 [details]
Patch

Comment 4 Michael Catanzaro 2019-11-13 07:01:12 PST

(In reply to Patrick Griffis from comment #2)
> Once merged do we build the development release in JHBuild?

You'll want to update the jhbuild moduleset in your patch here to ensure you don't break the test expectations with your expectations changes.

Comment 5 Michael Catanzaro 2020-01-10 08:41:51 PST

*** Bug 184955 has been marked as a duplicate of this bug. ***

Comment 6 Carlos Garcia Campos 2020-01-27 05:37:33 PST

Comment on attachment 383420 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=383420&action=review

r- because tests will fail, we need to update the libsoup in jhbuild too.

> Source/WebCore/ChangeLog:11
> +        Added an httpMethod argument to cookie lookup functions for the
> +        soup API to use. Modified other backends to simply ignore this.

Do you know why other ports don't need the http method?

> Source/WebCore/loader/CookieJar.cpp:84
> +        result = session->cookiesForDOM(document.firstPartyForCookies(), sameSiteInfo(document), url, frameID, pageID, includeSecureCookies, httpMethod);

We only need the http method to determine whether it's safe, right? and it's only used by same site cookies, right? If that's the case maybe it would be easier to add bool isSafeHTTPMethod to SameSitoInfo and we don't need to add a new parameter. We still have time to change the libsoup API or we can use any safe HTTP method when it's safe, since it's only used for that.

> Source/WebCore/platform/network/soup/CookieSoup.cpp:35
> +#if SOUP_CHECK_VERSION(2, 69, 0)

Better use the first version including the new api, even if it's an unstable release. That way we don't need to wait until the next stable release to test this.

> Source/WebCore/platform/network/soup/NetworkStorageSessionSoup.cpp:486
> +        httpMethodStr = httpMethod->ascii().data();

This is a temporary, either cache the CString returned by ascii() or do httpMethod ? httpMethod->ascii().data() : nullptr directly in the call to soup_cookie_jar_get_cookie_list_with_same_site_info().

> Source/WebCore/platform/network/soup/ResourceRequestSoup.cpp:187
> +        URL cookieURL = soupURIToURL(siteForCookies);
> +        setIsSameSite(areRegistrableDomainsEqual(cookieURL, m_url));

This could be one line.

> LayoutTests/ChangeLog:9
> +        Updated GTK/WPE test expectations to pass most same-site cookie tests
> +        matching the Apple ports.

To do this, we need to wait for the next libsoup unstable release and use it in out jhbuild, otherwise the tests will fail in the bots that use a previous version.

Comment 7 Patrick Griffis 2020-02-04 05:38:32 PST

Created attachment 389653 [details]
Patch

Comment 8 Patrick Griffis 2020-02-04 05:41:57 PST

GNOME ftp doesn't have the tarball yet, not sure how long that is cached for.

Comment 9 Patrick Griffis 2020-02-04 05:55:03 PST

Created attachment 389654 [details]
Patch

Comment 10 Michael Catanzaro 2020-02-04 06:24:09 PST

Comment on attachment 389654 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=389654&action=review

> Source/WebCore/platform/network/soup/ResourceRequestSoup.cpp:189
> +    else
> +#endif
> +        m_sameSiteDisposition = SameSiteDisposition::Unspecified;

I can tell you Carlos doesn't like to mix #if #endif and runtime conditionals like this. -Wmisleading-indentation won't like it either.

Look how much cleaner it is this way, with just one line of code duplication:

#if SOUP_CHECK_VERSION(2, 69, 90)
    setIsTopSite(soup_message_get_is_top_level_navigation(soupMessage));

    if (SoupURI* siteForCookies = soup_message_get_site_for_cookies(soupMessage))
        setIsSameSite(areRegistrableDomainsEqual(soupURIToURL(siteForCookies), m_url));
    else
        m_sameSiteDisposition = SameSiteDisposition::Unspecified;
#else
    m_sameSiteDisposition = SameSiteDisposition::Unspecified;
#endif

> Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp:688
> +    if (isTopLevelNavigation()) {
> +        request.setFirstPartyForCookies(request.url());
> +#if SOUP_CHECK_VERSION(2, 69, 90)
> +        soup_message_set_is_top_level_navigation(m_soupMessage.get(), true);
> +    }
> +
> +    if (request.isSameSite()) {
> +        GUniquePtr<SoupURI> requestURI = urlToSoupURI(request.url());
> +        soup_message_set_site_for_cookies(m_soupMessage.get(), requestURI.get());
> +#endif
> +    }

if (isTopLevelNavigation()) {
        request.setFirstPartyForCookies(request.url());
#if SOUP_CHECK_VERSION(2, 69, 90)
        soup_message_set_is_top_level_navigation(m_soupMessage.get(), true);
#endif
    }

#if SOUP_CHECK_VERSION(2, 69, 90)
    if (request.isSameSite()) {
        GUniquePtr<SoupURI> requestURI = urlToSoupURI(request.url());
        soup_message_set_site_for_cookies(m_soupMessage.get(), requestURI.get());
    }
#endif

> Tools/gtk/jhbuild.modules:56
>    <repository type="tarball" name="ftp.gnome.org"
>        href="http://ftp.gnome.org"/>

Future work: everything should switch to use download.gnome.org.

Comment 11 Carlos Garcia Campos 2020-02-04 07:36:41 PST

Comment on attachment 389654 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=389654&action=review

> Source/WebCore/platform/network/SameSiteInfo.cpp:36
> +static bool httpMethodIsSafe(const String& method)
> +{
> +    return method == "GET" || method == "HEAD" || method == "OPTIONS" || method == "TRACE";
> +}

I think this could be moved to HTTPParsers.cpp as isSafeMethod(). We should also use equalLettersIgnoringASCIICase() instead of checking the uppercase method names directly.

> Source/WebCore/platform/network/soup/NetworkStorageSessionSoup.cpp:459
> +    GUniquePtr<SoupURI> cookieURI = sameSiteInfo.isSameSite ? urlToSoupURI(url) : nullptr;

Move this after the if (!firstPartyURI) because this is not needed if we return early.

Comment 12 Patrick Griffis 2020-02-04 08:54:47 PST

Created attachment 389666 [details]
Patch

Comment 13 Carlos Garcia Campos 2020-02-05 00:23:48 PST

Comment on attachment 389666 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=389666&action=review

LGTM

> Source/WebCore/platform/network/HTTPParsers.cpp:988
> +bool isSafeMethod(const String& method)

Add a comment linking to https://tools.ietf.org/html/rfc7231#section-4.2.1

Comment 14 Patrick Griffis 2020-02-05 13:06:41 PST

Created attachment 389855 [details]
Patch

Comment 15 Carlos Garcia Campos 2020-02-05 23:55:43 PST

Has libsoup 2.69.90 been released? the tarball doesn't exist, at least in the url https://download.gnome.org/libsoup/2.69/libsoup-2.69.90.tar.xz

Comment 16 Carlos Garcia Campos 2020-02-05 23:56:52 PST

Ok, the right url is https://download.gnome.org/sources/libsoup/2.69/libsoup-2.69.90.tar.xz so the repo in the jhbuild moduleset is wrong

Comment 17 Carlos Garcia Campos 2020-02-05 23:59:01 PST

Comment on attachment 389855 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=389855&action=review

> Tools/gtk/jhbuild.modules:58
> +  <repository type="tarball" name="download.gnome.org"
> +      href="https://download.gnome.org/sources"/>

Maybe thi needs a trailing slash? https://download.gnome.org/sources/

Comment 18 Patrick Griffis 2020-02-06 06:21:11 PST

Created attachment 389945 [details]
Patch

Comment 19 WebKit Commit Bot 2020-02-07 01:38:24 PST

The commit-queue encountered the following flaky tests while processing attachment 389945 [details]:

imported/w3c/web-platform-tests/web-animations/timing-model/timelines/update-and-send-events-replacement.html bug 207335 (author: graouts@apple.com)
The commit-queue is continuing to process your patch.

Comment 20 WebKit Commit Bot 2020-02-07 01:39:08 PST

Comment on attachment 389945 [details]
Patch

Clearing flags on attachment: 389945

Committed r256013: <https://trac.webkit.org/changeset/256013>

Comment 21 WebKit Commit Bot 2020-02-07 01:39:11 PST

All reviewed patches have been landed.  Closing bug.