Deny third-party cookie creation for prevalent resources without interaction
[WebKit-https.git] / Source / WebCore / ChangeLog
index 23d99a4..00e370f 100644 (file)
@@ -1,3 +1,32 @@
+2017-09-06  Brent Fulgham  <bfulgham@apple.com>
+
+        Deny third-party cookie creation for prevalent resources without interaction
+        https://bugs.webkit.org/show_bug.cgi?id=175232
+        <rdar://problem/33709386>
+
+        Reviewed by Alex Christensen.
+
+        Prior to Intelligent Tracking Prevention, WebKit would deny the ability to create a third party cookie if the user's
+        settings prohibited it. Due to the internal mechanics of cookie partitioning, we now accept the third party cookie,
+        but destroy it at some arbitrary moment which is difficult for websites to work with.
+        
+        This patch revises WebKit so that attempts to set third party cookies without user interaction fails immediately,
+        which is what sites are expecting from Safari.
+
+        Tests: http/tests/loading/resourceLoadStatistics/third-party-cookie-with-and-without-user-interaction.html
+
+        * platform/network/NetworkStorageSession.h:
+        * platform/network/cf/NetworkStorageSessionCFNet.cpp:
+        (WebCore::NetworkStorageSession::shouldPartitionCookies const): Revise for new naming.
+        (WebCore::NetworkStorageSession::shouldAllowThirdPartyCookies const): Allow third party cookies when the
+        user interaction property applies.
+        (WebCore::NetworkStorageSession::shouldBlockCookies const): Deny cookies for origins that are not allowed by
+        user interaction, and that are not being partitioned.
+        (WebCore::NetworkStorageSession::setPrevalentDomainsWithAndWithoutInteraction): Revise for new naming, and
+        to track prevalent origins with and without user interaction.
+        (WebCore::NetworkStorageSession::setShouldPartitionCookiesForHosts): Renamed to setPrevalentDomainsWithAndWithoutInteraction.
+        (WebCore::NetworkStorageSession::removePrevalentDomains): New helper function for testing.
+
 2017-09-06  Tomas Popela  <tpopela@redhat.com>
 
         Missing break in URLParser
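Review bot: The description paragraph of the new 2017-09-06 entry ("This patch revises WebKit so that attempts to set third party cookies without user interaction fails immediately") drops the "prevalent resources" qualifier that the title carries, so it reads as if every third-party cookie set without interaction is rejected. Suggest wording it as "attempts by prevalent resources to set third party cookies without user interaction fail immediately", which also fixes the "attempts ... fails" agreement. In the per-function list, the shouldBlockCookies line ("origins that are not allowed by user interaction, and that are not being partitioned") does not say how the block decision relates to the with-interaction and without-interaction origins that setPrevalentDomainsWithAndWithoutInteraction is said to track; one sentence stating which case is blocked and which is partitioned would make the policy reviewable from the ChangeLog alone. NetworkStorageSession.h is listed with no description, and the rename is recorded twice (once under the new name, once under setShouldPartitionCookiesForHosts), so one of those lines could carry the header change instead. Since removePrevalentDomains is described as a helper for testing, it is worth stating here that it is not called outside the test path.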