Remove <meta http-equiv=set-cookie> support
author dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Dec 2018 19:17:15 +0000 (19:17 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Dec 2018 19:17:15 +0000 (19:17 +0000)
commit c65e67bf55426aba4c39fcb896a4d57fa186db39
tree 88ab1a2dcdcc30cd55059dc023480367eb9cb933
parent 6d2e3dc96fefc35b6818697d1690f5f49fdaf22b
Remove <meta http-equiv=set-cookie> support
https://bugs.webkit.org/show_bug.cgi?id=185077
<rdar://problem/41791397>

Reviewed by Brent Fulgham.

Source/WebCore:

Remove support for the HTTP-equiv. pragma Set-Cookie to set a cookie. In <https://github.com/whatwg/html/pull/3649>
the HTML living standard was amended to define this pragma as a no-op. Chrome and Edge have also
removed support for this pragma and Firefox has an open bug to remove it.

* dom/Document.cpp:
(WebCore::Document::processHttpEquiv): Emit a message that the Set-Cookie pragma is obsolete and
was ignored instead of setting the cookie.
* html/parser/XSSAuditor.cpp:
(WebCore::isDangerousHTTPEquiv): We no longer need to consider the Set-Cookie pragma
as dangerous and erase attribute http-equiv when we find it because we no longer honor
this pragma.

LayoutTests:

Update test now that we no longer consider the HTTP equiv. pragma Set-Cookie as
dangerous (since it is ignored).

* http/tests/security/xssAuditor/cookie-injection-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@239342 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/html/parser/XSSAuditor.cpp