https://bugs.webkit.org/show_bug.cgi?id=157053
<rdar://problem/11290808>
Patch by Brent Fulgham <bfulgham@apple.com> and Pranjal Jumde <pjumde@apple.com> on 2017-08-22
Reviewed by Dan Bates.
Source/WebCore:
Tests: http/tests/security/mixedContent/insecure-css-with-secure-cookies.html
http/tests/security/mixedContent/insecure-image-with-securecookie-block.html
http/tests/security/mixedContent/insecure-image-with-securecookie.html
http/tests/security/mixedContent/insecure-script-with-secure-cookies.html
http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block.html
http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies.html
* dom/SecurityContext.h:
(WebCore::SecurityContext::secureCookiesAccessed): Added.
(WebCore::SecurityContext::setSecureCookiesAccessed): Added.
* loader/CookieJar.cpp:
(WebCore::cookies): Pass Document as non-const so we can call 'setSecureCookiesAccessed' if necessary.
* loader/CookieJar.h:
* loader/MixedContentChecker.cpp:
(WebCore::MixedContentChecker::canRunInsecureContent): Updated checks to avoid running insecure content
if secure cookies were accessed.
* platform/CookiesStrategy.h:
(WebCore::CookiesStrategy::cookiesForDOM): Pass new argument indicating whether secure cookies should be included in the response.
* platform/network/PlatformCookieJar.h:
* platform/network/cf/CookieJarCFNet.cpp:
(copyCookiesForURLWithFirstPartyURL): Revise to accept new 'IncludeSecureCookiesOrNot' argument.
(WebCore::cookiesForSession): Updated to accept new 'IncludeSecureCookiesOrNot' argument. Also determine if secure cookies were
included in the response, and return this to the caller.
(WebCore::cookieRequestHeaderFieldValue): Revise for new 'copyCookiesForURLWithFirstPartyURL' signature.
(WebCore::getRawCookies): Ditto.
* platform/network/mac/CookieJarMac.mm:
(WebCore::cookiesForSession): Updated checks to keep track of secure cookies and filter out secure cookies if insecure content
was accessed.
(WebCore::cookiesForDOM): Update for new arguments and to return a pair.
(WebCore::cookieRequestHeaderFieldValue): Ditto.
Source/WebKit:
* NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::cookiesForDOM): Pass new arguments needed by WebCore.
* NetworkProcess/NetworkConnectionToWebProcess.h:
* NetworkProcess/NetworkConnectionToWebProcess.messages.in: Updated the CookiesForDOM message with the new foundMixedContent
argument and the new didAccessSecureCookies reply.
* Shared/mac/CookieStorageShim.mm:
(WebKit::webKitCookieStorageCopyRequestHeaderFieldsForURL): Drive-by fix to use the right message.
* WebProcess/WebCoreSupport/WebPlatformStrategies.cpp:
(WebKit::WebPlatformStrategies::cookiesForDOM): Check and return whether secure cookies were accessed. Accept a new argument
indicating whether secure cookies should be included in the response.
* WebProcess/WebCoreSupport/WebPlatformStrategies.h:
Source/WebKitLegacy/mac:
* WebCoreSupport/WebPlatformStrategies.h:
* WebCoreSupport/WebPlatformStrategies.mm:
(WebPlatformStrategies::cookiesForDOM): Check and return whether secure cookies were accessed. Accept a new argument
indicating whether secure cookies should be included in the response.
LayoutTests:
* http/tests/security/mixedContent/insecure-css-with-secure-cookies-expected.txt: Added.
* http/tests/security/mixedContent/insecure-css-with-secure-cookies.html: Added.
* http/tests/security/mixedContent/insecure-executable-css-with-secure-cookies.html: Added.
* http/tests/security/mixedContent/insecure-executable-css-with-secure-cookies-expected.txt: Added.
* http/tests/security/mixedContent/insecure-image-with-securecookie-block-expected.txt: Added.
* http/tests/security/mixedContent/insecure-image-with-securecookie-block.html: Added.
* http/tests/security/mixedContent/insecure-image-with-securecookie-expected.txt: Added.
* http/tests/security/mixedContent/insecure-image-with-securecookie.html: Added.
* http/tests/security/mixedContent/insecure-script-with-secure-cookies-expected.txt: Added.
* http/tests/security/mixedContent/insecure-script-with-secure-cookies.html: Added.
* http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block-expected.txt: Added.
* http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block.html: Added.
* http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-expected.txt: Added.
* http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies.html: Added.
* http/tests/security/mixedContent/resources/frame-with-insecure-css-secure-cookies.html: Added.
* http/tests/security/mixedContent/resources/frame-with-insecure-executable-css-with-secure-cookies.html: Added.
* http/tests/security/mixedContent/resources/frame-with-insecure-image-secure-cookie-block.html: Added.
* http/tests/security/mixedContent/resources/frame-with-insecure-image-secure-cookie.html: Added.
* http/tests/security/mixedContent/resources/frame-with-insecure-script-secure-cookies.html: Added.
* http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-image-secure-cookie-block.html: Added.
* http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-image-secure-cookie.html: Added.
* http/tests/security/mixedContent/resources/insecure-executable.css: Added.
* http/tests/security/mixedContent/resources/insecure.css: Added.
* http/tests/security/resources/greenbox-hotspot5-4.cur: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@221017 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2017-08-22 Brent Fulgham <bfulgham@apple.com> and Pranjal Jumde <pjumde@apple.com>
+
+ Disable access to secure cookies if an HTTPS site loads mixed content
+ https://bugs.webkit.org/show_bug.cgi?id=157053
+ <rdar://problem/11290808>
+
+ Reviewed by Dan Bates.
+
+ * http/tests/security/mixedContent/insecure-css-with-secure-cookies-expected.txt: Added.
+ * http/tests/security/mixedContent/insecure-css-with-secure-cookies.html: Added.
+ * http/tests/security/mixedContent/insecure-executable-css-with-secure-cookies.html: Added.
+ * http/tests/security/mixedContent/insecure-executable-css-with-secure-cookies-expected.txt: Added.
+ * http/tests/security/mixedContent/insecure-image-with-securecookie-block-expected.txt: Added.
+ * http/tests/security/mixedContent/insecure-image-with-securecookie-block.html: Added.
+ * http/tests/security/mixedContent/insecure-image-with-securecookie-expected.txt: Added.
+ * http/tests/security/mixedContent/insecure-image-with-securecookie.html: Added.
+ * http/tests/security/mixedContent/insecure-script-with-secure-cookies-expected.txt: Added.
+ * http/tests/security/mixedContent/insecure-script-with-secure-cookies.html: Added.
+ * http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block-expected.txt: Added.
+ * http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block.html: Added.
+ * http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-expected.txt: Added.
+ * http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies.html: Added.
+ * http/tests/security/mixedContent/resources/frame-with-insecure-css-secure-cookies.html: Added.
+ * http/tests/security/mixedContent/resources/frame-with-insecure-executable-css-with-secure-cookies.html: Added.
+ * http/tests/security/mixedContent/resources/frame-with-insecure-image-secure-cookie-block.html: Added.
+ * http/tests/security/mixedContent/resources/frame-with-insecure-image-secure-cookie.html: Added.
+ * http/tests/security/mixedContent/resources/frame-with-insecure-script-secure-cookies.html: Added.
+ * http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-image-secure-cookie-block.html: Added.
+ * http/tests/security/mixedContent/resources/frame-with-redirect-https-to-http-image-secure-cookie.html: Added.
+ * http/tests/security/mixedContent/resources/insecure-executable.css: Added.
+ * http/tests/security/mixedContent/resources/insecure.css: Added.
+ * http/tests/security/resources/greenbox-hotspot5-4.cur: Added.
+
2017-08-22 Jer Noble <jer.noble@apple.com>
Autoplay Muted Videos Don't Play When Outside Viewport
--- /dev/null
+main frame - didFinishDocumentLoadForFrame
+main frame - didStartProvisionalLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: line 6: secureCookie=yes
+CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-css-secure-cookies.html was allowed to display insecure content from http://127.0.0.1:8080/security/resources/greenbox-hotspot5-4.cur.
+
+didDisplayInsecureContent
+main frame - didFinishDocumentLoadForFrame
+This test opens a window that loads a secure style sheet with insecure cursor content after reading secure cookies. This should be allowed because loading of the insecure cursor does not pose a security risk since it can only affect the display.
--- /dev/null
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ testRunner.dumpFrameLoadCallbacks();
+ testRunner.setCanOpenWindows();
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+window.addEventListener("message", function (e) {
+ if (window.testRunner)
+ testRunner.notifyDone();
+}, false);
+
+</script>
+<p>This test opens a window that loads a secure style sheet with insecure cursor content after reading secure cookies. This should be allowed because loading of the insecure cursor does not pose a security risk since it can only affect the display.</p>
+<script>
+onload = function() {
+ window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-css-secure-cookies.html");
+}
+</script>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ testRunner.dumpFrameLoadCallbacks();
+ testRunner.setCanOpenWindows();
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+window.addEventListener("message", function (e) {
+ if (window.testRunner)
+ testRunner.notifyDone();
+}, false);
+
+</script>
+<p>This test opens a window that loads a secure style sheet with insecure content after reading secure cookies. This should block loading of the insecure content since secure cookie was read.</p>
+<script>
+onload = function() {
+ window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-executable-css-with-secure-cookies.html");
+}
+</script>
+</body>
+</html>
--- /dev/null
+CONSOLE MESSAGE: line 4: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-secure-cookie-block.html was allowed to display insecure content from http://127.0.0.1:8080/security/resources/compass.jpg.
+
+CONSOLE MESSAGE: line 6:
+This test opens a window that tries to read a secure cookie after an insecure image has been loaded. This should block reading of the secure cookie since insecure content was loaded on this page.
--- /dev/null
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+window.addEventListener("message", function (e) {
+ if (window.testRunner)
+ testRunner.notifyDone();
+}, false);
+
+</script>
+<p>This test opens a window that tries to read a secure cookie after an insecure image has been loaded. This should block reading of the secure cookie since insecure content was loaded on this page.</p>
+<script>
+onload = function() {
+ window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-secure-cookie-block.html");
+}
+</script>
+</body>
+</html>
--- /dev/null
+CONSOLE MESSAGE: line 3: secureCookie=yes
+CONSOLE MESSAGE: line 5: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-secure-cookie.html was allowed to display insecure content from http://127.0.0.1:8080/security/resources/compass.jpg.
+
+This test opens a window that tries to read a secure cookie and then load an insecure image. This should not block loading of the insecure image, even though a secure cookie was accessed on this page, because insecure images can only affect pixels on the screen, not expose private data.
--- /dev/null
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+window.addEventListener("message", function (e) {
+ if (window.testRunner)
+ testRunner.notifyDone();
+}, false);
+</script>
+<p>This test opens a window that tries to read a secure cookie and then load an insecure image. This should not block loading of the insecure image, even though a secure cookie was accessed on this page, because insecure images can only affect pixels on the screen, not expose private data.</p>
+<script>
+onload = function() {
+ window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image-secure-cookie.html");
+}
+</script>
+</body>
+</html>
--- /dev/null
+CONSOLE MESSAGE: line 3: secureCookie=yes
+CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-script-secure-cookies.html was not allowed to run insecure content from http://127.0.0.1:8080/security/mixedContent/resources/script.js.
+
+This test loads a secure iframe that reads secure cookies and then tries to load an insecure script. This should block the insecure script since secure cookies were read.
+
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<p>This test loads a secure iframe that reads secure cookies and then tries to load an insecure script. This should block the insecure script since secure cookies were read.</p>
+<iframe src="https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-script-secure-cookies.html"></iframe>
+</body>
+</html>
--- /dev/null
+main frame - didFinishDocumentLoadForFrame
+main frame - didStartProvisionalLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-redirect-https-to-http-image-secure-cookie-block.html was allowed to display insecure content from http://127.0.0.1:8080/security/resources/compass.jpg.
+
+didDisplayInsecureContent
+CONSOLE MESSAGE: line 8:
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window that loads an insecure image (via a tricky redirect) and then tries to read a secure cookie. This should block the secure cookie from being read because insecure content was loaded while loading a main frame.
--- /dev/null
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ testRunner.dumpFrameLoadCallbacks();
+ testRunner.setCanOpenWindows();
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+window.addEventListener("message", function (e) {
+ if (window.testRunner)
+ testRunner.notifyDone()
+}, false);
+</script>
+<p>This test opens a window that loads an insecure image (via a tricky redirect) and then tries to read a secure cookie. This should block the secure cookie from being read because insecure content was loaded while loading a main frame.</p>
+<script>
+onload = function() {
+ window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-redirect-https-to-http-image-secure-cookie-block.html");
+}
+</script>
+</body>
+</html>
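Review bot: the message handler in this opener discards `e.data`, although the frame it opens replies with 'done' or 'blocked' depending on whether the redirected image loaded; checking the payload the way the non-blocking redirect test does (`if (e.data != "done") alert(...)`, here also expecting 'done' because the image is display-only content and is still allowed) would make the pass criterion explicit instead of relying solely on the empty `CONSOLE MESSAGE: line 8:` line in the expected output. Minor: `testRunner.notifyDone()` is missing its semicolon.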
--- /dev/null
+main frame - didFinishDocumentLoadForFrame
+main frame - didStartProvisionalLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: line 4: secureCookie=yes
+main frame - didFinishDocumentLoadForFrame
+CONSOLE MESSAGE: The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-redirect-https-to-http-image-secure-cookie.html was allowed to display insecure content from http://127.0.0.1:8080/security/resources/compass.jpg.
+
+didDisplayInsecureContent
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window that reads a secure cookie and then loads an insecure image (via a tricky redirect). This should not block the insecure image from loading even though a secure cookie was accessed, because an insecure image can only affect pixels on screen, not expose private data.
--- /dev/null
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ testRunner.dumpFrameLoadCallbacks();
+ testRunner.setCanOpenWindows();
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+window.addEventListener("message", function (e) {
+ if (e.data != "done")
+ alert("should have loaded the insecure content");
+ if (window.testRunner)
+ testRunner.notifyDone()
+}, false);
+</script>
+<p>This test opens a window that reads a secure cookie and then loads an insecure image (via a tricky redirect). This should not block the insecure image from loading even though a secure cookie was accessed, because an insecure image can only affect pixels on screen, not expose private data.</p>
+<script>
+onload = function() {
+ window.open("https://127.0.0.1:8443/security/mixedContent/resources/frame-with-redirect-https-to-http-image-secure-cookie.html");
+}
+</script>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+ document.cookie = "secureCookie=yes;secure";
+ console.log(document.cookie);
+</script>
+<link rel="stylesheet" href="https://127.0.0.1:8443/security/mixedContent/resources/insecure.css">
+</head>
+<body>
+Loading css cursor from insecure source.
+<script>
+if (window.opener)
+ window.opener.postMessage('done', '*');
+</script>
+</body>
+</html>
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+ document.cookie = "secureCookie=yes;secure";
+ console.log(document.cookie);
+</script>
+<link rel="stylesheet" href="https://127.0.0.1:8443/security/mixedContent/resources/insecure-executable.css">
+</head>
+<body id="test">
+Loading css document from insecure source.
+<script>
+if (window.opener)
+ window.opener.postMessage('done', '*');
+</script>
+</body>
+</html>
+
--- /dev/null
+<script>
+ document.cookie = "secureCookie=yes;secure";
+</script>
+<img src="http://127.0.0.1:8080/security/resources/compass.jpg">
+<script>
+console.log(document.cookie);
+window.onload = function() {
+ if (window.opener)
+ window.opener.postMessage('done', '*');
+};
+</script>
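Review bot: the ordering in this frame is load-bearing and deserves a comment: `console.log(document.cookie)` sits after the `<img src="http://...">` tag, so the parser has already started the insecure image load (and set the document's mixed-content flag) before the read, which is why the expected output shows an empty `CONSOLE MESSAGE: line 6:`; moving the read above the image would silently turn this into the non-blocking case. Logging a labelled string, e.g. `console.log("cookies: " + document.cookie)`, would also make the blank line in the expected file readable as a deliberate empty result rather than a stray newline.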
--- /dev/null
+<script>
+ document.cookie = "secureCookie=yes;secure";
+ console.log(document.cookie);
+</script>
+<img src="http://127.0.0.1:8080/security/resources/compass.jpg">
+<script>
+window.onload = function() {
+ if (window.opener)
+ window.opener.postMessage('done', '*');
+};
+</script>
--- /dev/null
+<script>
+document.cookie = "secureCookie=yes;secure";
+console.log(document.cookie);
+</script>
+<script src="http://127.0.0.1:8080/security/mixedContent/resources/script.js"></script>
+<script>
+window.onload = function() {
+ if (window.opener)
+ window.opener.postMessage('done', '*');
+};
+</script>
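Review bot: `window.opener` is null when this document is loaded as an iframe, which is how insecure-script-with-secure-cookies.html embeds it, so the `postMessage('done', '*')` in `onload` never fires; the test still passes because the parent only calls `dumpAsText()` and never waits for a message, but the dead handler suggests it was copied from the window.open-based tests. Either post to `window.parent` and have the parent wait for it, or drop the handler here.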
--- /dev/null
+<script>
+var frameDidLoad = false;
+document.cookie = "secureCookie=yes;secure";
+if (window.testRunner)
+ internals.settings.setAllowRunningOfInsecureContent(true);
+onload = function()
+{
+ console.log(document.cookie);
+ if (window.opener)
+ window.opener.postMessage(frameDidLoad ? 'done' : 'blocked', '*');
+}
+</script>
+<img onload="window.frameDidLoad = true" src="https://127.0.0.1:8443/resources/redirect.php?url=http://127.0.0.1:8080/security/resources/compass.jpg">
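Review bot: `internals.settings.setAllowRunningOfInsecureContent(true)` does not affect this test's outcome: the redirected `<img>` is display content, and that setting is only consulted in `MixedContentChecker::canRunInsecureContent`, whereas what is being exercised is whether a cookie read after the load still returns the Secure cookie. If it is intentional (for instance to show that the cookie gate holds even when running insecure content is permitted), a comment should say so; otherwise drop it so the block and non-block variants differ only in the order of the read and the image load. Note also that the `if (window.testRunner)` guard wraps a call on `internals`, not `testRunner`.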
--- /dev/null
+<script>
+var frameDidLoad = false;
+document.cookie = "secureCookie=yes;secure";
+console.log(document.cookie);
+onload = function()
+{
+ if (window.opener)
+ window.opener.postMessage(frameDidLoad ? 'done' : 'blocked', '*');
+}
+</script>
+<img onload="window.frameDidLoad = true" src="https://127.0.0.1:8443/resources/redirect.php?url=http://127.0.0.1:8080/security/resources/compass.jpg">
--- /dev/null
+@import url(http://127.0.0.1:8080/security/resources/insecure.css);
+body {
+ background-color: yellow, default;
+}
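Review bot: `background-color: yellow, default;` is not valid CSS (`background-color` takes a single color; the `, default` fallback syntax belongs to `cursor`, as used in insecure.css) and the declaration will be dropped by the parser. Since this sheet exists only to carry the `@import url(http://...)` that makes it executable mixed content, either use a plain `background-color: yellow;` or add a comment that the body rule is incidental, so nobody later reads the broken declaration as part of what the test checks.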
--- /dev/null
+html {
+ cursor: url(http://127.0.0.1:8080/security/resources/greenbox-hotspot5-4.cur), default;
+}
+2017-08-22 Brent Fulgham <bfulgham@apple.com> and Pranjal Jumde <pjumde@apple.com>
+
+ Disable access to secure cookies if an HTTPS site loads mixed content
+ https://bugs.webkit.org/show_bug.cgi?id=157053
+ <rdar://problem/11290808>
+
+ Reviewed by Dan Bates.
+
+ Tests: http/tests/security/mixedContent/insecure-css-with-secure-cookies.html
+ http/tests/security/mixedContent/insecure-image-with-securecookie-block.html
+ http/tests/security/mixedContent/insecure-image-with-securecookie.html
+ http/tests/security/mixedContent/insecure-script-with-secure-cookies.html
+ http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies-block.html
+ http/tests/security/mixedContent/redirect-https-to-http-image-secure-cookies.html
+
+ * dom/SecurityContext.h:
+ (WebCore::SecurityContext::secureCookiesAccessed): Added.
+ (WebCore::SecurityContext::setSecureCookiesAccessed): Added.
+ * loader/CookieJar.cpp:
+ (WebCore::cookies): Pass Document as non-const so we can call 'setSecureCookiesAccessed' if necessary.
+ * loader/CookieJar.h:
+ * loader/MixedContentChecker.cpp:
+ (WebCore::MixedContentChecker::canRunInsecureContent): Updated checks to avoid running insecure content
+ if secure cookies were accessed.
+ * platform/CookiesStrategy.h:
+ (WebCore::CookiesStrategy::cookiesForDOM): Pass new argument indicating whether secure cookies should be included in the response.
+ * platform/network/PlatformCookieJar.h:
+ * platform/network/cf/CookieJarCFNet.cpp:
+ (copyCookiesForURLWithFirstPartyURL): Revise to accept new 'IncludeSecureCookiesOrNot' argument.
+ (WebCore::cookiesForSession): Updated to accept new 'IncludeSecureCookiesOrNot' argument. Also determine if secure cookies were
+ included in the response, and return this to the caller.
+ (WebCore::cookieRequestHeaderFieldValue): Revise for new 'copyCookiesForURLWithFirstPartyURL' signature.
+ (WebCore::getRawCookies): Ditto.
+ * platform/network/mac/CookieJarMac.mm:
+ (WebCore::cookiesForSession): Updated checks to keep track of secure cookies and filter out secure cookies if insecure content
+ was accessed.
+ (WebCore::cookiesForDOM): Update for new arguments and to return a pair.
+ (WebCore::cookieRequestHeaderFieldValue): Ditto.
+
2017-08-22 Jer Noble <jer.noble@apple.com>
Autoplay Muted Videos Don't Play When Outside Viewport
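Review bot: the `Tests:` list omits http/tests/security/mixedContent/insecure-executable-css-with-secure-cookies.html, which the LayoutTests ChangeLog adds alongside the others; add it here so the two ChangeLogs agree. The description would also benefit from one sentence stating the scope visible in the diff: only `document.cookie` reads (`WebCore::cookies`) consult the mixed-content flag, while `cookieRequestHeaderFieldValue` and `getRawCookies` keep deriving `IncludeSecureCookies` from the URL scheme alone, so Secure cookies are still attached to requests issued by a page that has already loaded mixed content.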
/*
* Copyright (C) 2011 Google Inc. All Rights Reserved.
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
void setFoundMixedContent() { m_foundMixedContent = true; }
bool geolocationAccessed() const { return m_geolocationAccessed; }
void setGeolocationAccessed() { m_geolocationAccessed = true; }
+ bool secureCookiesAccessed() const { return m_secureCookiesAccessed; }
+ void setSecureCookiesAccessed() { m_secureCookiesAccessed = true; }
bool isStrictMixedContentMode() const { return m_isStrictMixedContentMode; }
void setStrictMixedContentMode(bool strictMixedContentMode) { m_isStrictMixedContentMode = strictMixedContentMode; }
bool m_haveInitializedSecurityOrigin { false };
bool m_foundMixedContent { false };
bool m_geolocationAccessed { false };
+ bool m_secureCookiesAccessed { false };
bool m_isStrictMixedContentMode { false };
};
/*
- * Copyright (C) 2012, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
return context ? context->storageSession() : NetworkStorageSession::defaultStorageSession();
}
-String cookies(const Document& document, const URL& url)
+String cookies(Document& document, const URL& url)
{
TraceScope scope(FetchCookiesStart, FetchCookiesEnd);
- return platformStrategies()->cookiesStrategy()->cookiesForDOM(storageSession(document), document.firstPartyForCookies(), url);
+ auto includeSecureCookiesOrNot = (url.protocolIs("https") && !document.foundMixedContent()) ? IncludeSecureCookies::Yes : IncludeSecureCookies::No;
+ auto result = platformStrategies()->cookiesStrategy()->cookiesForDOM(storageSession(document), document.firstPartyForCookies(), url, includeSecureCookiesOrNot);
+ if (result.second)
+ document.setSecureCookiesAccessed();
+
+ return result.first;
}
void setCookies(Document& document, const URL& url, const String& cookieString)
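Review bot: `setSecureCookiesAccessed()` is only reached through a read (`result.second` after `cookiesForDOM`), while `setCookies` directly below is unchanged, so a script that writes a Secure cookie via `document.cookie = "...;secure"` without reading it back leaves `secureCookiesAccessed()` false and the later `canRunInsecureContent` check unaffected. Every new test reads the cookie back with `console.log(document.cookie)` before loading the insecure resource, so this gap is not covered; either mark the document in the write path when the cookie string carries the `secure` attribute, or document that only reads are meant to trigger the restriction.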
/*
- * Copyright (C) 2003, 2006, 2008, 2012, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
// Functions in this file take a Document pointer to determine which cookie storage to use. We should merge that into call sites, and use PlatformCookieJar directly.
// These two functions implement document.cookie API, with special rules for HttpOnly cookies.
-WEBCORE_EXPORT String cookies(const Document&, const URL&);
+WEBCORE_EXPORT String cookies(Document&, const URL&);
WEBCORE_EXPORT void setCookies(Document&, const URL&, const String& cookieString);
WEBCORE_EXPORT bool cookiesEnabled(const Document&);
/*
* Copyright (C) 2012 Google Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
if (!m_frame.document()->contentSecurityPolicy()->allowRunningOrDisplayingInsecureContent(url))
return false;
- bool allowed = !m_frame.document()->isStrictMixedContentMode() && m_frame.settings().allowRunningOfInsecureContent() && !m_frame.document()->geolocationAccessed();
+ bool allowed = !m_frame.document()->isStrictMixedContentMode() && m_frame.settings().allowRunningOfInsecureContent() && !m_frame.document()->geolocationAccessed() && !m_frame.document()->secureCookiesAccessed();
logWarning(allowed, "run", url);
if (allowed) {
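Review bot: the blocked case now reaches `logWarning(allowed, "run", url)` with the generic "was not allowed to run insecure content" message (as in the expected output for insecure-script-with-secure-cookies), so a developer whose https page has `allowRunningOfInsecureContent` enabled gets no hint that a Secure-cookie read is what disabled it. Consider a dedicated console message when `secureCookiesAccessed()` is the deciding term. Leaving `canDisplayInsecureContent` untouched matches the tests (images and cursors still display), but a short comment here saying that the cookie gate applies to the "run" decision only would save the next reader a search.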
/*
- * Copyright (C) 2011, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* THE POSSIBILITY OF SUCH DAMAGE.
*/
-#ifndef CookiesStrategy_h
-#define CookiesStrategy_h
+#pragma once
#include <pal/SessionID.h>
+#include <wtf/EnumTraits.h>
#include <wtf/Vector.h>
#include <wtf/text/WTFString.h>
namespace WebCore {
-class URL;
class NetworkStorageSession;
+class URL;
+
struct Cookie;
+enum class IncludeSecureCookies { No, Yes };
+
class CookiesStrategy {
public:
- virtual String cookiesForDOM(const NetworkStorageSession&, const URL& firstParty, const URL&) = 0;
+ virtual std::pair<String, bool> cookiesForDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, IncludeSecureCookies) = 0;
virtual void setCookiesFromDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, const String& cookieString) = 0;
virtual bool cookiesEnabled(const NetworkStorageSession&, const URL& firstParty, const URL&) = 0;
virtual String cookieRequestHeaderFieldValue(const NetworkStorageSession&, const URL& firstParty, const URL&) = 0;
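Review bot: `std::pair<String, bool>` leaves the second element unnamed, so the call site reads `result.second` with no indication that it means "a Secure cookie was included in the result"; a two-field struct, or an enum in the style of the new `IncludeSecureCookies`, would make both this interface and the IPC reply self-describing. `<utility>` is also not included for `std::pair`; it presumably arrives transitively through the WTF headers, but the header should include what it uses.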
} // namespace WebCore
-#endif // CookiesStrategy_h
+namespace WTF {
+
+template<> struct EnumTraits<WebCore::IncludeSecureCookies> {
+ using values = EnumValues<
+ WebCore::IncludeSecureCookies,
+ WebCore::IncludeSecureCookies::No,
+ WebCore::IncludeSecureCookies::Yes
+ >;
+};
+
+} // namespace WTF
+
/*
- * Copyright (C) 2003, 2006, 2008, 2012, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
class URL;
class NetworkStorageSession;
+
struct Cookie;
+enum class IncludeSecureCookies;
+
// FIXME: These should probably be NetworkStorageSession member functions.
-WEBCORE_EXPORT String cookiesForDOM(const NetworkStorageSession&, const URL& firstParty, const URL&);
+WEBCORE_EXPORT std::pair<String, bool> cookiesForDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, IncludeSecureCookies);
WEBCORE_EXPORT void setCookiesFromDOM(const NetworkStorageSession&, const URL& firstParty, const URL&, const String&);
WEBCORE_EXPORT bool cookiesEnabled(const NetworkStorageSession&, const URL& firstParty, const URL&);
WEBCORE_EXPORT String cookieRequestHeaderFieldValue(const NetworkStorageSession&, const URL& firstParty, const URL&);
/*
- * Copyright (C) 2006, 2007, 2008, 2012, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
#include <CoreFoundation/CoreFoundation.h>
#include <pal/spi/cf/CFNetworkSPI.h>
#include <wtf/SoftLinking.h>
+#include <wtf/TypeCastsCF.h>
#include <wtf/text/WTFString.h>
#if PLATFORM(WIN)
};
#endif
+namespace WTF {
+
+#define DECLARE_CF_TYPE_TRAIT(ClassName) \
+template <> \
+struct CFTypeTrait<ClassName##Ref> { \
+static inline CFTypeID typeID() { return ClassName##GetTypeID(); } \
+};
+
+DECLARE_CF_TYPE_TRAIT(CFHTTPCookieRef);
+
+#undef DECLARE_CF_TYPE_TRAIT
+} // namespace WTF
+
namespace WebCore {
static const CFStringRef s_setCookieKeyCF = CFSTR("Set-Cookie");
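Review bot: `DECLARE_CF_TYPE_TRAIT(CFHTTPCookieRef)` pastes `Ref` and `GetTypeID` onto its argument, so as written it expands to `CFTypeTrait<CFHTTPCookieRefRef>` and `CFHTTPCookieRefGetTypeID()`, neither of which exists; the argument should be the bare type name, `DECLARE_CF_TYPE_TRAIT(CFHTTPCookie)`, to produce `CFTypeTrait<CFHTTPCookieRef>` and `CFHTTPCookieGetTypeID()`. If wtf/TypeCastsCF.h (newly included above) already provides an equivalent declaration macro, prefer it over a file-local one, and indent the macro body for readability.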
return filteredCookies;
}
-static RetainPtr<CFArrayRef> copyCookiesForURLWithFirstPartyURL(const NetworkStorageSession& session, const URL& firstParty, const URL& url)
+static RetainPtr<CFArrayRef> copyCookiesForURLWithFirstPartyURL(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies)
{
- bool secure = url.protocolIs("https");
+ bool secure = includeSecureCookies == IncludeSecureCookies::Yes;
+
+ ASSERT(!secure || (secure && url.protocolIs("https")));
#if PLATFORM(COCOA)
return adoptCF(_CFHTTPCookieStorageCopyCookiesForURLWithMainDocumentURL(session.cookieStorage().get(), url.createCFURL().get(), firstParty.createCFURL().get(), secure));
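Review bot: `ASSERT(!secure || (secure && url.protocolIs("https")))` simplifies to `ASSERT(!secure || url.protocolIs("https"))`; the `secure &&` term is redundant once `!secure` is false. A comment that this is a debug-only check would also help: in release builds the function now trusts the caller's `IncludeSecureCookies`, so the scheme check that used to live here as `bool secure = url.protocolIs("https")` has to be enforced at every call site.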
CFHTTPCookieStorageSetCookies(session.cookieStorage().get(), filterCookies(unfilteredCookies.get()).get(), urlCF.get(), firstPartyForCookiesCF.get());
}
-String cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url)
+std::pair<String, bool> cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies)
{
- RetainPtr<CFArrayRef> cookiesCF = copyCookiesForURLWithFirstPartyURL(session, firstParty, url);
- RetainPtr<CFDictionaryRef> headerCF = adoptCF(CFHTTPCookieCopyRequestHeaderFields(kCFAllocatorDefault, filterCookies(cookiesCF.get()).get()));
- return (CFStringRef)CFDictionaryGetValue(headerCF.get(), s_cookieCF);
+ RetainPtr<CFArrayRef> cookiesCF = copyCookiesForURLWithFirstPartyURL(session, firstParty, url, includeSecureCookies);
+
+ auto filteredCookies = filterCookies(cookiesCF.get());
+
+ bool didAccessSecureCookies = false;
+
+ CFIndex cookieCount = CFArrayGetCount(filteredCookies.get());
+ while (cookieCount--) {
+ if (CFHTTPCookieIsSecure(checked_cf_cast<CFHTTPCookieRef>(CFArrayGetValueAtIndex(filteredCookies.get(), cookieCount)))) {
+ didAccessSecureCookies = true;
+ break;
+ }
+ }
+
+ RetainPtr<CFDictionaryRef> headerCF = adoptCF(CFHTTPCookieCopyRequestHeaderFields(kCFAllocatorDefault, filteredCookies.get()));
+ String cookieString = checked_cf_cast<CFStringRef>(CFDictionaryGetValue(headerCF.get(), s_cookieCF));
+ return { cookieString, didAccessSecureCookies };
}
String cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url)
{
- RetainPtr<CFArrayRef> cookiesCF = copyCookiesForURLWithFirstPartyURL(session, firstParty, url);
+ auto includeSecureCookies = url.protocolIs("https") ? IncludeSecureCookies::Yes : IncludeSecureCookies::No;
+
+ RetainPtr<CFArrayRef> cookiesCF = copyCookiesForURLWithFirstPartyURL(session, firstParty, url, includeSecureCookies);
RetainPtr<CFDictionaryRef> headerCF = adoptCF(CFHTTPCookieCopyRequestHeaderFields(kCFAllocatorDefault, cookiesCF.get()));
- return (CFStringRef)CFDictionaryGetValue(headerCF.get(), s_cookieCF);
+ return checked_cf_cast<CFStringRef>(CFDictionaryGetValue(headerCF.get(), s_cookieCF));
}
bool cookiesEnabled(const NetworkStorageSession& session, const URL& /*firstParty*/, const URL& /*url*/)
{
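Review bot: `didAccessSecureCookies` is computed by scanning the already filtered list, so it is only ever true when secure cookies were actually handed back; the CookieJarMac.mm version in the same patch sets its flag as soon as a `[cookie isSecure]` cookie is seen, before deciding whether to drop it. When `IncludeSecureCookies::No` is passed the two back ends therefore report different things to the caller, and the mixed-content decision downstream becomes platform dependent. Pick one meaning (the ChangeLog wording "keep track of secure cookies and filter out" suggests the Mac one) and make both match. Minor: `while (cookieCount--)` with a `break` reads less clearly than a plain `for` over the array, and the two `checked_cf_cast` replacements for the old C-style casts are welcome.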
rawCookies.clear();
- RetainPtr<CFArrayRef> cookiesCF = copyCookiesForURLWithFirstPartyURL(session, firstParty, url);
+ auto includeSecureCookies = url.protocolIs("https") ? IncludeSecureCookies::Yes : IncludeSecureCookies::No;
+
+ RetainPtr<CFArrayRef> cookiesCF = copyCookiesForURLWithFirstPartyURL(session, firstParty, url, includeSecureCookies);
CFIndex count = CFArrayGetCount(cookiesCF.get());
rawCookies.reserveCapacity(count);
for (CFIndex i = 0; i < count; i++) {
- CFHTTPCookieRef cookie = (CFHTTPCookieRef)CFArrayGetValueAtIndex(cookiesCF.get(), i);
+ CFHTTPCookieRef cookie = checked_cf_cast<CFHTTPCookieRef>(CFArrayGetValueAtIndex(cookiesCF.get(), i));
String name = cookieName(cookie).get();
String value = cookieValue(cookie).get();
String domain = cookieDomain(cookie).get();
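Review bot: `auto includeSecureCookies = url.protocolIs("https") ? IncludeSecureCookies::Yes : IncludeSecureCookies::No;` is now copied verbatim into both `cookieRequestHeaderFieldValue` and `getRawCookies`; factor it into a small static helper (for example `includeSecureCookiesForURL(const URL&)`, name is a suggestion) so the scheme policy lives in one place. Behaviour here is otherwise unchanged from the old `url.protocolIs("https")` check that lived inside `copyCookiesForURLWithFirstPartyURL`.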
CFIndex count = CFArrayGetCount(cookiesCF.get());
for (CFIndex i = 0; i < count; i++) {
- CFHTTPCookieRef cookie = (CFHTTPCookieRef)CFArrayGetValueAtIndex(cookiesCF.get(), i);
+ CFHTTPCookieRef cookie = checked_cf_cast<CFHTTPCookieRef>(CFArrayGetValueAtIndex(cookiesCF.get(), i));
if (String(cookieName(cookie).get()) == name) {
CFHTTPCookieStorageDeleteCookie(cookieStorage.get(), cookie);
break;
CFIndex count = CFArrayGetCount(cookiesCF.get());
for (CFIndex i = 0; i < count; ++i) {
- CFHTTPCookieRef cookie = static_cast<CFHTTPCookieRef>(const_cast<void *>(CFArrayGetValueAtIndex(cookiesCF.get(), i)));
+ CFHTTPCookieRef cookie = checked_cf_cast<CFHTTPCookieRef>(CFArrayGetValueAtIndex(cookiesCF.get(), i));
RetainPtr<CFStringRef> domain = cookieDomain(cookie);
hostnames.add(domain.get());
}
/*
- * Copyright (C) 2003, 2006, 2008, 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
#import "config.h"
#import "PlatformCookieJar.h"
+#import "CookiesStrategy.h"
#import "NetworkStorageSession.h"
#import "WebCoreSystemInterface.h"
#import <pal/spi/cf/CFNetworkSPI.h>
}
enum IncludeHTTPOnlyOrNot { DoNotIncludeHTTPOnly, IncludeHTTPOnly };
-static String cookiesForSession(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeHTTPOnlyOrNot includeHTTPOnly)
+static String cookiesForSession(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeHTTPOnlyOrNot includeHTTPOnly, IncludeSecureCookies includeSecureCookies, bool& didAccessSecureCookies)
{
BEGIN_BLOCK_OBJC_EXCEPTIONS;
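Review bot: `cookiesForSession` now takes two enums plus a `bool&` out-parameter. Since `cookiesForDOM` below immediately packs the result into a `std::pair<String, bool>`, returning that pair from `cookiesForSession` itself would remove the out-parameter and the `bool ignore = false;` placeholder that `cookieRequestHeaderFieldValue` has to declare just to call it.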
if (!includeHTTPOnly && [cookie isHTTPOnly])
continue;
+ if ([cookie isSecure]) {
+ didAccessSecureCookies = true;
+ if (includeSecureCookies == IncludeSecureCookies::No)
+ continue;
+ }
+
if (!cookiesBuilder.isEmpty())
cookiesBuilder.appendLiteral("; ");
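Review bot: `didAccessSecureCookies = true;` is set before the `includeSecureCookies == IncludeSecureCookies::No` check, so the caller is told secure cookies were accessed even when every one of them was skipped by the `continue`. That differs from the CFNet implementation in this patch, which only reports access for cookies it actually returned. Whichever meaning is intended, document it on the parameter and align both back ends; otherwise `MixedContentChecker::canRunInsecureContent` behaves differently per platform. Also, the flag is only ever set to true, so every caller must initialise it to false (both callers below do, but that contract is worth a comment).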
return String();
}
-String cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url)
+std::pair<String, bool> cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies)
{
- return cookiesForSession(session, firstParty, url, DoNotIncludeHTTPOnly);
+ bool didAccessSecureCookies = false;
+ auto cookieString = cookiesForSession(session, firstParty, url, DoNotIncludeHTTPOnly, includeSecureCookies, didAccessSecureCookies);
+ return { cookieString, didAccessSecureCookies };
}
String cookieRequestHeaderFieldValue(const NetworkStorageSession& session, const URL& firstParty, const URL& url)
{
- return cookiesForSession(session, firstParty, url, IncludeHTTPOnly);
+ bool ignore = false;
+ return cookiesForSession(session, firstParty, url, IncludeHTTPOnly, IncludeSecureCookies::No, ignore);
}
void setCookiesFromDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url, const String& cookieStr)
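Review bot: `cookieRequestHeaderFieldValue` passes `IncludeSecureCookies::No` unconditionally, and the loop above skips every `[cookie isSecure]` cookie when that value is given, so Secure cookies would be dropped from the Cookie request header even for https URLs. The CFNet counterpart derives the flag from the scheme; do the same here, e.g. `url.protocolIs("https") ? IncludeSecureCookies::Yes : IncludeSecureCookies::No`. A layout test that fetches an https subresource expecting a Secure cookie to be sent would catch this regression.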
+2017-08-22 Brent Fulgham <bfulgham@apple.com> and Pranjal Jumde <pjumde@apple.com>
+
+ Disable access to secure cookies if an HTTPS site loads mixed content
+ https://bugs.webkit.org/show_bug.cgi?id=157053
+ <rdar://problem/11290808>
+
+ Reviewed by Dan Bates.
+
+ * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+ (WebKit::NetworkConnectionToWebProcess::cookiesForDOM): Pass new arguments needed by WebCore.
+ * NetworkProcess/NetworkConnectionToWebProcess.h:
+ * NetworkProcess/NetworkConnectionToWebProcess.messages.in: Updated the CookiesForDOM message with the new foundMixedContent
+ argument and the new didAccessSecureCookies reply.
+ * Shared/mac/CookieStorageShim.mm:
+ (WebKit::webKitCookieStorageCopyRequestHeaderFieldsForURL): Drive-by fix to use the right message.
+ * WebProcess/WebCoreSupport/WebPlatformStrategies.cpp:
+ (WebKit::WebPlatformStrategies::cookiesForDOM): Check and return whether secure cookies were accessed. Accept a new argument
+ indicating whether secure cookies should be included in the response.
+ * WebProcess/WebCoreSupport/WebPlatformStrategies.h:
+
2017-08-22 Zan Dobersek <zdobersek@igalia.com>
[GTK][WPE] Rename StorageProcessMainGtk.cpp to StorageProcessMainGLib.cpp
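Review bot: the entry for NetworkConnectionToWebProcess.messages.in describes a new `foundMixedContent` argument, but the message as changed takes `enum WebCore::IncludeSecureCookies includeSecureCookies`; update the description to match. The header-map script change (adding the `WebCore::IncludeSecureCookies` mapping and removing the `WebKit::LayerHostingMode` entry) is not listed here at all.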
/*
- * Copyright (C) 2012-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
loader->convertToDownload(downloadID, request, response);
}
-void NetworkConnectionToWebProcess::cookiesForDOM(PAL::SessionID sessionID, const URL& firstParty, const URL& url, String& result)
+void NetworkConnectionToWebProcess::cookiesForDOM(PAL::SessionID sessionID, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies, String& result, bool& secureCookiesAccessed)
{
- result = WebCore::cookiesForDOM(storageSession(sessionID), firstParty, url);
+ std::tie(result, secureCookiesAccessed) = WebCore::cookiesForDOM(storageSession(sessionID), firstParty, url, includeSecureCookies);
}
void NetworkConnectionToWebProcess::setCookiesFromDOM(PAL::SessionID sessionID, const URL& firstParty, const URL& url, const String& cookieString)
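Review bot: `includeSecureCookies` arrives over IPC from the web process, and the only check that it agrees with the URL scheme is the debug-only ASSERT inside `copyCookiesForURLWithFirstPartyURL`. Since the network process is the side that owns the cookie store, consider validating here in release builds as well (for example, use `IncludeSecureCookies::No` whenever `!url.protocolIs("https")`) rather than trusting the sender. Minor: `std::tie` needs `<tuple>`; confirm it is included, as that is not visible in this hunk.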
/*
- * Copyright (C) 2012-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
class HTTPHeaderMap;
class ResourceError;
class ResourceRequest;
+
+enum class IncludeSecureCookies;
}
namespace WebKit {
void startDownload(PAL::SessionID, DownloadID, const WebCore::ResourceRequest&, const String& suggestedName = { });
void convertMainResourceLoadToDownload(PAL::SessionID, uint64_t mainResourceLoadIdentifier, DownloadID, const WebCore::ResourceRequest&, const WebCore::ResourceResponse&);
- void cookiesForDOM(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, String& result);
+ void cookiesForDOM(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, WebCore::IncludeSecureCookies, String& result, bool& secureCookiesAccessed);
void setCookiesFromDOM(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, const String&);
void cookiesEnabled(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, bool& result);
void cookieRequestHeaderFieldValue(PAL::SessionID, const WebCore::URL& firstParty, const WebCore::URL&, String& result);
-# Copyright (C) 2012 Apple Inc. All rights reserved.
+# Copyright (C) 2012-2017 Apple Inc. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
StartDownload(PAL::SessionID sessionID, WebKit::DownloadID downloadID, WebCore::ResourceRequest request, String suggestedName)
ConvertMainResourceLoadToDownload(PAL::SessionID sessionID, uint64_t mainResourceLoadIdentifier, WebKit::DownloadID downloadID, WebCore::ResourceRequest request, WebCore::ResourceResponse response)
- CookiesForDOM(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url) -> (String result)
+ CookiesForDOM(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url, enum WebCore::IncludeSecureCookies includeSecureCookies) -> (String result, bool didAccessSecureCookies)
SetCookiesFromDOM(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url, String cookieString)
CookiesEnabled(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url) -> (bool enabled)
CookieRequestHeaderFieldValue(PAL::SessionID sessionID, WebCore::URL firstParty, WebCore::URL url) -> (String result)
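Review bot: the reply value is named `didAccessSecureCookies` here and in CookieJarCFNet.cpp, but `secureCookiesAccessed` in the `NetworkConnectionToWebProcess::cookiesForDOM` signature and in `WebPlatformStrategies::cookiesForDOM`; pick one name for the whole path so the message definition, handler and strategy read the same.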
'WebCore::GrammarDetail': ['<WebCore/TextCheckerClient.h>'],
'WebCore::HasInsecureContent': ['<WebCore/FrameLoaderTypes.h>'],
'WebCore::Highlight': ['<WebCore/InspectorOverlay.h>'],
+ 'WebCore::IncludeSecureCookies': ['<WebCore/CookiesStrategy.h>'],
'WebCore::KeyframeValueList': ['<WebCore/GraphicsLayer.h>'],
'WebCore::KeypressCommand': ['<WebCore/KeyboardEvent.h>'],
'WebCore::MediaConstraints': ['<WebCore/MediaConstraints.h>'],
'struct WebKit::WebUserStyleSheetData': ['"WebUserContentControllerDataTypes.h"'],
'struct WebKit::WebScriptMessageHandlerData': ['"WebUserContentControllerDataTypes.h"'],
'std::chrono::system_clock::time_point': ['<chrono>'],
- 'WebKit::LayerHostingMode': ['"LayerTreeContext.h"'],
}
headers = []
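Review bot: the removal of `'WebKit::LayerHostingMode': ['"LayerTreeContext.h"'],` is unrelated to secure-cookie handling and is not mentioned in the ChangeLog; either drop it from this patch or call it out explicitly so the header-map change is not mistaken for an accident.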
/*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
{
String cookies;
URL firstPartyForCookiesURL;
- if (!WebProcess::singleton().networkConnection().connection().sendSync(Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue(PAL::SessionID::defaultSessionID(), firstPartyForCookiesURL, inRequestURL), Messages::NetworkConnectionToWebProcess::CookiesForDOM::Reply(cookies), 0))
+ if (!WebProcess::singleton().networkConnection().connection().sendSync(Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue(PAL::SessionID::defaultSessionID(), firstPartyForCookiesURL, inRequestURL), Messages::NetworkConnectionToWebProcess::CookieRequestHeaderFieldValue::Reply(cookies), 0))
return 0;
if (cookies.isNull())
/*
- * Copyright (C) 2010, 2011, 2012, 2015, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
// CookiesStrategy
-String WebPlatformStrategies::cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url)
+std::pair<String, bool> WebPlatformStrategies::cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies)
{
- String result;
- if (!WebProcess::singleton().networkConnection().connection().sendSync(Messages::NetworkConnectionToWebProcess::CookiesForDOM(session.sessionID(), firstParty, url), Messages::NetworkConnectionToWebProcess::CookiesForDOM::Reply(result), 0))
- return String();
- return result;
+ String cookieString;
+ bool secureCookiesAccessed = false;
+ if (!WebProcess::singleton().networkConnection().connection().sendSync(Messages::NetworkConnectionToWebProcess::CookiesForDOM(session.sessionID(), firstParty, url, includeSecureCookies), Messages::NetworkConnectionToWebProcess::CookiesForDOM::Reply(cookieString, secureCookiesAccessed), 0))
+ return { String(), false };
+
+ return { cookieString, secureCookiesAccessed };
}
void WebPlatformStrategies::setCookiesFromDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url, const String& cookieString)
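Review bot: on `sendSync` failure the function returns `{ String(), false }`, i.e. no cookies and "secure cookies not accessed". That is the safe direction for the cookie string, and a false flag only means the mixed-content restriction is not tightened for a document that received no cookies at all, so it is acceptable; a one-line comment stating that intent would save the next reader from wondering whether the failure path should report true instead.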
/*
- * Copyright (C) 2010, 2012, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
WebCore::BlobRegistry* createBlobRegistry() override;
// WebCore::CookiesStrategy
- String cookiesForDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&) override;
+ std::pair<String, bool> cookiesForDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, WebCore::IncludeSecureCookies) override;
void setCookiesFromDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, const String&) override;
bool cookiesEnabled(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&) override;
String cookieRequestHeaderFieldValue(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&) override;
+2017-08-22 Brent Fulgham <bfulgham@apple.com> and Pranjal Jumde <pjumde@apple.com>
+
+ Disable access to secure cookies if an HTTPS site loads mixed content
+ https://bugs.webkit.org/show_bug.cgi?id=157053
+ <rdar://problem/11290808>
+
+ Reviewed by Dan Bates.
+
+ * WebCoreSupport/WebPlatformStrategies.h:
+ * WebCoreSupport/WebPlatformStrategies.mm:
+ (WebPlatformStrategies::cookiesForDOM): Check and return whether secure cookies were accessed. Accept a new argument
+ indicating whether secure cookies should be included in the response.
+
2017-08-21 Yoshiaki Jitsukawa <Yoshiaki.Jitsukawa@sony.com>
[PAL] Move spi/mac directory into PAL
/*
- * Copyright (C) 2010, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* THE POSSIBILITY OF SUCH DAMAGE.
*/
-#ifndef WebPlatformStrategies_h
-#define WebPlatformStrategies_h
+#pragma once
#include <WebCore/CookiesStrategy.h>
#include <WebCore/LoaderStrategy.h>
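Review bot: swapping the `WebPlatformStrategies_h` include guard for `#pragma once` is an unrelated cleanup mixed into a security fix. It is fine on its own, but the WebKitLegacy ChangeLog entry for this header gives only the file name; either mention the guard change there or leave the guard alone to keep the diff focused on the cookie behaviour.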
WebCore::BlobRegistry* createBlobRegistry() override;
// WebCore::CookiesStrategy
- String cookiesForDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&) override;
+ std::pair<String, bool> cookiesForDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, WebCore::IncludeSecureCookies) override;
void setCookiesFromDOM(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&, const String&) override;
bool cookiesEnabled(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&) override;
String cookieRequestHeaderFieldValue(const WebCore::NetworkStorageSession&, const WebCore::URL& firstParty, const WebCore::URL&) override;
long setStringForType(const String&, const String& pasteboardType, const String& pasteboardName) override;
};
-#endif // WebPlatformStrategies_h
/*
- * Copyright (C) 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
return new WebCore::BlobRegistryImpl;
}
-String WebPlatformStrategies::cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url)
+std::pair<String, bool> WebPlatformStrategies::cookiesForDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url, IncludeSecureCookies includeSecureCookies)
{
- return WebCore::cookiesForDOM(session, firstParty, url);
+ return WebCore::cookiesForDOM(session, firstParty, url, includeSecureCookies);
}
void WebPlatformStrategies::setCookiesFromDOM(const NetworkStorageSession& session, const URL& firstParty, const URL& url, const String& cookieString)