… after a redirect from a third party site https://bugs.webkit.org/show_bug.cgi?id=208049 <rdar://problem/59701889> Reviewed by Chris Dumez. The HTTP WG has decided that SameSite=strict cookies should be returned in document.cookie even in cases where they are not sent in the HTTP request for the page. Chromium and Gecko now work according to those rules and the spec is being updated. See: - httpwg/http-extensions#769 - https://github.com/httpwg/http-extensions/pull/1428/files. Source/WebCore: Here's an excerpt from the spec change: 'If a user agent does return cookies for a given call to a "non-HTTP" API with an associated Document, then the user agent MUST compute the cookie-string following the algorithm defined in {{retrieval-algorithm}}, indicating that the retrieval is from a "non-HTTP" API. The retrieval-uri is the associated Document's cookie URL {{COOKIE-URL}}, and the retrieval is same-site if the Document's "site for cookies" is same-site with the top-level origin as defined in {{document-requests}}.' Existing layout tests changed and rebased. * loader/CookieJar.cpp: (WebCore::CookieJar::sameSiteInfo): Now takes a IsCookieAccessForDOM parameter and forwards it to SameSiteInfo::create(). (WebCore::CookieJar::cookies const): Now sends IsCookieAccessForDOM::Yes to CookieJar::sameSiteInfo(). (WebCore::CookieJar::setCookies): Now sends IsCookieAccessForDOM::Yes to CookieJar::sameSiteInfo(). * loader/CookieJar.h: * platform/network/SameSiteInfo.cpp: (WebCore::SameSiteInfo::create): Now takes a IsForDOMCookieAccess parameter and if it's IsForDOMCookieAccess::Yes and the site is top site, sets isSameSite. * platform/network/SameSiteInfo.h: Now has an enum IsForDOMCookieAccess. Source/WebKit: Here's an excerpt from the spec change: 'If a user agent does return cookies for a given call to a "non-HTTP" API with an associated Document, then the user agent MUST compute the cookie-string following the algorithm defined in {{retrieval-algorithm}}, indicating that the retrieval is from a "non-HTTP" API. The retrieval-uri is the associated Document's cookie URL {{COOKIE-URL}}, and the retrieval is same-site if the Document's "site for cookies" is same-site with the top-level origin as defined in {{document-requests}}.' Existing layout tests changed and rebased. * WebProcess/WebPage/WebCookieJar.cpp: (WebKit::WebCookieJar::cookies const): Now sends WebCore::IsCookieAccessForDOM::Yes to WebCore::CookieJar::sameSiteInfo(). (WebKit::WebCookieJar::setCookies): Now sends WebCore::IsCookieAccessForDOM::Yes to WebCore::CookieJar::sameSiteInfo(). LayoutTests: Tests changed and rebased accordingly. * http/tests/cookies/same-site/fetch-after-top-level-cross-origin-redirect-expected.txt: * http/tests/cookies/same-site/fetch-after-top-level-navigation-from-cross-origin-page-expected.txt: * http/tests/cookies/same-site/fetch-after-top-level-navigation-initiated-from-iframe-in-cross-origin-page-expected.txt: * http/tests/cookies/same-site/popup-cross-site-post.html: * http/tests/cookies/same-site/popup-cross-site.html: * http/tests/cookies/same-site/popup-same-site-via-cross-site-redirect.html: * http/tests/cookies/same-site/resources/fetch-after-top-level-cross-origin-redirect.py: * http/tests/cookies/same-site/resources/fetch-after-top-level-navigation-from-cross-origin-page.py: * http/tests/cookies/same-site/resources/fetch-after-top-level-navigation-initiated-from-iframe-in-cross-origin-page.py: * http/tests/cookies/same-site/user-load-cross-site-redirect-expected.txt: * http/tests/cookies/same-site/user-load-cross-site-redirect.py: Canonical link: https://commits.webkit.org/237762@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@277534 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Clarify SameSite behavior for non-HTTP API #769

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions