RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-27 06:27:45 +00:00
Code Issues Activity Actions

Browser: Respect the HttpOnly flag when storing cookies

Browse source
This commit is contained in:
Timothy Flynn 2021-04-13 17:35:26 -04:00 committed by Andreas Kling
parent c00760c5f9
commit 858ba11aef
3 changed files with 9 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Base/res/html/misc/cookie.html
View file

@ -9,7 +9,7 @@
<br /><input id=invalid1 type=button onclick="setCookie(this.value)" value="cookie4=value4; domain=serenityos.org" /> <br /><input id=invalid1 type=button onclick="setCookie(this.value)" value="cookie4=value4; domain=serenityos.org" />
<label for=invalid1>The Domain attribute does not domain-match this page</label> <label for=invalid1>The Domain attribute does not domain-match this page</label>
<br /><input id=invalid2 type=button onclick="setCookie(this.value)" value="cookie5=value5; httponly" /> <br /><input id=invalid2 type=button onclick="setCookie(this.value)" value="cookie5=value5; httponly" />
<label for=invalid2>The cookie is HttpOnly thus cannot be set via JavaScript (*not yet implemented*)</label> <label for=invalid2>The cookie is HttpOnly thus cannot be set via JavaScript</label>
<br /><input id=invalid3 type=button onclick="setCookie(this.value)" value="cookie6=value6; max-age=-1" /> <br /><input id=invalid3 type=button onclick="setCookie(this.value)" value="cookie6=value6; max-age=-1" />
<label for=invalid3>The cookie expired in the past</label> <label for=invalid3>The cookie expired in the past</label>
<br /><input id=invalid4 type=button onclick="setCookie(this.value)" value="cookie7=value7; expires=Mon, 23 Jan 1989 08:10:36 GMT" /> <br /><input id=invalid4 type=button onclick="setCookie(this.value)" value="cookie7=value7; expires=Mon, 23 Jan 1989 08:10:36 GMT" />

12
Userland/Applications/Browser/CookieJar.cpp
View file

@ -55,7 +55,7 @@ String CookieJar::get_cookie(const URL& url, Web::Cookie::Source)
return builder.build(); return builder.build();
} }
void CookieJar::set_cookie(const URL& url, const String& cookie_string, Web::Cookie::Source) void CookieJar::set_cookie(const URL& url, const String& cookie_string, Web::Cookie::Source source)
{ {
auto domain = canonicalize_domain(url); auto domain = canonicalize_domain(url);
if (!domain.has_value()) if (!domain.has_value())
@ -65,7 +65,7 @@ void CookieJar::set_cookie(const URL& url, const String& cookie_string, Web::Coo
if (!parsed_cookie.has_value()) if (!parsed_cookie.has_value())
return; return;
store_cookie(parsed_cookie.value(), url, move(domain.value())); store_cookie(parsed_cookie.value(), url, move(domain.value()), source);
purge_expired_cookies(); purge_expired_cookies();
} }
@ -152,7 +152,7 @@ String CookieJar::default_path(const URL& url)
return uri_path.substring(0, last_separator); return uri_path.substring(0, last_separator);
} }
void CookieJar::store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL& url, String canonicalized_domain) void CookieJar::store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL& url, String canonicalized_domain, Web::Cookie::Source source)
{ {
// https://tools.ietf.org/html/rfc6265#section-5.3 // https://tools.ietf.org/html/rfc6265#section-5.3
@ -215,7 +215,8 @@ void CookieJar::store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL
cookie.http_only = parsed_cookie.http_only_attribute_present; cookie.http_only = parsed_cookie.http_only_attribute_present;
// 10. If the cookie was received from a "non-HTTP" API and the cookie's http-only-flag is set, abort these steps and ignore the cookie entirely. // 10. If the cookie was received from a "non-HTTP" API and the cookie's http-only-flag is set, abort these steps and ignore the cookie entirely.
// FIXME: Update CookieJar to track where the cookie originated (an HTTP request vs document.cookie). if (source != Web::Cookie::Source::Http && cookie.http_only)
return;
// 11. If the cookie store contains a cookie with the same name, domain, and path as the newly created cookie: // 11. If the cookie store contains a cookie with the same name, domain, and path as the newly created cookie:
CookieStorageKey key { cookie.name, cookie.domain, cookie.path }; CookieStorageKey key { cookie.name, cookie.domain, cookie.path };
@ -223,7 +224,8 @@ void CookieJar::store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL
if (auto old_cookie = m_cookies.find(key); old_cookie != m_cookies.end()) { if (auto old_cookie = m_cookies.find(key); old_cookie != m_cookies.end()) {
// If the newly created cookie was received from a "non-HTTP" API and the old-cookie's http-only-flag is set, abort these // If the newly created cookie was received from a "non-HTTP" API and the old-cookie's http-only-flag is set, abort these
// steps and ignore the newly created cookie entirely. // steps and ignore the newly created cookie entirely.
// FIXME: Similar to step 10, CookieJar needs to track where the cookie originated. if (source != Web::Cookie::Source::Http && old_cookie->value.http_only)
return;
// Update the creation-time of the newly created cookie to match the creation-time of the old-cookie. // Update the creation-time of the newly created cookie to match the creation-time of the old-cookie.
cookie.creation_time = old_cookie->value.creation_time; cookie.creation_time = old_cookie->value.creation_time;

2
Userland/Applications/Browser/CookieJar.h
View file

@ -55,7 +55,7 @@ private:
static bool domain_matches(const String& string, const String& domain_string); static bool domain_matches(const String& string, const String& domain_string);
static String default_path(const URL& url); static String default_path(const URL& url);
void store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL& url, String canonicalized_domain); void store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL& url, String canonicalized_domain, Web::Cookie::Source source);
void purge_expired_cookies(); void purge_expired_cookies();
HashMap<CookieStorageKey, Web::Cookie::Cookie> m_cookies; HashMap<CookieStorageKey, Web::Cookie::Cookie> m_cookies;