Browser+LibWebView+WebContent: Do not domain match on cookie updates

Updating cookies through these hooks happens in one of two manners: 1. Through the Browser's storage inspector. 2. Through WebDriver's delete-cookies operation. In (1), we should not restrict ourselves to being able to delete cookies for the current page. For example, it's handy to open the inspector from the welcome page and be able to delete cookies for any domain. In (2), we already are only interacting with cookies that have been matched against the document URL.
2025-07-26 23:47:45 +00:00 · 2022-11-28 11:24:04 -05:00 · 2022-11-28 11:24:04 -05:00 · bf060adcf9
commit bf060adcf9
parent 949f5460fb
15 changed files with 22 additions and 30 deletions
--- a/Userland/Applications/Browser/CookieJar.cpp
+++ b/Userland/Applications/Browser/CookieJar.cpp
@ -51,16 +51,8 @@ void CookieJar::set_cookie(const URL& url, Web::Cookie::ParsedCookie const& pars

 // This is based on https://www.rfc-editor.org/rfc/rfc6265#section-5.3 as store_cookie() below
 // however the whole ParsedCookie->Cookie conversion is skipped.
-void CookieJar::update_cookie(URL const& url, Web::Cookie::Cookie cookie)
+void CookieJar::update_cookie(Web::Cookie::Cookie cookie)
 {
-    auto domain = canonicalize_domain(url);
-    if (!domain.has_value())
-        return;
-
-    // 6. If the canonicalized request-host does not domain-match the domain-attribute: Ignore the cookie entirely and abort these steps.
-    if (!domain_matches(domain.value(), cookie.domain))
-        return;
-
    // 11. If the cookie store contains a cookie with the same name, domain, and path as the newly created cookie:
    CookieStorageKey key { cookie.name, cookie.domain, cookie.path };