Browser+LibWeb+WebContent: Track the source of document.cookie requests

To implement the HttpOnly attribute, the CookieJar needs to know where a request originated from. Namely, it needs to distinguish between HTTP / non-HTTP (i.e. JavaScript) requests. When the HttpOnly attribute is set, requests from JavaScript are to be blocked.
2025-07-27 01:47:35 +00:00 · 2021-04-13 17:30:41 -04:00 · 2021-04-13 17:30:41 -04:00 · c00760c5f9
commit c00760c5f9
parent 7193e518d1
20 changed files with 54 additions and 47 deletions
--- a/Userland/Applications/Browser/CookieJar.cpp
+++ b/Userland/Applications/Browser/CookieJar.cpp
@ -33,7 +33,7 @@

 namespace Browser {

-String CookieJar::get_cookie(const URL& url)
+String CookieJar::get_cookie(const URL& url, Web::Cookie::Source)
 {
    purge_expired_cookies();

@ -55,7 +55,7 @@ String CookieJar::get_cookie(const URL& url)
    return builder.build();
 }

-void CookieJar::set_cookie(const URL& url, const String& cookie_string)
+void CookieJar::set_cookie(const URL& url, const String& cookie_string, Web::Cookie::Source)
 {
    auto domain = canonicalize_domain(url);
    if (!domain.has_value())
--- a/Userland/Applications/Browser/CookieJar.h
+++ b/Userland/Applications/Browser/CookieJar.h
@ -46,8 +46,8 @@ struct CookieStorageKey {

 class CookieJar {
 public:
-    String get_cookie(const URL& url);
-    void set_cookie(const URL& url, const String& cookie);
+    String get_cookie(const URL& url, Web::Cookie::Source source);
+    void set_cookie(const URL& url, const String& cookie, Web::Cookie::Source source);
    void dump_cookies() const;

 private:
--- a/Userland/Applications/Browser/Tab.cpp
+++ b/Userland/Applications/Browser/Tab.cpp
@ -242,15 +242,15 @@ Tab::Tab(Type type)
            on_favicon_change(icon);
    };

-    hooks().on_get_cookie = [this](auto& url) -> String {
+    hooks().on_get_cookie = [this](auto& url, auto source) -> String {
        if (on_get_cookie)
-            return on_get_cookie(url);
+            return on_get_cookie(url, source);
        return {};
    };

-    hooks().on_set_cookie = [this](auto& url, auto& cookie) {
+    hooks().on_set_cookie = [this](auto& url, auto& cookie, auto source) {
        if (on_set_cookie)
-            on_set_cookie(url, cookie);
+            on_set_cookie(url, cookie, source);
    };

    hooks().on_get_source = [this](auto& url, auto& source) {
--- a/Userland/Applications/Browser/Tab.h
+++ b/Userland/Applications/Browser/Tab.h
@ -70,8 +70,8 @@ public:
    Function<void(const URL&)> on_tab_open_request;
    Function<void(Tab&)> on_tab_close_request;
    Function<void(const Gfx::Bitmap&)> on_favicon_change;
-    Function<String(const URL& url)> on_get_cookie;
-    Function<void(const URL& url, const String& cookie)> on_set_cookie;
+    Function<String(const URL& url, Web::Cookie::Source source)> on_get_cookie;
+    Function<void(const URL& url, const String& cookie, Web::Cookie::Source source)> on_set_cookie;
    Function<void()> on_dump_cookies;

    const String& title() const { return m_title; }
--- a/Userland/Applications/Browser/main.cpp
+++ b/Userland/Applications/Browser/main.cpp
@ -219,12 +219,12 @@ int main(int argc, char** argv)
            });
        };

-        new_tab.on_get_cookie = [&](auto& url) -> String {
-            return cookie_jar.get_cookie(url);
+        new_tab.on_get_cookie = [&](auto& url, auto source) -> String {
+            return cookie_jar.get_cookie(url, source);
        };

-        new_tab.on_set_cookie = [&](auto& url, auto& cookie) {
-            cookie_jar.set_cookie(url, cookie);
+        new_tab.on_set_cookie = [&](auto& url, auto& cookie, auto source) {
+            cookie_jar.set_cookie(url, cookie, source);
        };

        new_tab.on_dump_cookies = [&]() {