1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-27 00:37:45 +00:00

Browser+LibWeb+WebContent: Track the source of document.cookie requests

To implement the HttpOnly attribute, the CookieJar needs to know where a
request originated from. Namely, it needs to distinguish between HTTP /
non-HTTP (i.e. JavaScript) requests. When the HttpOnly attribute is set,
requests from JavaScript are to be blocked.
This commit is contained in:
Timothy Flynn 2021-04-13 17:30:41 -04:00 committed by Andreas Kling
parent 7193e518d1
commit c00760c5f9
20 changed files with 54 additions and 47 deletions

View file

@ -31,6 +31,11 @@
namespace Web::Cookie {
enum class Source {
NonHttp,
Http,
};
struct Cookie {
String name;
String value;

View file

@ -821,17 +821,17 @@ void Document::completely_finish_loading()
dispatch_event(DOM::Event::create(HTML::EventNames::load));
}
String Document::cookie()
String Document::cookie(Cookie::Source source)
{
if (auto* page = this->page())
return page->client().page_did_request_cookie(m_url);
return page->client().page_did_request_cookie(m_url, source);
return {};
}
void Document::set_cookie(String cookie)
void Document::set_cookie(String cookie, Cookie::Source source)
{
if (auto* page = this->page())
page->client().page_did_set_cookie(m_url, cookie);
page->client().page_did_set_cookie(m_url, cookie, source);
}
}

View file

@ -40,6 +40,7 @@
#include <LibWeb/CSS/CSSStyleSheet.h>
#include <LibWeb/CSS/StyleResolver.h>
#include <LibWeb/CSS/StyleSheetList.h>
#include <LibWeb/Cookie/Cookie.h>
#include <LibWeb/DOM/DOMImplementation.h>
#include <LibWeb/DOM/ExceptionOr.h>
#include <LibWeb/DOM/NonElementParentNode.h>
@ -73,8 +74,8 @@ public:
virtual ~Document() override;
String cookie();
void set_cookie(String);
String cookie(Cookie::Source = Cookie::Source::NonHttp);
void set_cookie(String, Cookie::Source = Cookie::Source::NonHttp);
bool should_invalidate_styles_on_attribute_changes() const { return m_should_invalidate_styles_on_attribute_changes; }
void set_should_invalidate_styles_on_attribute_changes(bool b) { m_should_invalidate_styles_on_attribute_changes = b; }

View file

@ -30,6 +30,7 @@
namespace Web::Cookie {
struct Cookie;
struct ParsedCookie;
enum class Source;
}
namespace Web::CSS {

View file

@ -433,17 +433,17 @@ String InProcessWebView::page_did_request_prompt(const String& message, const St
return {};
}
String InProcessWebView::page_did_request_cookie(const URL& url)
String InProcessWebView::page_did_request_cookie(const URL& url, Cookie::Source source)
{
if (on_get_cookie)
return on_get_cookie(url);
return on_get_cookie(url, source);
return {};
}
void InProcessWebView::page_did_set_cookie(const URL& url, const String& cookie)
void InProcessWebView::page_did_set_cookie(const URL& url, const String& cookie, Cookie::Source source)
{
if (on_set_cookie)
on_set_cookie(url, cookie);
on_set_cookie(url, cookie, source);
}
}

View file

@ -111,8 +111,8 @@ private:
virtual void page_did_request_alert(const String&) override;
virtual bool page_did_request_confirm(const String&) override;
virtual String page_did_request_prompt(const String&, const String&) override;
virtual String page_did_request_cookie(const URL&) override;
virtual void page_did_set_cookie(const URL&, const String&) override;
virtual String page_did_request_cookie(const URL&, Cookie::Source) override;
virtual void page_did_set_cookie(const URL&, const String&, Cookie::Source) override;
void layout_and_sync_size();

View file

@ -277,7 +277,7 @@ void FrameLoader::resource_did_load()
// FIXME: Support multiple instances of the Set-Cookie response header.
auto set_cookie = resource()->response_headers().get("Set-Cookie");
if (set_cookie.has_value())
document->set_cookie(set_cookie.value());
document->set_cookie(set_cookie.value(), Cookie::Source::Http);
if (!url.fragment().is_empty())
frame().scroll_to_anchor(url.fragment());

View file

@ -365,17 +365,17 @@ void OutOfProcessWebView::notify_server_did_change_favicon(const Gfx::Bitmap& fa
on_favicon_change(favicon);
}
String OutOfProcessWebView::notify_server_did_request_cookie(Badge<WebContentClient>, const URL& url)
String OutOfProcessWebView::notify_server_did_request_cookie(Badge<WebContentClient>, const URL& url, Cookie::Source source)
{
if (on_get_cookie)
return on_get_cookie(url);
return on_get_cookie(url, source);
return {};
}
void OutOfProcessWebView::notify_server_did_set_cookie(Badge<WebContentClient>, const URL& url, const String& cookie)
void OutOfProcessWebView::notify_server_did_set_cookie(Badge<WebContentClient>, const URL& url, const String& cookie, Cookie::Source source)
{
if (on_set_cookie)
on_set_cookie(url, cookie);
on_set_cookie(url, cookie, source);
}
void OutOfProcessWebView::did_scroll()

View file

@ -79,8 +79,8 @@ public:
void notify_server_did_get_source(const URL& url, const String& source);
void notify_server_did_js_console_output(const String& method, const String& line);
void notify_server_did_change_favicon(const Gfx::Bitmap& favicon);
String notify_server_did_request_cookie(Badge<WebContentClient>, const URL& url);
void notify_server_did_set_cookie(Badge<WebContentClient>, const URL& url, const String& cookie);
String notify_server_did_request_cookie(Badge<WebContentClient>, const URL& url, Cookie::Source source);
void notify_server_did_set_cookie(Badge<WebContentClient>, const URL& url, const String& cookie, Cookie::Source source);
private:
OutOfProcessWebView();

View file

@ -111,8 +111,8 @@ public:
virtual void page_did_request_alert(const String&) { }
virtual bool page_did_request_confirm(const String&) { return false; }
virtual String page_did_request_prompt(const String&, const String&) { return {}; }
virtual String page_did_request_cookie(const URL&) { return {}; }
virtual void page_did_set_cookie(const URL&, const String&) { }
virtual String page_did_request_cookie(const URL&, Cookie::Source) { return {}; }
virtual void page_did_set_cookie(const URL&, const String&, Cookie::Source) { }
};
}

View file

@ -199,13 +199,13 @@ void WebContentClient::handle(const Messages::WebContentClient::DidChangeFavicon
OwnPtr<Messages::WebContentClient::DidRequestCookieResponse> WebContentClient::handle(const Messages::WebContentClient::DidRequestCookie& message)
{
auto result = m_view.notify_server_did_request_cookie({}, message.url());
auto result = m_view.notify_server_did_request_cookie({}, message.url(), static_cast<Cookie::Source>(message.source()));
return make<Messages::WebContentClient::DidRequestCookieResponse>(result);
}
void WebContentClient::handle(const Messages::WebContentClient::DidSetCookie& message)
{
m_view.notify_server_did_set_cookie({}, message.url(), message.cookie());
m_view.notify_server_did_set_cookie({}, message.url(), message.cookie(), static_cast<Cookie::Source>(message.source()));
}
}

View file

@ -48,8 +48,8 @@ public:
Function<void(DOM::Document*)> on_set_document;
Function<void(const URL&, const String&)> on_get_source;
Function<void(const String& method, const String& line)> on_js_console_output;
Function<String(const URL& url)> on_get_cookie;
Function<void(const URL& url, const String& cookie)> on_set_cookie;
Function<String(const URL& url, Cookie::Source source)> on_get_cookie;
Function<void(const URL& url, const String& cookie, Cookie::Source source)> on_set_cookie;
};
}