WebKit Bugzilla
Attachment 357576 Details for Bug 185077: Remove <meta http-equiv=set-cookie> support
[patch] To Land
bug-185077-20181218100455.patch (text/plain), 4.79 KB, created by Daniel Bates on 2018-12-18 10:04:56 PST
>Subversion Revision: 239338 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 979627908835a511fa6c904d8b2300da8c26221c..f135dc8694a96c061989ea290f99b7a4d07c14e5 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,23 @@ >+2018-12-18 Daniel Bates <dabates@apple.com> >+ >+ Remove <meta http-equiv=set-cookie> support >+ https://bugs.webkit.org/show_bug.cgi?id=185077 >+ <rdar://problem/41791397> >+ >+ Reviewed by Brent Fulgham. >+ >+ Remove support for the HTTP-equiv. pragma Set-Cookie to set a cookie. In <https://github.com/whatwg/html/pull/3649> >+ the HTML living standard was ammended to define this pragma as no-op. Chrome and Edge have also >+ removed support for this pragma and Firefox has an open bug to remove it. >+ >+ * dom/Document.cpp: >+ (WebCore::Document::processHttpEquiv): Emit a message that the Set-Cookie pragma is obsolete and >+ was ignored instead of setting the cookie. >+ * html/parser/XSSAuditor.cpp: >+ (WebCore::isDangerousHTTPEquiv): We no longer need to consider the Set-Cookie pragma >+ as dangerous and erase attribute http-equiv when we find it because we no longer honor >+ this pragma. >+ > 2018-12-18 Wenson Hsieh <wenson_hsieh@apple.com> > > Calling setValue() while typing should invoke -textDidChangeInTextField in the injected bundle >diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp >index d6be912b123ab17970e88b482146091383aabdda..b3ecbb01b970d8f31a2c12bd1d5302e3dad7805e 100644 >--- a/Source/WebCore/dom/Document.cpp >+++ b/Source/WebCore/dom/Document.cpp 
>@@ -3499,11 +3499,8 @@ void Document::processHttpEquiv(const String& equiv, const String& content, bool > } > > case HTTPHeaderName::SetCookie: >- // FIXME: make setCookie work on XML documents too; e.g. in case of <html:meta .....> >- if (is<HTMLDocument>(*this)) { >- // Exception (for sandboxed documents) ignored. >- downcast<HTMLDocument>(*this).setCookie(content); >- } >+ if (is<HTMLDocument>(*this)) >+ addConsoleMessage(MessageSource::Security, MessageLevel::Error, "The Set-Cookie meta tag is obsolete and was ignored. Use the HTTP header Set-Cookie or document.cookie instead."_s); > break; > > case HTTPHeaderName::ContentLanguage: >diff --git a/Source/WebCore/html/parser/XSSAuditor.cpp b/Source/WebCore/html/parser/XSSAuditor.cpp >index d635747c1f0632ae345d65dd1a5e530fee70adec..5eedb440d2945e3d1a4e1212bc9c29baaf9cdbb6 100644 >--- a/Source/WebCore/html/parser/XSSAuditor.cpp >+++ b/Source/WebCore/html/parser/XSSAuditor.cpp >@@ -149,7 +149,7 @@ static bool isNameOfInlineEventHandler(const Vector<UChar, 32>& name) > static bool isDangerousHTTPEquiv(const String& value) > { > String equiv = value.stripWhiteSpace(); >- return equalLettersIgnoringASCIICase(equiv, "refresh") || equalLettersIgnoringASCIICase(equiv, "set-cookie"); >+ return equalLettersIgnoringASCIICase(equiv, "refresh"); > } > > static inline String decode16BitUnicodeEscapeSequences(const String& string) >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index ee1f414ffb5c797ee963556c4aa6d21cba5bf67c..dbc9c60b04b49611241579cf1ba4bd0586506f3b 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog 
>@@ -1,3 +1,16 @@ >+2018-12-18 Daniel Bates <dabates@apple.com> >+ >+ Remove <meta http-equiv=set-cookie> support >+ https://bugs.webkit.org/show_bug.cgi?id=185077 >+ <rdar://problem/41791397> >+ >+ Reviewed by Brent Fulgham. >+ >+ Update test now that we no longer consider the HTTP equiv. pragma Set-Cookie as >+ dangerous (since it is ignored). >+ >+ * http/tests/security/xssAuditor/cookie-injection-expected.txt: >+ > 2018-12-18 Simon Fraser <simon.fraser@apple.com> > > Fix test failure after r239306. >diff --git a/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt b/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt >index 02b5878c311e5c3a86df7c7d748a86ff721c8ebc..d1ef8f548293c29f9cd8762102f4c55dc13fd853 100644 >--- a/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt >+++ b/LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt >@@ -1,3 +1,3 @@ >-CONSOLE MESSAGE: line 4: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?test=/security/xssAuditor/cookie-injection.html&alert-cookie=1&q=%3Cmeta%20http-equiv=%22Set-Cookie%22%20content=%22xssAuditorTestCookie=FAIL%22%20/%3E' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header. >+CONSOLE MESSAGE: line 4: The Set-Cookie meta tag is obsolete and was ignored. Use the HTTP header Set-Cookie or document.cookie instead. > ALERT: PASS >
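Review bot: In the Source/WebCore/ChangeLog entry, "ammended" should be "amended" ("the HTML living standard was ammended to define this pragma as no-op"). The two entries also spell the term differently ("HTTP-equiv. pragma" in Source/WebCore/ChangeLog, "HTTP equiv. pragma" in LayoutTests/ChangeLog); pick one.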
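Review bot: In Source/WebCore/dom/Document.cpp, the `case HTTPHeaderName::SetCookie:` branch still gates on `is<HTMLDocument>(*this)`, so a non-HTML document that carries this pragma gets no console message at all. The check was needed while it protected `downcast<HTMLDocument>(*this).setCookie(content)`, but `addConsoleMessage` is called without a downcast here, so the guard can be dropped to report the obsolete pragma consistently. If limiting the message to HTML documents is intentional, a short comment in place of the removed FIXME should say why.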
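Review bot: In Source/WebCore/html/parser/XSSAuditor.cpp, `isDangerousHTTPEquiv` now matches only "refresh", and nothing at this site records that dropping "set-cookie" is safe only because `Document::processHttpEquiv` no longer honors the pragma. That reasoning lives only in the ChangeLog. A one-line comment above the `return` naming that dependency would keep the two files in step if the handling in Document.cpp is ever changed.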
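Review bot: In LayoutTests/http/tests/security/xssAuditor/cookie-injection-expected.txt, the new expectation contains no XSS Auditor message, so this test no longer exercises the auditor; it now passes because the reflected `<meta http-equiv="Set-Cookie">` is ignored and logs the obsolete-pragma error. The patch adds no test for that new behaviour outside the reflected-injection case. Consider a dedicated test, outside xssAuditor/, that serves the meta tag directly and checks both the console message and that no cookie was set.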