Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upabout:blank iframe contentDocument.cookie doesn't share cookies with parent document #25607
Comments
|
It occurs to me this could go a bit deep; we currently only have the sense of cookies "for url", but a non-http(s) url doesn't have to uniquely map to a domain. Blob: and javascript: srcs would also have this sort of trouble. |
|
When retrieving cookies, we should be using the origin of the incumbent global to determine the scope. Blobs and javascript URLs all define a meaningful origin based on the document that loaded them. |
|
CookieStorage::cookies_for_url is a step-by-step implementation of https://tools.ietf.org/html/rfc6265#section-5.4, which is correct for assembling the cookies that need to be sent in an HTTP header. We call this same method in non-HTTP cases, where it ends up with an empty domain string since it's finding the domain only by string url-parsing. Other methods in components/net/cookie_storage.rs do similarly. |
|
Hmm, it's a little bit more complex than I assumed at first. Since the cookies do care about the document path, we can't just send an origin. We will need our documents to have some notion of a page URL that is appropriate for fetching cookies from an about:blank document, but doesn't actually override the about:blank page URL. |
In WPT test cookies/navigated-away.html, there's an iframe with an explicit src of about:blank. A script in the parent sets document.cookie, then expects the iframe's contentDocument.cookie to reflect that same cookie. It does not, probably because we don't have the correct concept of origin for an about:blank iframe. This fails the test early, before the titular part of the test navigates the iframe away.