From 85083fce2da7a270e324fd951b7f3d03a50aef1b Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Mon, 20 Nov 2017 14:20:39 +0100 Subject: Implement "cookie-averse document objects". See: https://html.spec.whatwg.org/multipage/dom.html#cookie-averse-document-object This resolves #196. --- dom/base/nsContentSink.cpp | 5 +++++ dom/base/nsIDocument.h | 28 ++++++++++++++++++++++++++++ dom/html/nsHTMLDocument.cpp | 10 ++++++++++ 3 files changed, 43 insertions(+) (limited to 'dom') diff --git a/dom/base/nsContentSink.cpp b/dom/base/nsContentSink.cpp index 3d6f069d2..85b3d07bf 100644 --- a/dom/base/nsContentSink.cpp +++ b/dom/base/nsContentSink.cpp @@ -305,6 +305,11 @@ nsContentSink::ProcessHeaderData(nsIAtom* aHeader, const nsAString& aValue, mDocument->SetHeaderData(aHeader, aValue); if (aHeader == nsGkAtoms::setcookie) { + // Don't allow setting cookies in cookie-averse documents. + if (mDocument->IsCookieAverse()) { + return NS_OK; + } + // Note: Necko already handles cookies set via the channel. We can't just // call SetCookie on the channel because we want to do some security checks // here. diff --git a/dom/base/nsIDocument.h b/dom/base/nsIDocument.h index 5b10c9914..8f35e9ba5 100644 --- a/dom/base/nsIDocument.h +++ b/dom/base/nsIDocument.h @@ -1923,6 +1923,34 @@ public: return mMarkedCCGeneration; } + /** + * Returns whether this document is cookie-averse. See + * https://html.spec.whatwg.org/multipage/dom.html#cookie-averse-document-object + */ + bool IsCookieAverse() const + { + // If we are a document that "has no browsing context." + if (!GetInnerWindow()) { + return true; + } + + // If we are a document "whose URL's scheme is not a network scheme." + // NB: Explicitly allow file: URIs to store cookies. + nsCOMPtr codebaseURI; + NodePrincipal()->GetURI(getter_AddRefs(codebaseURI)); + + if (!codebaseURI) { + return true; + } + + nsAutoCString scheme; + codebaseURI->GetScheme(scheme); + return !scheme.EqualsLiteral("http") && + !scheme.EqualsLiteral("https") && + !scheme.EqualsLiteral("ftp") && + !scheme.EqualsLiteral("file"); + } + bool IsLoadedAsData() { return mLoadedAsData; diff --git a/dom/html/nsHTMLDocument.cpp b/dom/html/nsHTMLDocument.cpp index 5e6302941..7d66aab04 100644 --- a/dom/html/nsHTMLDocument.cpp +++ b/dom/html/nsHTMLDocument.cpp @@ -1255,6 +1255,11 @@ nsHTMLDocument::GetCookie(nsAString& aCookie, ErrorResult& rv) rv.Throw(NS_ERROR_DOM_SECURITY_ERR); return; } + + // If the document is a cookie-averse document, return an empty string. + if (IsCookieAverse()) { + return; + } // not having a cookie service isn't an error nsCOMPtr service = do_GetService(NS_COOKIESERVICE_CONTRACTID); @@ -1310,6 +1315,11 @@ nsHTMLDocument::SetCookie(const nsAString& aCookie, ErrorResult& rv) return; } + // If the document is a cookie-averse document, do nothing. + if (IsCookieAverse()) { + return; + } + // not having a cookie service isn't an error nsCOMPtr service = do_GetService(NS_COOKIESERVICE_CONTRACTID); if (service && mDocumentURI) { -- cgit v1.2.3