Browser+LibWeb+WebContent: Track the source of document.cookie requests

To implement the HttpOnly attribute, the CookieJar needs to know where a request originated from. Namely, it needs to distinguish between HTTP / non-HTTP (i.e. JavaScript) requests. When the HttpOnly attribute is set, requests from JavaScript are to be blocked.
author: Timothy Flynn <trflynn89@pm.me> 2021-04-13 17:30:41 -0400
committer: Andreas Kling <kling@serenityos.org> 2021-04-14 16:07:46 +0200
commit: c00760c5f9ca72b89b39feb7042978da2f15eef3 (patch)
tree: fcec9f5b592b3472593c4f136c90e2f5595eac67
parent: 7193e518d1190e54ba3a94cc42c4905a7be786a1 (diff)
download: serenity-c00760c5f9ca72b89b39feb7042978da2f15eef3.zip
20 files changed, 54 insertions, 47 deletions
diff --git a/Userland/Applications/Browser/CookieJar.cpp b/Userland/Applications/Browser/CookieJar.cpp
index 97b100f034..0ec5219f30 100644
--- a/Userland/Applications/Browser/CookieJar.cpp
+++ b/Userland/Applications/Browser/CookieJar.cpp
@@ -33,7 +33,7 @@
 
 namespace Browser {
 
-String CookieJar::get_cookie(const URL& url)
+String CookieJar::get_cookie(const URL& url, Web::Cookie::Source)
 {
     purge_expired_cookies();
 
@@ -55,7 +55,7 @@ String CookieJar::get_cookie(const URL& url)
     return builder.build();
 }
 
-void CookieJar::set_cookie(const URL& url, const String& cookie_string)
+void CookieJar::set_cookie(const URL& url, const String& cookie_string, Web::Cookie::Source)
 {
     auto domain = canonicalize_domain(url);
     if (!domain.has_value())
diff --git a/Userland/Applications/Browser/CookieJar.h b/Userland/Applications/Browser/CookieJar.h
index 1b2d17aa1b..7c791f2806 100644
--- a/Userland/Applications/Browser/CookieJar.h
+++ b/Userland/Applications/Browser/CookieJar.h
@@ -46,8 +46,8 @@ struct CookieStorageKey {
 
 class CookieJar {
 public:
-    String get_cookie(const URL& url);
-    void set_cookie(const URL& url, const String& cookie);
+    String get_cookie(const URL& url, Web::Cookie::Source source);
+    void set_cookie(const URL& url, const String& cookie, Web::Cookie::Source source);
     void dump_cookies() const;
 
 private:
diff --git a/Userland/Applications/Browser/Tab.cpp b/Userland/Applications/Browser/Tab.cpp
index d976378843..7d39864150 100644
--- a/Userland/Applications/Browser/Tab.cpp
+++ b/Userland/Applications/Browser/Tab.cpp
@@ -242,15 +242,15 @@ Tab::Tab(Type type)
             on_favicon_change(icon);
     };
 
-    hooks().on_get_cookie = [this](auto& url) -> String {
+    hooks().on_get_cookie = [this](auto& url, auto source) -> String {
         if (on_get_cookie)
-            return on_get_cookie(url);
+            return on_get_cookie(url, source);
         return {};
     };
 
-    hooks().on_set_cookie = [this](auto& url, auto& cookie) {
+    hooks().on_set_cookie = [this](auto& url, auto& cookie, auto source) {
         if (on_set_cookie)
-            on_set_cookie(url, cookie);
+            on_set_cookie(url, cookie, source);
     };
 
     hooks().on_get_source = [this](auto& url, auto& source) {
diff --git a/Userland/Applications/Browser/Tab.h b/Userland/Applications/Browser/Tab.h
index 8c806dcfb9..b2f1ca0165 100644
--- a/Userland/Applications/Browser/Tab.h
+++ b/Userland/Applications/Browser/Tab.h
@@ -70,8 +70,8 @@ public:
     Function<void(const URL&)> on_tab_open_request;
     Function<void(Tab&)> on_tab_close_request;
     Function<void(const Gfx::Bitmap&)> on_favicon_change;
-    Function<String(const URL& url)> on_get_cookie;
-    Function<void(const URL& url, const String& cookie)> on_set_cookie;
+    Function<String(const URL& url, Web::Cookie::Source source)> on_get_cookie;
+    Function<void(const URL& url, const String& cookie, Web::Cookie::Source source)> on_set_cookie;
     Function<void()> on_dump_cookies;
 
     const String& title() const { return m_title; }
diff --git a/Userland/Applications/Browser/main.cpp b/Userland/Applications/Browser/main.cpp
index 0d995bf9ca..4f4a73c75a 100644
--- a/Userland/Applications/Browser/main.cpp
+++ b/Userland/Applications/Browser/main.cpp
@@ -219,12 +219,12 @@ int main(int argc, char** argv)
             });
         };
 
-        new_tab.on_get_cookie = [&](auto& url) -> String {
-            return cookie_jar.get_cookie(url);
+        new_tab.on_get_cookie = [&](auto& url, auto source) -> String {
+            return cookie_jar.get_cookie(url, source);
         };
 
-        new_tab.on_set_cookie = [&](auto& url, auto& cookie) {
-            cookie_jar.set_cookie(url, cookie);
+        new_tab.on_set_cookie = [&](auto& url, auto& cookie, auto source) {
+            cookie_jar.set_cookie(url, cookie, source);
         };
 
         new_tab.on_dump_cookies = [&]() {
diff --git a/Userland/Libraries/LibWeb/Cookie/Cookie.h b/Userland/Libraries/LibWeb/Cookie/Cookie.h
index 48f06569fa..fd7bb11533 100644
--- a/Userland/Libraries/LibWeb/Cookie/Cookie.h
+++ b/Userland/Libraries/LibWeb/Cookie/Cookie.h
@@ -31,6 +31,11 @@
 
 namespace Web::Cookie {
 
+enum class Source {
+    NonHttp,
+    Http,
+};
+
 struct Cookie {
     String name;
     String value;
diff --git a/Userland/Libraries/LibWeb/DOM/Document.cpp b/Userland/Libraries/LibWeb/DOM/Document.cpp
index 3cf3a18aa1..a4f77872a4 100644
--- a/Userland/Libraries/LibWeb/DOM/Document.cpp
+++ b/Userland/Libraries/LibWeb/DOM/Document.cpp
@@ -821,17 +821,17 @@ void Document::completely_finish_loading()
     dispatch_event(DOM::Event::create(HTML::EventNames::load));
 }
 
-String Document::cookie()
+String Document::cookie(Cookie::Source source)
 {
     if (auto* page = this->page())
-        return page->client().page_did_request_cookie(m_url);
+        return page->client().page_did_request_cookie(m_url, source);
     return {};
 }
 
-void Document::set_cookie(String cookie)
+void Document::set_cookie(String cookie, Cookie::Source source)
 {
     if (auto* page = this->page())
-        page->client().page_did_set_cookie(m_url, cookie);
+        page->client().page_did_set_cookie(m_url, cookie, source);
 }
 
 }
diff --git a/Userland/Libraries/LibWeb/DOM/Document.h b/Userland/Libraries/LibWeb/DOM/Document.h
index 27d350b256..5f63b4d408 100644
--- a/Userland/Libraries/LibWeb/DOM/Document.h
+++ b/Userland/Libraries/LibWeb/DOM/Document.h
@@ -40,6 +40,7 @@
 #include <LibWeb/CSS/CSSStyleSheet.h>
 #include <LibWeb/CSS/StyleResolver.h>
 #include <LibWeb/CSS/StyleSheetList.h>
+#include <LibWeb/Cookie/Cookie.h>
 #include <LibWeb/DOM/DOMImplementation.h>
 #include <LibWeb/DOM/ExceptionOr.h>
 #include <LibWeb/DOM/NonElementParentNode.h>
@@ -73,8 +74,8 @@ public:
 
     virtual ~Document() override;
 
-    String cookie();
-    void set_cookie(String);
+    String cookie(Cookie::Source = Cookie::Source::NonHttp);
+    void set_cookie(String, Cookie::Source = Cookie::Source::NonHttp);
 
     bool should_invalidate_styles_on_attribute_changes() const { return m_should_invalidate_styles_on_attribute_changes; }
     void set_should_invalidate_styles_on_attribute_changes(bool b) { m_should_invalidate_styles_on_attribute_changes = b; }
diff --git a/Userland/Libraries/LibWeb/Forward.h b/Userland/Libraries/LibWeb/Forward.h
index 8bc90a2320..02476139c2 100644
--- a/Userland/Libraries/LibWeb/Forward.h
+++ b/Userland/Libraries/LibWeb/Forward.h
@@ -30,6 +30,7 @@
 namespace Web::Cookie {
 struct Cookie;
 struct ParsedCookie;
+enum class Source;
 }
 
 namespace Web::CSS {
diff --git a/Userland/Libraries/LibWeb/InProcessWebView.cpp b/Userland/Libraries/LibWeb/InProcessWebView.cpp
index 7a8745bfcb..61cbc087a8 100644
--- a/Userland/Libraries/LibWeb/InProcessWebView.cpp
+++ b/Userland/Libraries/LibWeb/InProcessWebView.cpp
@@ -433,17 +433,17 @@ String InProcessWebView::page_did_request_prompt(const String& message, const St
     return {};
 }
 
-String InProcessWebView::page_did_request_cookie(const URL& url)
+String InProcessWebView::page_did_request_cookie(const URL& url, Cookie::Source source)
 {
     if (on_get_cookie)
-        return on_get_cookie(url);
+        return on_get_cookie(url, source);
     return {};
 }
 
-void InProcessWebView::page_did_set_cookie(const URL& url, const String& cookie)
+void InProcessWebView::page_did_set_cookie(const URL& url, const String& cookie, Cookie::Source source)
 {
     if (on_set_cookie)
-        on_set_cookie(url, cookie);
+        on_set_cookie(url, cookie, source);
 }
 
 }
diff --git a/Userland/Libraries/LibWeb/InProcessWebView.h b/Userland/Libraries/LibWeb/InProcessWebView.h
index f718c63690..46db6e319c 100644
--- a/Userland/Libraries/LibWeb/InProcessWebView.h
+++ b/Userland/Libraries/LibWeb/InProcessWebView.h
@@ -111,8 +111,8 @@ private:
     virtual void page_did_request_alert(const String&) override;
     virtual bool page_did_request_confirm(const String&) override;
     virtual String page_did_request_prompt(const String&, const String&) override;
-    virtual String page_did_request_cookie(const URL&) override;
-    virtual void page_did_set_cookie(const URL&, const String&) override;
+    virtual String page_did_request_cookie(const URL&, Cookie::Source) override;
+    virtual void page_did_set_cookie(const URL&, const String&, Cookie::Source) override;
 
     void layout_and_sync_size();
 
diff --git a/Userland/Libraries/LibWeb/Loader/FrameLoader.cpp b/Userland/Libraries/LibWeb/Loader/FrameLoader.cpp
index 19f1f0b369..496cb38d8d 100644
--- a/Userland/Libraries/LibWeb/Loader/FrameLoader.cpp
+++ b/Userland/Libraries/LibWeb/Loader/FrameLoader.cpp
@@ -277,7 +277,7 @@ void FrameLoader::resource_did_load()
     // FIXME: Support multiple instances of the Set-Cookie response header.
     auto set_cookie = resource()->response_headers().get("Set-Cookie");
     if (set_cookie.has_value())
-        document->set_cookie(set_cookie.value());
+        document->set_cookie(set_cookie.value(), Cookie::Source::Http);
 
     if (!url.fragment().is_empty())
         frame().scroll_to_anchor(url.fragment());
diff --git a/Userland/Libraries/LibWeb/OutOfProcessWebView.cpp b/Userland/Libraries/LibWeb/OutOfProcessWebView.cpp
index 017a7f258e..6c069edf69 100644
--- a/Userland/Libraries/LibWeb/OutOfProcessWebView.cpp
+++ b/Userland/Libraries/LibWeb/OutOfProcessWebView.cpp
@@ -365,17 +365,17 @@ void OutOfProcessWebView::notify_server_did_change_favicon(const Gfx::Bitmap& fa
         on_favicon_change(favicon);
 }
 
-String OutOfProcessWebView::notify_server_did_request_cookie(Badge<WebContentClient>, const URL& url)
+String OutOfProcessWebView::notify_server_did_request_cookie(Badge<WebContentClient>, const URL& url, Cookie::Source source)
 {
     if (on_get_cookie)
-        return on_get_cookie(url);
+        return on_get_cookie(url, source);
     return {};
 }
 
-void OutOfProcessWebView::notify_server_did_set_cookie(Badge<WebContentClient>, const URL& url, const String& cookie)
+void OutOfProcessWebView::notify_server_did_set_cookie(Badge<WebContentClient>, const URL& url, const String& cookie, Cookie::Source source)
 {
     if (on_set_cookie)
-        on_set_cookie(url, cookie);
+        on_set_cookie(url, cookie, source);
 }
 
 void OutOfProcessWebView::did_scroll()
diff --git a/Userland/Libraries/LibWeb/OutOfProcessWebView.h b/Userland/Libraries/LibWeb/OutOfProcessWebView.h
index 5c603b6a6d..386cd92be7 100644
--- a/Userland/Libraries/LibWeb/OutOfProcessWebView.h
+++ b/Userland/Libraries/LibWeb/OutOfProcessWebView.h
@@ -79,8 +79,8 @@ public:
     void notify_server_did_get_source(const URL& url, const String& source);
     void notify_server_did_js_console_output(const String& method, const String& line);
     void notify_server_did_change_favicon(const Gfx::Bitmap& favicon);
-    String notify_server_did_request_cookie(Badge<WebContentClient>, const URL& url);
-    void notify_server_did_set_cookie(Badge<WebContentClient>, const URL& url, const String& cookie);
+    String notify_server_did_request_cookie(Badge<WebContentClient>, const URL& url, Cookie::Source source);
+    void notify_server_did_set_cookie(Badge<WebContentClient>, const URL& url, const String& cookie, Cookie::Source source);
 
 private:
     OutOfProcessWebView();
diff --git a/Userland/Libraries/LibWeb/Page/Page.h b/Userland/Libraries/LibWeb/Page/Page.h
index c831efddaa..2df1f2a1fd 100644
--- a/Userland/Libraries/LibWeb/Page/Page.h
+++ b/Userland/Libraries/LibWeb/Page/Page.h
@@ -111,8 +111,8 @@ public:
     virtual void page_did_request_alert(const String&) { }
     virtual bool page_did_request_confirm(const String&) { return false; }
     virtual String page_did_request_prompt(const String&, const String&) { return {}; }
-    virtual String page_did_request_cookie(const URL&) { return {}; }
-    virtual void page_did_set_cookie(const URL&, const String&) { }
+    virtual String page_did_request_cookie(const URL&, Cookie::Source) { return {}; }
+    virtual void page_did_set_cookie(const URL&, const String&, Cookie::Source) { }
 };
 
 }
diff --git a/Userland/Libraries/LibWeb/WebContentClient.cpp b/Userland/Libraries/LibWeb/WebContentClient.cpp
index d7e95be831..dd25e07e3a 100644
--- a/Userland/Libraries/LibWeb/WebContentClient.cpp
+++ b/Userland/Libraries/LibWeb/WebContentClient.cpp
@@ -199,13 +199,13 @@ void WebContentClient::handle(const Messages::WebContentClient::DidChangeFavicon
 
 OwnPtr<Messages::WebContentClient::DidRequestCookieResponse> WebContentClient::handle(const Messages::WebContentClient::DidRequestCookie& message)
 {
-    auto result = m_view.notify_server_did_request_cookie({}, message.url());
+    auto result = m_view.notify_server_did_request_cookie({}, message.url(), static_cast<Cookie::Source>(message.source()));
     return make<Messages::WebContentClient::DidRequestCookieResponse>(result);
 }
 
 void WebContentClient::handle(const Messages::WebContentClient::DidSetCookie& message)
 {
-    m_view.notify_server_did_set_cookie({}, message.url(), message.cookie());
+    m_view.notify_server_did_set_cookie({}, message.url(), message.cookie(), static_cast<Cookie::Source>(message.source()));
 }
 
 }
diff --git a/Userland/Libraries/LibWeb/WebViewHooks.h b/Userland/Libraries/LibWeb/WebViewHooks.h
index 748d4ce356..a8f4d2911c 100644
--- a/Userland/Libraries/LibWeb/WebViewHooks.h
+++ b/Userland/Libraries/LibWeb/WebViewHooks.h
@@ -48,8 +48,8 @@ public:
     Function<void(DOM::Document*)> on_set_document;
     Function<void(const URL&, const String&)> on_get_source;
     Function<void(const String& method, const String& line)> on_js_console_output;
-    Function<String(const URL& url)> on_get_cookie;
-    Function<void(const URL& url, const String& cookie)> on_set_cookie;
+    Function<String(const URL& url, Cookie::Source source)> on_get_cookie;
+    Function<void(const URL& url, const String& cookie, Cookie::Source source)> on_set_cookie;
 };
 
 }
diff --git a/Userland/Services/WebContent/PageHost.cpp b/Userland/Services/WebContent/PageHost.cpp
index c470295a13..f7ae26e18f 100644
--- a/Userland/Services/WebContent/PageHost.cpp
+++ b/Userland/Services/WebContent/PageHost.cpp
@@ -208,14 +208,14 @@ void PageHost::page_did_request_image_context_menu(const Gfx::IntPoint& content_
     m_client.post_message(Messages::WebContentClient::DidRequestImageContextMenu(content_position, url, target, modifiers, bitmap->to_shareable_bitmap()));
 }
 
-String PageHost::page_did_request_cookie(const URL& url)
+String PageHost::page_did_request_cookie(const URL& url, Web::Cookie::Source source)
 {
-    return m_client.send_sync<Messages::WebContentClient::DidRequestCookie>(url)->cookie();
+    return m_client.send_sync<Messages::WebContentClient::DidRequestCookie>(url, static_cast<u8>(source))->cookie();
 }
 
-void PageHost::page_did_set_cookie(const URL& url, const String& cookie)
+void PageHost::page_did_set_cookie(const URL& url, const String& cookie, Web::Cookie::Source source)
 {
-    m_client.post_message(Messages::WebContentClient::DidSetCookie(url, cookie));
+    m_client.post_message(Messages::WebContentClient::DidSetCookie(url, cookie, static_cast<u8>(source)));
 }
 
 }
diff --git a/Userland/Services/WebContent/PageHost.h b/Userland/Services/WebContent/PageHost.h
index aaa41b61be..6872a51a13 100644
--- a/Userland/Services/WebContent/PageHost.h
+++ b/Userland/Services/WebContent/PageHost.h
@@ -79,8 +79,8 @@ private:
     virtual String page_did_request_prompt(const String&, const String&) override;
     virtual void page_did_change_favicon(const Gfx::Bitmap&) override;
     virtual void page_did_request_image_context_menu(const Gfx::IntPoint&, const URL&, const String& target, unsigned modifiers, const Gfx::Bitmap*) override;
-    virtual String page_did_request_cookie(const URL&) override;
-    virtual void page_did_set_cookie(const URL&, const String&) override;
+    virtual String page_did_request_cookie(const URL&, Web::Cookie::Source) override;
+    virtual void page_did_set_cookie(const URL&, const String&, Web::Cookie::Source) override;
 
     explicit PageHost(ClientConnection&);
 
diff --git a/Userland/Services/WebContent/WebContentClient.ipc b/Userland/Services/WebContent/WebContentClient.ipc
index c9b7bfc6cf..a93fd8ed7c 100644
--- a/Userland/Services/WebContent/WebContentClient.ipc
+++ b/Userland/Services/WebContent/WebContentClient.ipc
@@ -25,6 +25,6 @@ endpoint WebContentClient = 90
     DidGetSource(URL url, String source) =|
     DidJSConsoleOutput(String method, String line) =|
     DidChangeFavicon(Gfx::ShareableBitmap favicon) =|
-    DidRequestCookie(URL url) => (String cookie)
-    DidSetCookie(URL url, String cookie) =|
+    DidRequestCookie(URL url, u8 source) => (String cookie)
+    DidSetCookie(URL url, String cookie, u8 source) =|
 }
author	Timothy Flynn <trflynn89@pm.me>	2021-04-13 17:30:41 -0400
committer	Andreas Kling <kling@serenityos.org>	2021-04-14 16:07:46 +0200
commit	c00760c5f9ca72b89b39feb7042978da2f15eef3 (patch)
tree	fcec9f5b592b3472593c4f136c90e2f5595eac67
parent	7193e518d1190e54ba3a94cc42c4905a7be786a1 (diff)
download	serenity-c00760c5f9ca72b89b39feb7042978da2f15eef3.zip