-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
about:blank gets to inherit cookies, too #332
Comments
So what Gecko does here isn't to copy the cookies, since those can obviously change. Instead, what Gecko does is that it has a concept of "origin URI" which is normally the same as the document URI (e.g. when a document is loaded over HTTP). When origins are inherited/aliased, the origin URI is inherited as well. Access to I looked into what Blink does, and they have a "cookieURL" on their Document object, with the following comment:
which sounds basically like the Gecko setup with slightly different names. WebKit has the same thing as Blink; I assume it predates the fork (not surprising). |
Okay, so that means documents have at least three associated URLs:
I guess that's easy enough. It's still unclear whether we are inheriting all this state correctly in the first place though. E.g., it doesn't seem like HTTPS state gets inherited when creating an about:blank browsing context. @mikewest? |
If we're creating a new top-level browsing context, I'd suggest that we shouldn't inherit this state. If we're creating a nested or auxiliary browsing context, inheriting the various bits of state for |
That makes sense. This should also happen when navigating to a non-initial about:blank right? Although in that case do you inherit from the parent or the source browsing context? |
In Gecko's case, from the source. Note that there might not be a parent at all (consider navigating a toplevel window to about:blank). |
I agree that inheriting from the navigation's source is the right thing to do. It's not what WebKit/Blink does, though, and it would be a pretty large effort to change that. |
That's surprising, in light of the above-cited source comments that say that cookie inheritance follows security context inheritance, because security context inheritance does come from the source, right? |
It does follow context inheritance, but Blink inherits the security context for
It will result in a frame that's same-origin with |
I see. Except in the In any case, it sounds like what Blink/WebKit are doing there is already not following what the spec says should happen for origin inheritance... :( What do you do for navigation of a toplevel window? |
Correct. We transfer the origin from the window's opener in the same way Gecko does for
That's correct. Blink/WebKit have never followed the spec's recommendations on this point, though I think I agree that the specced inheritance behavior is better than what we currently implement.
We inherit from the opener for cases where a top-level window navigates to |
FWIW, the HTML spec currently says that https://html.spec.whatwg.org/#dom-document-cookie says that |
Yeah, that should probably be based on whether or not the document has an opaque origin. |
Per https://bugzilla.mozilla.org/show_bug.cgi?id=1223885 it seems that in the majority of implementations cookies cross the about:blank boundary too, just like HTTPS state, etc.
It seems this copying is not currently happening when creating a new browsing context though: https://html.spec.whatwg.org/#creating-a-new-browsing-context. Hmm.
The text was updated successfully, but these errors were encountered: