authorSiwei Li <siwei.li@live.com>2023-01-14 16:14:26 -0800
committerSiwei Li <siwei.li@live.com>2023-01-14 17:35:03 -0800
commit81242200168043bd71295845df10206cd47a227a (patch)
tree05165e3cd5dfdea6541a0911b84a239ac04f2dfe
parentc009aefa3749f99fcbacac050ee3e0cf779be463 (diff)
SameSite=None cookies should be rejected unless the Secure attribute is set.
-rw-r--r--libsoup/cookies/soup-cookie-jar.c6
-rw-r--r--tests/samesite-test.c10
2 files changed, 13 insertions, 3 deletions
diff --git a/libsoup/cookies/soup-cookie-jar.c b/libsoup/cookies/soup-cookie-jar.c
index 35c1d7b3..2cc1d410 100644
--- a/libsoup/cookies/soup-cookie-jar.c
+++ b/libsoup/cookies/soup-cookie-jar.c
@@ -618,6 +618,12 @@ soup_cookie_jar_add_cookie_full (SoupCookieJar *jar, SoupCookie *cookie, GUri *u
return;
}
+ /* SameSite=None cookies are rejected unless the Secure attribute is set. */
+ if (soup_cookie_get_same_site_policy (cookie) == SOUP_SAME_SITE_POLICY_NONE && !soup_cookie_get_secure (cookie)) {
+ soup_cookie_free (cookie);
+ return;
+ }
+
g_mutex_lock (&priv->mutex);
old_cookies = g_hash_table_lookup (priv->domains, soup_cookie_get_domain (cookie));
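Review bot: The new rejection on the added `if` line is silent — the cookie is freed and the function returns with no trace, so callers of soup_cookie_jar_add_cookie_full (and presumably the public add functions built on it) cannot distinguish "stored" from "discarded"; this matches the existing rejection just above (`return; }`), but the public documentation of the add functions should now state it, e.g. `A cookie with SameSite=None that does not also carry the Secure attribute is discarded.` It is also worth confirming that the same-site policy of a cookie constructed or parsed without a SameSite attribute is distinct from SOUP_SAME_SITE_POLICY_NONE; if the default is NONE, this check would discard every plain non-Secure cookie, and the test fixture's switch to https:// origins could be masking that. The check runs before `g_mutex_lock (&priv->mutex);`, so nothing is held on the early return. soup_cookie_jar_add_cookie_full starts and ends outside the hunk.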
diff --git a/tests/samesite-test.c b/tests/samesite-test.c
index 91d31216..b7593467 100644
--- a/tests/samesite-test.c
+++ b/tests/samesite-test.c
@@ -13,14 +13,17 @@ static void
same_site_setup (SameSiteFixture *fixture,
gconstpointer data)
{
- SoupCookie *cookie_none, *cookie_lax, *cookie_strict, *cookie_default;
+ SoupCookie *cookie_none, *cookie_none_secure, *cookie_lax, *cookie_strict, *cookie_default;
- fixture->origin_uri = g_uri_parse ("http://127.0.0.1", SOUP_HTTP_URI_FLAGS, NULL);
- fixture->cross_uri = g_uri_parse ("http://localhost", SOUP_HTTP_URI_FLAGS, NULL);
+ fixture->origin_uri = g_uri_parse ("https://127.0.0.1", SOUP_HTTP_URI_FLAGS, NULL);
+ fixture->cross_uri = g_uri_parse ("https://localhost", SOUP_HTTP_URI_FLAGS, NULL);
fixture->jar = soup_cookie_jar_new ();
cookie_none = soup_cookie_new ("none", "1", "127.0.0.1", "/", 1000);
soup_cookie_set_same_site_policy (cookie_none, SOUP_SAME_SITE_POLICY_NONE);
+ cookie_none_secure = soup_cookie_new ("none_secure", "1", "127.0.0.1", "/", 1000);
+ soup_cookie_set_same_site_policy (cookie_none_secure, SOUP_SAME_SITE_POLICY_NONE);
+ soup_cookie_set_secure(cookie_none_secure, TRUE);
cookie_lax = soup_cookie_new ("lax", "1", "127.0.0.1", "/", 1000);
soup_cookie_set_same_site_policy (cookie_lax, SOUP_SAME_SITE_POLICY_LAX);
cookie_strict = soup_cookie_new ("strict", "1", "127.0.0.1", "/", 1000);
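Review bot: `soup_cookie_set_secure(cookie_none_secure, TRUE);` omits the space before the argument list that every neighbouring call uses (`soup_cookie_set_same_site_policy (cookie_none_secure, ...`); write it as `soup_cookie_set_secure (cookie_none_secure, TRUE);`. Switching both fixture URIs from http:// to https:// means the fixture no longer exercises an insecure origin at all; if the jar also refuses Secure cookies for non-https URIs, a separate case should keep that path covered. The assertions that confirm `cookie_none` is absent from the jar while `cookie_none_secure` is present are not in this hunk, so that behaviour is only inferred here. same_site_setup continues in the second hunk and past the end of it.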
@@ -28,6 +31,7 @@ same_site_setup (SameSiteFixture *fixture,
cookie_default = soup_cookie_new ("default", "1", "127.0.0.1", "/", 1000);
soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, cookie_none);
+ soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, cookie_none_secure);
soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, cookie_lax);
soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, cookie_strict);
soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, cookie_default);