Add domain and path checks for secure cookies eviction

2025-08-03 04:30:10 +01:00 · 2016-12-08 02:05:38 -08:00 · 2016-12-08 02:05:38 -08:00 · 63a7e8efdf
commit 63a7e8efdf
parent 64b456f0e2
4 changed files with 37 additions and 17 deletions
--- a/components/net/cookie_storage.rs
+++ b/components/net/cookie_storage.rs
@ -33,10 +33,31 @@ impl CookieStorage {
    }

    // http://tools.ietf.org/html/rfc6265#section-5.3
-    pub fn remove(&mut self, cookie: &Cookie, source: CookieSource) -> Result<Option<Cookie>, ()> {
+    pub fn remove(&mut self, cookie: &Cookie, url: &ServoUrl, source: CookieSource) -> Result<Option<Cookie>, ()> {
        let domain = reg_host(cookie.cookie.domain.as_ref().unwrap_or(&"".to_string()));
        let cookies = self.cookies_map.entry(domain).or_insert(vec![]);

+        // https://www.ietf.org/id/draft-ietf-httpbis-cookie-alone-01.txt Step 2
+        if !cookie.cookie.secure && url.scheme() != "https" && url.scheme() != "wss" {
+            let new_domain = cookie.cookie.domain.as_ref().unwrap();
+            let new_path = cookie.cookie.path.as_ref().unwrap();
+
+            let any_overlapping = cookies.iter().any(|c| {
+                let existing_domain = c.cookie.domain.as_ref().unwrap();
+                let existing_path = c.cookie.path.as_ref().unwrap();
+
+                c.cookie.name == cookie.cookie.name &&
+                c.cookie.secure &&
+                (Cookie::domain_match(new_domain, existing_domain) ||
+                 Cookie::domain_match(existing_domain, new_domain)) &&
+                Cookie::path_match(new_path, existing_path)
+            });
+
+            if any_overlapping {
+                return Err(());
+            }
+        }
+
        // Step 11.1
        let position = cookies.iter().position(|c| {
            c.cookie.domain == cookie.cookie.domain &&
@ -62,8 +83,13 @@ impl CookieStorage {
    }

    // http://tools.ietf.org/html/rfc6265#section-5.3
-    pub fn push(&mut self, mut cookie: Cookie, source: CookieSource) {
-        let old_cookie = self.remove(&cookie, source);
+    pub fn push(&mut self, mut cookie: Cookie, url: &ServoUrl, source: CookieSource) {
+        // https://www.ietf.org/id/draft-ietf-httpbis-cookie-alone-01.txt Step 1
+        if cookie.cookie.secure && url.scheme() != "https" && url.scheme() != "wss" {
+            return;
+        }
+
+        let old_cookie = self.remove(&cookie, url, source);
        if old_cookie.is_err() {
            // This new cookie is not allowed to overwrite an existing one.
            return;
@ -120,7 +146,6 @@ impl CookieStorage {
            // Step 1
            c.appropriate_for_url(url, source)
        };
-
        // Step 2
        let domain = reg_host(url.host_str().unwrap_or(""));
        let cookies = self.cookies_map.entry(domain).or_insert(vec![]);