Bug 1224579: [webext] Fix the handling of domain cookies. r=evilpie

--HG-- extra : commitid : 90fX4lH7xMk extra : rebase_source : a553deb3f3f8863d8aa0712ba0b7e286f22fa619
2024-10-25 19:25:43 +00:00 · 2015-12-23 11:18:38 -05:00 · 2015-12-23 11:18:38 -05:00 · fbbdff2da8
commit fbbdff2da8
parent a31ad54f9b
2 changed files with 27 additions and 22 deletions
--- a/toolkit/components/extensions/ext-cookies.js
+++ b/toolkit/components/extensions/ext-cookies.js
@ -71,10 +71,19 @@ function checkSetCookiePermissions(extension, uri, cookie) {
    return false;
  }

-  // The cookie service ignores any leading '.' passed in, but adds one if the
-  // proposed domain is not the exact domain of the URL. So start by stripping
-  // it off.
-  cookie.host = cookie.host.replace(/^\./, "");
+  if (!cookie.host) {
+    // If no explicit host is specified, this becomes a host-only cookie.
+    cookie.host = uri.host;
+    return true;
+  }
+
+  // A leading "." is not expected, but is tolerated if it's not the only
+  // character in the host. If there is one, start by stripping it off. We'll
+  // add a new one on success.
+  if (cookie.host.length > 1) {
+    cookie.host = cookie.host.replace(/^\./, "");
+  }
+  cookie.host = cookie.host.toLowerCase();

  if (cookie.host != uri.host) {
    // Not an exact match, so check for a valid subdomain.
@ -104,11 +113,12 @@ function checkSetCookiePermissions(extension, uri, cookie) {

    // RFC2109 suggests that we may only add cookies for sub-domains 1-level
    // below us, but enforcing that would break the web, so we don't.
-
-    // This is a valid sub-domain cookie, so add (or re-add) a leading dot.
-    cookie.host = "." + cookie.host;
  }

+  // An explicit domain was passed, so add a leading "." to make this a
+  // domain cookie.
+  cookie.host = "." + cookie.host;
+
  // We don't do any significant checking of path permissions. RFC2109
  // suggests we only allow sites to add cookies for sub-paths, similar to
  // same origin policy enforcement, but no-one implements this.
@ -252,13 +262,6 @@ extensions.registerSchemaAPI("cookies", "cookies", (extension, context) => {
      set: function(details, callback) {
        let uri = NetUtil.newURI(details.url).QueryInterface(Ci.nsIURL);

-        let domain;
-        if (details.domain !== null) {
-          domain = details.domain.toLowerCase();
-        } else {
-          domain = uri.host; // "If omitted, the cookie becomes a host-only cookie."
-        }
-
        let path;
        if (details.path !== null) {
          path = details.path;
@ -278,7 +281,7 @@ extensions.registerSchemaAPI("cookies", "cookies", (extension, context) => {
        let expiry = isSession ? 0 : details.expirationDate;
        // Ignore storeID.

-        let cookieAttrs = { host: domain, path: path, isSecure: secure };
+        let cookieAttrs = { host: details.domain, path: path, isSecure: secure };
        if (checkSetCookiePermissions(extension, uri, cookieAttrs)) {
          // TODO: Set |lastError| when false.
          //
--- a/toolkit/components/extensions/test/mochitest/test_ext_cookies_permissions.html
+++ b/toolkit/components/extensions/test/mochitest/test_ext_cookies_permissions.html
@ -113,20 +113,22 @@ function* testCookies(options) {

  let cookieSvc = SpecialPowers.Services.cookies;

+  let domain = options.domain.replace(/^\.?/, ".");
+
  // This will be evicted after we add a fourth cookie.
-  cookieSvc.add(options.domain, "/", "evicted", "bar", options.secure, false, false, options.expiry);
+  cookieSvc.add(domain, "/", "evicted", "bar", options.secure, false, false, options.expiry);
  // This will be modified by the background script.
-  cookieSvc.add(options.domain, "/", "foo", "bar", options.secure, false, false, options.expiry);
+  cookieSvc.add(domain, "/", "foo", "bar", options.secure, false, false, options.expiry);
  // This will be deleted by the background script.
-  cookieSvc.add(options.domain, "/", "deleted", "bar", options.secure, false, false, options.expiry);
+  cookieSvc.add(domain, "/", "deleted", "bar", options.secure, false, false, options.expiry);


  yield extension.startup();

  yield extension.awaitMessage("change-cookies");
-  cookieSvc.add(options.domain, "/", "x", "y", options.secure, false, false, options.expiry);
-  cookieSvc.add(options.domain, "/", "x", "z", options.secure, false, false, options.expiry);
-  cookieSvc.remove(options.domain, "x", "/", false);
+  cookieSvc.add(domain, "/", "x", "y", options.secure, false, false, options.expiry);
+  cookieSvc.add(domain, "/", "x", "z", options.secure, false, false, options.expiry);
+  cookieSvc.remove(domain, "x", "/", false);
  extension.sendMessage("cookies-changed");

  yield extension.awaitFinish("cookie-permissions");
@ -177,7 +179,7 @@ function* testCookies(options) {
  }

  for (let cookie of cookies) {
-    cookieSvc.remove(options.domain, cookie.name, "/", false);
+    cookieSvc.remove(cookie.host, cookie.name, "/", false);
  }
  // Make sure we don't silently poison subsequent tests if something goes wrong.
  is(getCookies(options.domain).length, 0, "cookies cleared");