PATCH: Better cross-domain cookie detection [BR 66090]
Waldo Bastian
bastian at kde.org
Sun Nov 30 14:59:05 GMT 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sun November 30 2003 15:50, Dawit A. wrote:
> On Sunday 30 November 2003 09:01, Waldo Bastian wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Sun November 30 2003 02:40, Dawit A. wrote:
> > > Hi,
> > >
> > > The following patch is intended to address the malfunctioning of
> > > cross-domain cookie detection (BR# 66090) when the web pages contain
> > > IFRAMES or FRAMES.
> > >
> > > The patch seems to correctly catch cross-domain requests even for
> > > iframes, but I am still being prompted for cookies that I should not
> > > be. Waldo, any ideas ? Hmm... I guess I should make sure the meta-data
> > > is set, i.e. the crossDomain function works properly.
> >
> > Ah, very nice, I had a quick look into this already. I also noticed that
> > the cross-domain check needs to be done in the http slave, instead of the
> > khtml part. Otherwise it will not work correctly in combination with
> > redirections.
> >
> > E.g. http://www.kde.org loads the image
> > http://www.kde.org/ads/ad.server.com/ foo.png which redirects to
> > http://ad.server.com/foo.png
> >
> > Will play a bit with your patch.
>
> Already changed the patch... I have been playing with this since last night
> as well. One of the things I realized is that currently the "cross-domain"
> meta data is not set unless the loader is used. An iframe or child frames
> requests for that matter do not go through the loader, hence the
> "cross-domain" meta-data will never be set in those cases. The solution I
> am trying now is a whole sale move of the cross-domain check code into a
> public function in KHTMLPart, isCrossDomainRequest( const KURL& url =
> KURL() ). I can then call this function from both openURL(...) in KHTMLPart
> and the Loader.
>
> I also thought about redirection. One way to deal with that would be to
> send the origination url along with the flag and only use the url on
> redirections, no ?
I would replace the flag with the URL of the main-document and then put
isCrossDomainRequest() in http.cc
> As a side note I actually do not like the fact that the jobs do not give
> applications the ability to override the automatic redirection. What would
> have been ideal IMHO is ability for applications to override the automatic
> redirection if desired (a flag for example) and then call the default
> automatic implementation if they chose to do so. This way application can
> do whatever they need, like warning the user about the pending redirection
> (which BTW is a requirement of the HTTP spec.), before allowing the
> redirection to take place. I do not know if it is feasible to do this right
> now though...
Something we could look into after 3.2
Cheers,
Waldo
- --
bastian at kde.org -=|[ SUSE, The Linux Desktop Experts ]|=- bastian at suse.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE/ygW5N4pvrENfboIRAkwUAJ998etU8p+ljziJNX79mPaVhrTuuACgisF0
SQOqfoL4qygfRG78AYz0/TA=
=YJ9C
-----END PGP SIGNATURE-----
More information about the kde-core-devel
mailing list