mirror of
https://github.com/LadybirdBrowser/ladybird.git
synced 2026-04-18 18:00:31 +00:00
8d97389038
This will allow parsing cookies outside of LibWeb. LibHTTP is basically becoming the home of HTTP WG specs.
249 lines
9.5 KiB
C++
249 lines
9.5 KiB
C++
/*
|
|
* Copyright (c) 2022, Tobias Christiansen <tobyase@serenityos.org>
|
|
* Copyright (c) 2023-2026, Tim Flynn <trflynn89@ladybird.org>
|
|
*
|
|
* SPDX-License-Identifier: BSD-2-Clause
|
|
*/
|
|
|
|
#include <AK/IPv4Address.h>
|
|
#include <AK/IPv6Address.h>
|
|
#include <LibHTTP/Cookie/Cookie.h>
|
|
#include <LibIPC/Decoder.h>
|
|
#include <LibIPC/Encoder.h>
|
|
#include <LibURL/URL.h>
|
|
|
|
namespace HTTP::Cookie {
|
|
|
|
static String time_to_string(UnixDateTime const& time)
|
|
{
|
|
return MUST(time.to_string("%Y-%m-%d %H:%M:%S %Z"sv));
|
|
}
|
|
|
|
String Cookie::creation_time_to_string() const
|
|
{
|
|
return time_to_string(creation_time);
|
|
}
|
|
|
|
String Cookie::last_access_time_to_string() const
|
|
{
|
|
return time_to_string(last_access_time);
|
|
}
|
|
|
|
String Cookie::expiry_time_to_string() const
|
|
{
|
|
return time_to_string(expiry_time);
|
|
}
|
|
|
|
StringView same_site_to_string(SameSite same_site)
|
|
{
|
|
switch (same_site) {
|
|
case SameSite::Default:
|
|
return "Default"sv;
|
|
case SameSite::None:
|
|
return "None"sv;
|
|
case SameSite::Lax:
|
|
return "Lax"sv;
|
|
case SameSite::Strict:
|
|
return "Strict"sv;
|
|
}
|
|
VERIFY_NOT_REACHED();
|
|
}
|
|
|
|
SameSite same_site_from_string(StringView same_site_mode)
|
|
{
|
|
if (same_site_mode.equals_ignoring_ascii_case("None"sv))
|
|
return SameSite::None;
|
|
if (same_site_mode.equals_ignoring_ascii_case("Strict"sv))
|
|
return SameSite::Strict;
|
|
if (same_site_mode.equals_ignoring_ascii_case("Lax"sv))
|
|
return SameSite::Lax;
|
|
return SameSite::Default;
|
|
}
|
|
|
|
// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-22#section-5.1.2
|
|
Optional<String> canonicalize_domain(URL::URL const& url)
|
|
{
|
|
if (!url.host().has_value())
|
|
return {};
|
|
|
|
// 1. Convert the host name to a sequence of individual domain name labels.
|
|
// 2. All labels must be one of U-label, A-label, or Non-Reserved LDH (NR-LDH) label (see Section 2.3.1 of [RFC5890]).
|
|
// If any label is not one of these then abort this algorithm and fail to canonicalize the host name.
|
|
// 3. Convert each U-label to an A-label (see Section 2.3.2.1 of [RFC5890]).
|
|
// 4. If any label is a Fake A-label then abort this algorithm and fail to canonicalize the host name.
|
|
// 5. Concatenate the resulting labels, separated by a %x2E (".") character.
|
|
// FIXME: Implement the above conversions.
|
|
|
|
return MUST(url.serialized_host().to_lowercase());
|
|
}
|
|
|
|
// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-22#section-5.1.3
|
|
bool domain_matches(StringView string, StringView domain_string)
|
|
{
|
|
// A string domain-matches a given domain string if at least one of the following conditions hold:
|
|
|
|
// * The domain string and the string are identical. (Note that both the domain string and the string will have been
|
|
// canonicalized to lower case at this point.)
|
|
if (string == domain_string)
|
|
return true;
|
|
|
|
// * All of the following conditions hold:
|
|
// - The domain string is a suffix of the string.
|
|
if (!string.ends_with(domain_string))
|
|
return false;
|
|
// - The last character of the string that is not included in the domain string is a %x2E (".") character.
|
|
if (string[string.length() - domain_string.length() - 1] != '.')
|
|
return false;
|
|
// - The string is a host name (i.e., not an IP address).
|
|
if (AK::IPv4Address::from_string(string).has_value())
|
|
return false;
|
|
if (AK::IPv6Address::from_string(string).has_value())
|
|
return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-22#section-5.1.4-3
|
|
bool path_matches(StringView request_path, StringView cookie_path)
|
|
{
|
|
// A request-path path-matches a given cookie-path if at least one of the following conditions holds:
|
|
|
|
// * The cookie-path and the request-path are identical.
|
|
if (request_path == cookie_path)
|
|
return true;
|
|
|
|
if (request_path.starts_with(cookie_path)) {
|
|
// * The cookie-path is a prefix of the request-path, and the last character of the cookie-path is %x2F ("/").
|
|
if (cookie_path.ends_with('/'))
|
|
return true;
|
|
|
|
// * The cookie-path is a prefix of the request-path, and the first character of the request-path that is not
|
|
// included in the cookie-path is a %x2F ("/") character.
|
|
if (request_path[cookie_path.length()] == '/')
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-22#section-5.1.4-1
|
|
String default_path(URL::URL const& url)
|
|
{
|
|
// 1. Let uri-path be the path portion of the request-uri if such a portion exists (and empty otherwise).
|
|
auto uri_path = URL::percent_decode(url.serialize_path());
|
|
|
|
// 2. If the uri-path is empty or if the first character of the uri-path is not a %x2F ("/") character, output
|
|
// %x2F ("/") and skip the remaining steps.
|
|
if (uri_path.is_empty() || (uri_path[0] != '/'))
|
|
return "/"_string;
|
|
|
|
StringView uri_path_view = uri_path;
|
|
size_t last_separator = uri_path_view.find_last('/').value();
|
|
|
|
// 3. If the uri-path contains no more than one %x2F ("/") character, output %x2F ("/") and skip the remaining step.
|
|
if (last_separator == 0)
|
|
return "/"_string;
|
|
|
|
// 4. Output the characters of the uri-path from the first character up to, but not including, the right-most
|
|
// %x2F ("/").
|
|
// FIXME: The path might not be valid UTF-8.
|
|
return MUST(String::from_utf8(uri_path.substring_view(0, last_separator)));
|
|
}
|
|
|
|
// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-22#section-5.8.3
|
|
bool cookie_matches_url(Cookie const& cookie, URL::URL const& url, String const& retrieval_host_canonical, Optional<Source> source)
|
|
{
|
|
// * Either:
|
|
// - The cookie's host-only-flag is true and retrieval-host-canonical is identical to the cookie's domain.
|
|
bool is_host_only_and_has_identical_domain = cookie.host_only && (retrieval_host_canonical == cookie.domain);
|
|
// Or:
|
|
// - The cookie's host-only-flag is false and retrieval-host-canonical domain-matches (see Section 5.1.3)
|
|
// the cookie's domain.
|
|
// - The cookie's domain is not a public suffix, for user agents configured to reject "public suffixes".
|
|
bool is_not_host_only_and_domain_matches = (!cookie.host_only && domain_matches(retrieval_host_canonical, cookie.domain))
|
|
&& !URL::is_public_suffix(cookie.domain);
|
|
|
|
if (!is_host_only_and_has_identical_domain && !is_not_host_only_and_domain_matches)
|
|
return false;
|
|
|
|
// * The retrieval's URI's path path-matches the cookie's path.
|
|
if (!path_matches(url.serialize_path(), cookie.path))
|
|
return false;
|
|
|
|
// * If the cookie's secure-only-flag is true, then the retrieval's URI must denote a "secure" connection (as
|
|
// defined by the user agent).
|
|
if (cookie.secure && url.scheme() != "https"sv && url.scheme() != "wss"sv)
|
|
return false;
|
|
|
|
// * If the cookie's http-only-flag is true, then exclude the cookie if the retrieval's type is "non-HTTP".
|
|
if (cookie.http_only && (source != Source::Http))
|
|
return false;
|
|
|
|
// FIXME: * If the cookie's same-site-flag is not "None" and the retrieval's same-site status is "cross-site", then
|
|
// exclude the cookie unless all of the following conditions are met:
|
|
// * The retrieval's type is "HTTP".
|
|
// * The same-site-flag is "Lax" or "Default".
|
|
// * The HTTP request associated with the retrieval uses a "safe" method.
|
|
// * The target browsing context of the HTTP request associated with the retrieval is the active browsing context
|
|
// or a top-level traversable.
|
|
|
|
return true;
|
|
}
|
|
|
|
}
|
|
|
|
template<>
|
|
ErrorOr<void> IPC::encode(Encoder& encoder, HTTP::Cookie::Cookie const& cookie)
|
|
{
|
|
TRY(encoder.encode(cookie.name));
|
|
TRY(encoder.encode(cookie.value));
|
|
TRY(encoder.encode(cookie.domain));
|
|
TRY(encoder.encode(cookie.path));
|
|
TRY(encoder.encode(cookie.creation_time));
|
|
TRY(encoder.encode(cookie.expiry_time));
|
|
TRY(encoder.encode(cookie.host_only));
|
|
TRY(encoder.encode(cookie.http_only));
|
|
TRY(encoder.encode(cookie.last_access_time));
|
|
TRY(encoder.encode(cookie.persistent));
|
|
TRY(encoder.encode(cookie.secure));
|
|
TRY(encoder.encode(cookie.same_site));
|
|
|
|
return {};
|
|
}
|
|
|
|
template<>
|
|
ErrorOr<HTTP::Cookie::Cookie> IPC::decode(Decoder& decoder)
|
|
{
|
|
auto name = TRY(decoder.decode<String>());
|
|
auto value = TRY(decoder.decode<String>());
|
|
auto domain = TRY(decoder.decode<String>());
|
|
auto path = TRY(decoder.decode<String>());
|
|
auto creation_time = TRY(decoder.decode<UnixDateTime>());
|
|
auto expiry_time = TRY(decoder.decode<UnixDateTime>());
|
|
auto host_only = TRY(decoder.decode<bool>());
|
|
auto http_only = TRY(decoder.decode<bool>());
|
|
auto last_access_time = TRY(decoder.decode<UnixDateTime>());
|
|
auto persistent = TRY(decoder.decode<bool>());
|
|
auto secure = TRY(decoder.decode<bool>());
|
|
auto same_site = TRY(decoder.decode<HTTP::Cookie::SameSite>());
|
|
|
|
return HTTP::Cookie::Cookie { move(name), move(value), same_site, creation_time, last_access_time, expiry_time, move(domain), move(path), secure, http_only, host_only, persistent };
|
|
}
|
|
|
|
template<>
|
|
ErrorOr<void> IPC::encode(Encoder& encoder, HTTP::Cookie::VersionedCookie const& cookie)
|
|
{
|
|
TRY(encoder.encode(cookie.cookie_version));
|
|
TRY(encoder.encode(cookie.cookie));
|
|
|
|
return {};
|
|
}
|
|
|
|
template<>
|
|
ErrorOr<HTTP::Cookie::VersionedCookie> IPC::decode(Decoder& decoder)
|
|
{
|
|
auto cookie_version = TRY(decoder.decode<Optional<Core::SharedVersion>>());
|
|
auto cookie = TRY(decoder.decode<String>());
|
|
|
|
return HTTP::Cookie::VersionedCookie { cookie_version, move(cookie) };
|
|
}
|