Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: aa297f89b9a60b60a28828a20bc1ea5c36da6840
      https://github.com/WebKit/WebKit/commit/aa297f89b9a60b60a28828a20bc1ea5c36da6840
  Author: Xyan Bhatnagar <[email protected]>
  Date:   2026-04-03 (Fri, 03 Apr 2026)

  Changed paths:
    M LayoutTests/TestExpectations
    M LayoutTests/http/tests/inspector/page/get-cookies-expected.txt
    M LayoutTests/http/tests/inspector/page/get-cookies.html
    M LayoutTests/http/tests/inspector/page/resources/set-cookie.py
    M Source/WTF/wtf/PlatformHave.h
    M Source/WebCore/loader/CookieJar.cpp
    M Source/WebCore/loader/CookieJar.h
    M Source/WebCore/platform/network/CacheValidation.cpp
    M Tools/TestWebKitAPI/CMakeLists.txt
    M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
    A Tools/TestWebKitAPI/Tests/WebCore/CookieJar.cpp

  Log Message:
  -----------
  Add support for `Secure` cookies for loopback hostnames.
https://bugs.webkit.org/show_bug.cgi?id=281149
rdar://137604100, rdar://84509597

Reviewed by Blaze Burg, Matthew Finkel, Anne Van Kesteren.

WebKit will now allow retrieval of `Secure` cookies created for loopback
hostnames on Cocoa builds only.

For macOS builds, this change only takes effect on >= 26.0. Those builds
enforce that `localhost` and subdomains always resolve to loopback addresses.

Web Inspector will still not show `Secure` cookies for loopback hostnames with
insecure schemes (https://bugs.webkit.org/show_bug.cgi?id=311205).

This change will only work correctly once the underlying cookie storage starts
accepting `Secure` cookies for loopback hostnames. Hence, this change, in
isolation, does not make `Secure` cookies work correctly for loopback hostnames.

These are the loopback hostnames that are detected by WebKit:
* localhost and *.localhost
* IPv4 address in 127.0.0.0/8 subnet

* LayoutTests/TestExpectations: get-cookies layout tests are no longer skipped, but expected to fail for now
* LayoutTests/http/tests/inspector/page/get-cookies-expected.txt: Expectations for non-HTTPS loopback URLs with Secure cookies
* LayoutTests/http/tests/inspector/page/get-cookies.html: New test case for non-HTTPS loopback URLs with Secure cookies
* LayoutTests/http/tests/inspector/page/resources/set-cookie.py: Updated Python server to support adding Secure attribute to cookie
* Source/WTF/wtf/PlatformHave.h: Added LOCALHOST_TIED_TO_LOOPBACK build constant
* Source/WebCore/loader/CookieJar.cpp:
(WebCore::CookieJar::shouldIncludeSecureCookies): Modified to now return `YES` for loopback hostnames, irrespective of scheme
* Source/WebCore/loader/CookieJar.h:
* Source/WebCore/platform/network/CacheValidation.cpp: Updated to include loopback hostnames when evaluating if Secure cookies should be included
(WebCore::cookieRequestHeaderFieldValue):
* Tools/TestWebKitAPI/CMakeLists.txt: Updated to include CookieJar.cpp
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj: Updated to include CookieJar.cpp
* Tools/TestWebKitAPI/Tests/WebCore/CookieJar.cpp: Added.
(TestWebKitAPI::TEST(CookieJar, ShouldIncludeSecureCookiesForHTTPS)): Checks that HTTPS scheme means Secure cookies are allowed.
(TestWebKitAPI::TEST(CookieJar, ShouldNotIncludeSecureCookiesForPlainHTTP)): Checks that other HTTP addresses mean Secure cookies are not allowed.
(TestWebKitAPI::TEST(CookieJar, ShouldNotIncludeSecureCookiesForNonLocalHostnames)): Checks that other variations on localhost mean Secure cookies are not allowed.
(TestWebKitAPI::TEST(CookieJar, ShouldNotIncludeSecureCookiesForNonLoopbackIPv4)): Checks that other variations on IPv4 addresses mean Secure cookies are not allowed.
(TestWebKitAPI::TEST(CookieJar, ShouldIncludeSecureCookiesForIPv6Loopback)): Checks that IPv6 loopback addresses mean Secure cookies are allowed.
(TestWebKitAPI::TEST(CookieJar, ShouldIncludeSecureCookiesForIPv4Loopback)): Checks that IPv4 loopback addresses mean Secure cookies are allowed.
(TestWebKitAPI::TEST(CookieJar, ShouldIncludeSecureCookiesForLocalhost)): Checks that localhost means Secure cookies are allowed.
(TestWebKitAPI::TEST(CookieJar, ShouldIncludeSecureCookiesForLocalhostSubdomains)): Checks that localhost subdomains mean Secure cookies are allowed.
(TestWebKitAPI::TEST(CookieJar, ShouldIncludeSecureCookiesForNormalizedIPv4Loopback)): Checks that WHATWG normalized IPv4 loopback address means Secure cookies are allowed.

Canonical link: https://commits.webkit.org/310542@main
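
The loopback-host decision described in the log message, as an added stand-alone sketch that is not WebKit's code: the function names are hypothetical, the host is assumed to be already serialized by a WHATWG URL parser, and `[::1]` is included because the listed tests cover IPv6 loopback. The point it shows is that suffix and prefix look-alikes such as `notlocalhost` or `127.0.0.1.example.com` must not qualify.

```cpp
// Added example, not WebKit source; all function names are hypothetical.
#include <cctype>
#include <cstdint>
#include <string>

// Strict "a.b.c.d" parse, each part 0-255; "127.0.0.1.example.com" is rejected.
static bool parseDottedQuad(const std::string& host, uint32_t& value)
{
    value = 0;
    int parts = 0;
    for (size_t i = 0; i < host.size(); ++i) {
        size_t start = i;
        uint32_t octet = 0;
        for (; i < host.size() && std::isdigit(static_cast<unsigned char>(host[i])); ++i)
            octet = octet * 10 + static_cast<uint32_t>(host[i] - '0');
        if (i == start || i - start > 3 || octet > 255)
            return false; // empty part, too many digits, or out of range
        value = (value << 8) | octet;
        ++parts;
        if (i < host.size() && (host[i] != '.' || i + 1 == host.size()))
            return false; // stray character or trailing dot
    }
    return parts == 4;
}

// Assumes `host` is a WHATWG-serialized URL host: lowercased, IPv4 shorthand
// already expanded to four parts, IPv6 literals in brackets.
bool isLoopbackHost(const std::string& host)
{
    static const std::string suffix = ".localhost";
    if (host == "localhost" || host == "[::1]")
        return true;
    // The leading dot in the suffix keeps "notlocalhost" from matching.
    if (host.size() > suffix.size()
        && host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0)
        return true;
    uint32_t v4 = 0;
    return parseDottedQuad(host, v4) && (v4 >> 24) == 127; // 127.0.0.0/8
}

// Secure cookies are eligible over HTTPS, or for a loopback host on any scheme.
bool allowsSecureCookies(const std::string& scheme, const std::string& host)
{
    return scheme == "https" || isLoopbackHost(host);
}

// Constructed sample input: exit status 0 when the loopback subdomain is accepted.
int main() { return allowsSecureCookies("http", "app.localhost") ? 0 : 1; }
```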


