authorGravatar Dylan Simon <dylan@dylex.net>2011-09-14 17:30:42 -0400
committerGravatar Dylan Simon <dylan@dylex.net>2011-09-17 23:39:45 -0400
commita964be6bd96583f8735fd297856f1c9845850f6a (patch)
tree332bf3ed489975a76b53d92e6103df306247e919 /src
parent23dbcac12ebfd4391132dd27e646fcf892108502 (diff)
preserve HttpOnly flag on cookies to prevent XSS attacks
Diffstat (limited to 'src')
-rw-r--r--src/commands.c13
-rw-r--r--src/cookie-jar.c4
2 files changed, 12 insertions, 5 deletions
diff --git a/src/commands.c b/src/commands.c
index 7689ea1..85057b3 100644
--- a/src/commands.c
+++ b/src/commands.c
@@ -241,8 +241,8 @@ show_inspector(WebKitWebView *page, GArray *argv, GString *result) {
void
add_cookie(WebKitWebView *page, GArray *argv, GString *result) {
(void) page; (void) result;
- gchar *host, *path, *name, *value;
- gboolean secure = 0;
+ gchar *host, *path, *name, *value, *scheme;
+ gboolean secure = 0, httponly = 0;
SoupDate *expires = NULL;
if(argv->len != 6)
@@ -253,14 +253,19 @@ add_cookie(WebKitWebView *page, GArray *argv, GString *result) {
path = argv_idx (argv, 1);
name = argv_idx (argv, 2);
value = argv_idx (argv, 3);
- secure = strcmp (argv_idx (argv, 4), "https") == 0;
- if (strlen (argv_idx (argv, 5)) != 0)
+ scheme = argv_idx (argv, 4);
+ if (strncmp (scheme, "http", 4) == 0) {
+ secure = scheme[4] == 's';
+ httponly = strncmp (&scheme[4+secure], "Only", 4) == 0;
+ }
+ if (argv->len >= 6 && *argv_idx (argv, 5))
expires = soup_date_new_from_time_t (
strtoul (argv_idx (argv, 5), NULL, 10));
// Create new cookie
SoupCookie * cookie = soup_cookie_new (name, value, host, path, -1);
soup_cookie_set_secure (cookie, secure);
+ soup_cookie_set_http_only (cookie, httponly);
if (expires)
soup_cookie_set_expires (cookie, expires);
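Review bot: The scheme parse in the `strncmp (scheme, "http", 4)` block accepts any token that merely starts with "http" and maps an unrecognized suffix to a plain, non-HttpOnly cookie, so a misspelled or unexpected token silently drops the very flag this commit sets out to preserve. Since cookie-jar.c emits exactly four tokens, an exact match is both stricter and self-documenting: `secure = strcmp (scheme, "https") == 0 || strcmp (scheme, "httpsOnly") == 0;` and `httponly = strcmp (scheme, "httpOnly") == 0 || strcmp (scheme, "httpsOnly") == 0;`, preceded by a comment such as `/* scheme is one of http, https, httpOnly, httpsOnly; see changed() in cookie-jar.c */`. The added `argv->len >= 6` test also looks redundant with the `argv->len != 6` guard in the previous hunk, assuming that guard returns on mismatch (its body is not shown); either relax the guard or drop the length test so the two agree. add_cookie continues past the end of this hunk.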
diff --git a/src/cookie-jar.c b/src/cookie-jar.c
index dd9585b..2f6be83 100644
--- a/src/cookie-jar.c
+++ b/src/cookie-jar.c
@@ -40,7 +40,9 @@ changed(SoupCookieJar *jar, SoupCookie *old_cookie, SoupCookie *new_cookie) {
* command because otherwise a loop would occur when a cookie change is
* propagated to other uzbl instances using add/delete_cookie. */
if(!uzbl_jar->in_manual_add) {
- gchar *scheme = cookie->secure ? "https" : "http";
+ gchar *scheme = cookie->secure
+ ? cookie->http_only ? "httpsOnly" : "https"
+ : cookie->http_only ? "httpOnly" : "http";
gchar *expires = NULL;
if(cookie->expires)