Browser: Respect the HttpOnly flag when storing cookies

Base/res/html/misc/cookie.html

@@ -9,7 +9,7 @@ <h3>Invalid cookies (the browser should reject these):</h3>
  <br /><input id=invalid1 type=button onclick="setCookie(this.value)" value="cookie4=value4; domain=serenityos.org" />
  <label for=invalid1>The Domain attribute does not domain-match this page</label>
  <br /><input id=invalid2 type=button onclick="setCookie(this.value)" value="cookie5=value5; httponly" />
- <label for=invalid2>The cookie is HttpOnly thus cannot be set via JavaScript (*not yet implemented*)</label>
+ <label for=invalid2>The cookie is HttpOnly thus cannot be set via JavaScript</label>
  <br /><input id=invalid3 type=button onclick="setCookie(this.value)" value="cookie6=value6; max-age=-1" />
  <label for=invalid3>The cookie expired in the past</label>
  <br /><input id=invalid4 type=button onclick="setCookie(this.value)" value="cookie7=value7; expires=Mon, 23 Jan 1989 08:10:36 GMT" />

Userland/Applications/Browser/CookieJar.cpp

@@ -55,7 +55,7 @@ String CookieJar::get_cookie(const URL& url, Web::Cookie::Source)
  return builder.build();
 }
 
-void CookieJar::set_cookie(const URL& url, const String& cookie_string, Web::Cookie::Source)
+void CookieJar::set_cookie(const URL& url, const String& cookie_string, Web::Cookie::Source source)
 {
  auto domain = canonicalize_domain(url);
  if (!domain.has_value())
@@ -65,7 +65,7 @@ void CookieJar::set_cookie(const URL& url, const String& cookie_string, Web::Coo
  if (!parsed_cookie.has_value())
  return;
 
- store_cookie(parsed_cookie.value(), url, move(domain.value()));
+ store_cookie(parsed_cookie.value(), url, move(domain.value()), source);
  purge_expired_cookies();
 }
 
@@ -152,7 +152,7 @@ String CookieJar::default_path(const URL& url)
  return uri_path.substring(0, last_separator);
 }
 
-void CookieJar::store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL& url, String canonicalized_domain)
+void CookieJar::store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL& url, String canonicalized_domain, Web::Cookie::Source source)
 {
  // https://tools.ietf.org/html/rfc6265#section-5.3
 
@@ -215,15 +215,17 @@ void CookieJar::store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL
  cookie.http_only = parsed_cookie.http_only_attribute_present;
 
  // 10. If the cookie was received from a "non-HTTP" API and the cookie's http-only-flag is set, abort these steps and ignore the cookie entirely.
- // FIXME: Update CookieJar to track where the cookie originated (an HTTP request vs document.cookie).
+ if (source != Web::Cookie::Source::Http && cookie.http_only)
+ return;
 
  // 11. If the cookie store contains a cookie with the same name, domain, and path as the newly created cookie:
  CookieStorageKey key { cookie.name, cookie.domain, cookie.path };
 
  if (auto old_cookie = m_cookies.find(key); old_cookie != m_cookies.end()) {
  // If the newly created cookie was received from a "non-HTTP" API and the old-cookie's http-only-flag is set, abort these
  // steps and ignore the newly created cookie entirely.
- // FIXME: Similar to step 10, CookieJar needs to track where the cookie originated.
+ if (source != Web::Cookie::Source::Http && old_cookie->value.http_only)
+ return;
 
  // Update the creation-time of the newly created cookie to match the creation-time of the old-cookie.
  cookie.creation_time = old_cookie->value.creation_time;

Userland/Applications/Browser/CookieJar.h

@@ -55,7 +55,7 @@ class CookieJar {
  static bool domain_matches(const String& string, const String& domain_string);
  static String default_path(const URL& url);
 
- void store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL& url, String canonicalized_domain);
+ void store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL& url, String canonicalized_domain, Web::Cookie::Source source);
  void purge_expired_cookies();
 
  HashMap<CookieStorageKey, Web::Cookie::Cookie> m_cookies;