Issue 767813 link

Starred by 2 users

Issue metadata

Status:	Fixed
Owner:	█ mkwst@chromium.org Buried. Ping if important.
Closed:	Dec 2017
Components:	Blink>SecurityFeature Internals>Network>Cookies
EstimatedDays:	----
NextAction:	----
OS:	Linux , Android , Windows , Chrome , Mac
Pri:	3
Type:	Task
M-65 Hotlist-EnamelAndFriendsFixIt

Show other hotlists

Hotlists containing this issue:
EnamelAndFriendsFixIt

Deprecate/remove `<meta http-equiv="set-cookie" ...>`

Project Member Reported by mkwst@chromium.org, Sep 22 2017

Issue description

`<meta http-equiv="set-cookie" ...>` provides a mechanism for manipulating a host's cookies via markup. Ideally, we would require access to a host's HTTP headers, or script-execution capabilities to modify this data. Based on usage numbers, this might be doable.

Project Member

Comment 1 by bugdroid1@chromium.org, Sep 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d3c852d2ffe2926f0d7d5fe395348fa0710d6513

commit d3c852d2ffe2926f0d7d5fe395348fa0710d6513
Author: Mike West <mkwst@chromium.org>
Date: Tue Sep 26 09:22:23 2017

Deprecate `<meta http-equiv="set-cookie" ...>`

Intent to Deprecate: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/0sJ8GUJO0Dw/iMmcXLIGBAAJ

Bug:  767813 
Change-Id: I29868952df3e9c8d5cef85fa39c43a85d850b9e9
Reviewed-on: https://chromium-review.googlesource.com/678723
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Eric Lawrence <elawrence@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504322}
[add] https://crrev.com/d3c852d2ffe2926f0d7d5fe395348fa0710d6513/third_party/WebKit/LayoutTests/http/tests/cookies/meta-expected.txt
[add] https://crrev.com/d3c852d2ffe2926f0d7d5fe395348fa0710d6513/third_party/WebKit/LayoutTests/http/tests/cookies/meta.html
[modify] https://crrev.com/d3c852d2ffe2926f0d7d5fe395348fa0710d6513/third_party/WebKit/Source/core/frame/Deprecation.cpp
[modify] https://crrev.com/d3c852d2ffe2926f0d7d5fe395348fa0710d6513/third_party/WebKit/Source/core/loader/HttpEquiv.cpp
[modify] https://crrev.com/d3c852d2ffe2926f0d7d5fe395348fa0710d6513/third_party/WebKit/Source/platform/runtime_enabled_features.json5

Comment 2 by mkwst@chromium.org, Sep 26 2017

Status: Started (was: Assigned)

Deprecated in 63; aiming to remove in 65.

Comment 3 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 4 Deleted

Project Member

Comment 5 by bugdroid1@chromium.org, Dec 4 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e71f2e951038b1b204d0f35cdfee0463a63bffa1

commit e71f2e951038b1b204d0f35cdfee0463a63bffa1
Author: Mike West <mkwst@chromium.org>
Date: Mon Dec 04 15:06:12 2017

Block `<meta http-equiv="set-cookie" ...>`

Intent to Deprecate: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/0sJ8GUJO0Dw/iMmcXLIGBAAJ

HTML discussion at https://github.com/whatwg/html/issues/3076.

Bug:  767813 
Change-Id: Ibbbce7794c6802e66eeb4e8e6d95acedebbe840c
Reviewed-on: https://chromium-review.googlesource.com/800290
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#521338}
[add] https://crrev.com/e71f2e951038b1b204d0f35cdfee0463a63bffa1/third_party/WebKit/LayoutTests/external/wpt/cookies/meta-blocked.html
[modify] https://crrev.com/e71f2e951038b1b204d0f35cdfee0463a63bffa1/third_party/WebKit/LayoutTests/http/tests/cookies/meta-expected.txt
[modify] https://crrev.com/e71f2e951038b1b204d0f35cdfee0463a63bffa1/third_party/WebKit/Source/core/frame/Deprecation.cpp
[modify] https://crrev.com/e71f2e951038b1b204d0f35cdfee0463a63bffa1/third_party/WebKit/Source/platform/runtime_enabled_features.json5

Comment 6 by mkwst@chromium.org, Dec 21 2017

Labels: M-65
Status: Fixed (was: Started)

This should be shipping in 65.

Project Member

Comment 7 by bugdroid1@chromium.org, Aug 17

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/94ec17be028f348f27d6e754f1e3fa33b29011f9

commit 94ec17be028f348f27d6e754f1e3fa33b29011f9
Author: Eric Willigers <ericwilligers@chromium.org>
Date: Fri Aug 17 03:15:16 2018

Retire BlockMetaSetCookie runtime flag

M65 removed the ability to manipulate a host's cookies via markup.
https://chromium-review.googlesource.com/800290
https://www.chromestatus.com/feature/6170540112871424

BUG= 767813 

Change-Id: Ib201015bb2cf570da299630c9edaaf674068114c
Reviewed-on: https://chromium-review.googlesource.com/1166264
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Eric Willigers <ericwilligers@chromium.org>
Cr-Commit-Position: refs/heads/master@{#583951}
[modify] https://crrev.com/94ec17be028f348f27d6e754f1e3fa33b29011f9/third_party/blink/renderer/core/loader/http_equiv.cc
[modify] https://crrev.com/94ec17be028f348f27d6e754f1e3fa33b29011f9/third_party/blink/renderer/platform/runtime_enabled_features.json5

►

Issue 767813 link

Issue metadata

Deprecate/remove `<meta http-equiv="set-cookie" ...>`

Issue description

Comment 1 by bugdroid1@chromium.org, Sep 26 2017

Comment 1 Deleted

Comment 2 by mkwst@chromium.org, Sep 26 2017

Comment 2 Deleted

Comment 3 by est...@chromium.org, Nov 10 2017

Comment 3 Deleted

Comment 4 Deleted

Comment 5 by bugdroid1@chromium.org, Dec 4 2017

Comment 5 Deleted

Comment 6 by mkwst@chromium.org, Dec 21 2017

Comment 6 Deleted

Comment 7 by bugdroid1@chromium.org, Aug 17

Comment 7 Deleted

Sign in to add a comment