soup-cookie-jar: do not accept cookies for well known public domains
authorSergio Villar Senin <svillar@igalia.com>
Thu, 19 Apr 2012 18:39:24 +0000 (20:39 +0200)
committerSergio Villar Senin <svillar@igalia.com>
Thu, 14 Jun 2012 18:08:16 +0000 (20:08 +0200)
SoupCookieJar uses the new soup_tld_* utils to reject cookies whose domains
are registered public suffixes. This prevents sites from setting supercookies.

https://bugzilla.gnome.org/show_bug.cgi?id=673802

libsoup/soup-cookie-jar.c

index 6077717..ab5a803 100644 (file)
@@ -19,6 +19,7 @@
 #include "soup-marshal.h"
 #include "soup-message.h"
 #include "soup-session-feature.h"
+#include "soup-tld.h"
 #include "soup-uri.h"
 
 /**
@@ -479,6 +480,13 @@ soup_cookie_jar_add_cookie (SoupCookieJar *jar, SoupCookie *cookie)
        g_return_if_fail (SOUP_IS_COOKIE_JAR (jar));
        g_return_if_fail (cookie != NULL);
 
+       /* Never accept cookies for public domains. */
+       if (!g_hostname_is_ip_address (cookie->domain) &&
+           soup_tld_domain_is_public_suffix (cookie->domain)) {
+               soup_cookie_free (cookie);
+               return;
+       }
+
        priv = SOUP_COOKIE_JAR_GET_PRIVATE (jar);
        old_cookies = g_hash_table_lookup (priv->domains, cookie->domain);
        for (oc = old_cookies; oc; oc = oc->next) {
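Review bot: The new check at the top of soup_cookie_jar_add_cookie() passes `cookie->domain` to soup_tld_domain_is_public_suffix() exactly as stored, so the supercookie protection holds only if that helper accepts every form a cookie domain can take: a leading dot (`.co.uk`), a trailing dot, mixed case, or a non-ASCII IDN. soup-tld.c is not visible here, so this is something to confirm rather than a known defect; if the helper does not normalise its input, the domain should be canonicalised before the call, and a test that adds a cookie for each of those forms would pin the behaviour. The rejection is also silent, so the function's doc comment should state that a cookie whose domain is a public suffix is freed and not stored, for example `* Cookies whose domain is a registered public suffix are discarded.` The function body starts before and continues after this hunk.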