authorSergio Villar Senin <svillar@igalia.com>2012-04-19 20:39:24 +0200
committerSergio Villar Senin <svillar@igalia.com>2012-06-14 20:08:16 +0200
commit587464fd636cda1e3bd13dc82d57212c26c45b7e (patch)
tree80d6619368a806267df4acaaa70258e8ec8fee88
parent5a30492229e3b09039d60979f74f6632767677d5 (diff)
soup-cookie-jar: do not accept cookies for well known public domains
SoupCookieJar uses the new soup_tld_* utils to reject cookies whose domains are registered public suffixes. This prevents sites from setting supercookies. https://bugzilla.gnome.org/show_bug.cgi?id=673802
-rw-r--r--libsoup/soup-cookie-jar.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/libsoup/soup-cookie-jar.c b/libsoup/soup-cookie-jar.c
index 60777172..ab5a8030 100644
--- a/libsoup/soup-cookie-jar.c
+++ b/libsoup/soup-cookie-jar.c
@@ -19,6 +19,7 @@
#include "soup-marshal.h"
#include "soup-message.h"
#include "soup-session-feature.h"
+#include "soup-tld.h"
#include "soup-uri.h"
/**
@@ -479,6 +480,13 @@ soup_cookie_jar_add_cookie (SoupCookieJar *jar, SoupCookie *cookie)
g_return_if_fail (SOUP_IS_COOKIE_JAR (jar));
g_return_if_fail (cookie != NULL);
+ /* Never accept cookies for public domains. */
+ if (!g_hostname_is_ip_address (cookie->domain) &&
+ soup_tld_domain_is_public_suffix (cookie->domain)) {
+ soup_cookie_free (cookie);
+ return;
+ }
+
priv = SOUP_COOKIE_JAR_GET_PRIVATE (jar);
old_cookies = g_hash_table_lookup (priv->domains, cookie->domain);
for (oc = old_cookies; oc; oc = oc->next) {
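Review bot: The new guard in soup_cookie_jar_add_cookie() passes the raw `cookie->domain` to `soup_tld_domain_is_public_suffix()`, and nothing visible in this hunk normalizes it first. Cookie domains taken from a Domain attribute are often stored with a leading dot, and may differ in case or carry a trailing dot. If the helper does not canonicalize these forms itself (it is not shown here, so this needs confirming), a public suffix written that way would pass the check and the supercookie protection would not apply. I would either canonicalize the domain before the call or state the contract next to the check, for example `/* cookie->domain may start with '.'; soup_tld_domain_is_public_suffix() must handle that form */`, and add a regression test covering those spellings. The rejection is also silent: the cookie is freed and the function returns, so the function's doc comment should say that public-suffix cookies are dropped and the cookie is consumed. The function body continues past the end of the hunk.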