[or-cvs] [https-everywhere/master 6/7] We can now set the secure flag on cookies!

pde at torproject.org pde at torproject.org
Thu Nov 11 00:28:02 UTC 2010


Author: Peter Eckersley <pde at eff.org>
Date: Wed, 10 Nov 2010 14:29:49 -0800
Subject: We can now set the secure flag on cookies!
Commit: 5e80b3cee972c6eb0c946e269b2faa55bad63828

---
 src/chrome/content/code/HTTPS.js      |   18 +++++++++++++--
 src/chrome/content/code/HTTPSRules.js |   36 +++++++++++++++++---------------
 src/components/https-everywhere.js    |    5 ++++
 3 files changed, 39 insertions(+), 20 deletions(-)

diff --git a/src/chrome/content/code/HTTPS.js b/src/chrome/content/code/HTTPS.js
index 53665b1..3ac96f5 100644
--- a/src/chrome/content/code/HTTPS.js
+++ b/src/chrome/content/code/HTTPS.js
@@ -1,4 +1,4 @@
-//INCLUDE('STS', 'Cookie');
+INCLUDE('Cookie');
 // XXX: Disable STS for now.
 var STS = {
   isSTSURI : function(uri) {
@@ -144,10 +144,21 @@ const HTTPS = {
   registered: false,
   handleSecureCookies: function(req) {
     
+    try {
+      req = req.QueryInterface(CI.nsIHttpChannel);
+    } catch(e) {
+      this.log(WARN, "Request is not an nsIHttpChannel: " + req);
+      return;
+    }
     if (!this.secureCookies) return;
     var uri = req.URI;
+    if (!uri) {
+      this.log(WARN,"No URI inside request " +req);
+      return;
+    }
+    this.log(VERB, "Cookie hunting in" + uri.spec);
     
-    if (uri.schemeIs("https") && (req instanceof CI.nsIHttpChannel)) {
+    if (uri.schemeIs("https")) {
       var host = uri.host;
       try {
         var cookies = req.getResponseHeader("Set-Cookie");
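Review bot: The new `QueryInterface` block runs before `if (!this.secureCookies) return;`, so with the feature switched off every observed response still pays for the interface query, and any request that is not an nsIHttpChannel logs a WARN. Moving the `secureCookies` guard to the first line of `handleSecureCookies` keeps the disabled path free of work and log noise. The added VERB line logs `uri.spec`, which is the whole URL including any query string; `uri.host` would be enough for tracing and keeps tokens carried in URLs out of the log (the message is also missing a space after "in"). The function body continues past the end of this hunk.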
@@ -158,11 +169,12 @@ const HTTPS = {
       if (!cookies) return;
       var c;
       for each (var cs in cookies.split("\n")) {
+        this.log(DBUG, "Examining cookie: ");
         c = new Cookie(cs, host);
         if (!c.secure && HTTPSRules.should_secure_cookie(c)) {
+          this.log(INFO, "Securing cookie: " + c.domain + " " + c.name);
           c.secure = true;
           req.setResponseHeader("Set-Cookie", c.source + ";Secure", true);
-          this.log(WARN,msg + c);
         }
       }
       
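Review bot: `req.setResponseHeader("Set-Cookie", c.source + ";Secure", true)` passes merge as true, so the Secure copy is added to the header alongside the original line rather than replacing it. The cookie only ends up Secure if whatever consumes the header processes the appended copy after the original and treats it as an overwrite. That assumption deserves a comment at the call, e.g. `// merge=true: the original line stays; the appended ;Secure copy must be processed last to win`, and a check that the stored cookie really carries the flag. The added `this.log(DBUG, "Examining cookie: ")` prints no cookie data; logging `c.name` after `c` is constructed would make it useful without exposing the value. This loop sits inside handleSecureCookies, which starts and ends outside the hunk.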
diff --git a/src/chrome/content/code/HTTPSRules.js b/src/chrome/content/code/HTTPSRules.js
index b6ac193..f027470 100644
--- a/src/chrome/content/code/HTTPSRules.js
+++ b/src/chrome/content/code/HTTPSRules.js
@@ -12,8 +12,8 @@ function Exclusion(pattern) {
 function CookieRule(host, cookiename) {
   this.host = host
   this.host_c = new RegExp(host);
-  this.cookiename = cookiename;
-  this.cookiename_c = new RegExp(cookiename);
+  this.name = cookiename;
+  this.name_c = new RegExp(cookiename);
 }
 
 function RuleSet(name, match_rule, default_off) {
@@ -232,7 +232,7 @@ const RuleWriter = {
       var c_rule = new CookieRule(xmlrules.securecookie[i]. at host,
                                   xmlrules.securecookie[i]. at name);
       ret.cookierules.push(c_rule);
-      this.log(DBUG,"Cookie rule "+ c_rule.host+ " " +c_rule.cookiename);
+      this.log(DBUG,"Cookie rule "+ c_rule.host+ " " +c_rule.name);
     }
 
     return ret;
@@ -304,21 +304,23 @@ const HTTPSRules = {
     return null;
   },
   
-  should_secure_cookie: function(cookie) {
-    var i = 0;
-    for (i = 0; i < this.cookierules.length; ++i) {
-      this.log(DBUG, "Testing cookie:");
-      this.log(DBUG, "  name: " + c.name);
-      this.log(DBUG, "  host: " + c.host);
-      this.log(DBUG, "  domain: " + c.domain);
-      this.log(DBUG, "  rawhost: " + c.rawHost);
-      var cr = this.cookierules[i];
-      if (cr.host_c.test(c.host) && cr.name_c.test(c.name)) {
-        return true;
-      } else {
-        return false;
+  should_secure_cookie: function(c) {
+    // Check to see if the Cookie object c meets any of our cookierule citeria 
+    // for being marked as secure
+    this.log(DBUG, "Testing cookie:");
+    this.log(DBUG, "  name: " + c.name);
+    this.log(DBUG, "  host: " + c.host);
+    this.log(DBUG, "  domain: " + c.domain);
+    this.log(DBUG, "  rawhost: " + c.rawHost);
+    var i,j;
+    // XXX lots of optimisation could happen here
+    for (i = 0; i < this.rules.length; ++i) 
+      for (j = 0; j < this.rules[i].cookierules.length; j++) {
+        var cr = this.rules[i].cookierules[j];
+        if (cr.host_c.test(c.host) && cr.name_c.test(c.name)) 
+          return true;
       }
-    }
+    return false;
   }
 
 };
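Review bot: `should_secure_cookie` now walks every entry in `this.rules` without checking whether that ruleset is in effect. A ruleset the user has turned off, or one created with `default_off` (see the `RuleSet(name, match_rule, default_off)` signature in this file), can therefore still cause cookies to be flagged Secure. That can break a site the user deliberately left on HTTP, because its cookies stop being sent there. The outer loop should skip rulesets that are not enabled, using whatever enabled-state field RuleSet exposes (not visible in this diff). The brace-less outer `for` wrapping a braced inner `for` is also easy to misread; braces on both loops, and fixing "citeria" in the new comment, would help the next reader.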
diff --git a/src/components/https-everywhere.js b/src/components/https-everywhere.js
index aa5bc6e..ed23796 100644
--- a/src/components/https-everywhere.js
+++ b/src/components/https-everywhere.js
@@ -222,7 +222,11 @@ HTTPSEverywhere.prototype = {
         return;
       }
       HTTPS.forceChannel(channel);
+    } else if (topic == "http-on-examine-response") {
+      this.log(DBUG, "Got http-on-examine-response ");
+      HTTPS.handleSecureCookies(channel);
     } else if (topic == "http-on-examine-merged-response") {
+      this.log(DBUG, "Got http-on-examine-merged-response ");
       HTTPS.handleSecureCookies(channel);
     } else if (topic == "app-startup") {
       this.log(DBUG,"Got app-startup");
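Review bot: The new `http-on-examine-response` branch and the existing `http-on-examine-merged-response` branch are identical apart from the log text, so a later change to one is easy to miss in the other. They could be a single branch, `} else if (topic == "http-on-examine-response" || topic == "http-on-examine-merged-response") {`, with one `this.log(DBUG, "Got " + topic);` before `HTTPS.handleSecureCookies(channel);`. The enclosing observer function starts and ends outside this hunk, so how `channel` is obtained for these topics cannot be checked from here.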
@@ -236,6 +240,7 @@ HTTPSEverywhere.prototype = {
       this.log(DBUG, "Got profile-after-change");
       OS.addObserver(this, "http-on-modify-request", false);
       OS.addObserver(this, "http-on-examine-merged-response", false);
+      OS.addObserver(this, "http-on-examine-response", false);
       var dls = CC['@mozilla.org/docloaderservice;1']
         .getService(CI.nsIWebProgress);
       dls.addProgressListener(this, CI.nsIWebProgress.NOTIFY_STATE_REQUEST);
-- 
1.7.1



