Details
P1: Critical Description
Starting with Qt 5.15.2, the firstPartyUrl in QWebEngineCookieStore::FilterRequest looks like https://example.com/, even if the cookie is actually set on e.g. https://www.example.com/.
This can be seen by patching simplebrowser to log those URLs, by adding this in main:
QWebEngineProfile::defaultProfile()->cookieStore()->setCookieFilter([](auto request) {
qDebug() << request.firstPartyUrl;
return true;
});
And then e.g. visiting mouser.com. With Qt 5.15.1, the URLs logged are https://eu.mouser.com/ and https://www.mouser.com/, while with Qt 5.15.2 they all are https://mouser.com/.
I'm not sure if this was a deliberate change or a bug - but if deliberate, it seems like quite a breaking change for a patch release. Note that there's a privacy impact as well, as this could lead to cookies being blocked by the user to be accepted again (as the filter isn't working as intended).
Attachments
| For Gerrit Dashboard: QTBUG-90231 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 334352,13 | Fix first party url for cookie filter | 5.15 | qt/qtwebengine | Status: MERGED | +2 | 0 |
| 334353,12 | Add first_party_url for net::SiteForCookies | 87-based | qt/qtwebengine-chromium | Status: MERGED | +2 | 0 |
| 348505,3 | Add first_party_url for net::SiteForCookies | 88-based | qt/qtwebengine-chromium | Status: MERGED | +2 | 0 |