diff --git a/Base/res/html/misc/cookie.html b/Base/res/html/misc/cookie.html
index e44c8611997..8bbbfb3af97 100644
--- a/Base/res/html/misc/cookie.html
+++ b/Base/res/html/misc/cookie.html
@@ -9,7 +9,7 @@
-
+
diff --git a/Userland/Applications/Browser/CookieJar.cpp b/Userland/Applications/Browser/CookieJar.cpp
index 0ec5219f308..8da46a07fa2 100644
--- a/Userland/Applications/Browser/CookieJar.cpp
+++ b/Userland/Applications/Browser/CookieJar.cpp
@@ -55,7 +55,7 @@ String CookieJar::get_cookie(const URL& url, Web::Cookie::Source)
return builder.build();
}
-void CookieJar::set_cookie(const URL& url, const String& cookie_string, Web::Cookie::Source)
+void CookieJar::set_cookie(const URL& url, const String& cookie_string, Web::Cookie::Source source)
{
auto domain = canonicalize_domain(url);
if (!domain.has_value())
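Review bot: `get_cookie` in this hunk's header still takes an unnamed `Web::Cookie::Source`, so the HttpOnly rule is enforced when a cookie is written but presumably not when it is read. RFC 6265 section 5.4 requires that cookies with the http-only-flag set be left out of a cookie-string generated for a non-HTTP API. Without that filter, `document.cookie` can still read the HttpOnly cookies that `store_cookie` now refuses to let it overwrite. Name the parameter and skip those cookies where the cookie list is assembled, along the lines of `if (cookie.http_only && source != Web::Cookie::Source::Http) continue;` (the local names are assumed). The body of `get_cookie` lies outside this hunk, so confirm that no such filter already exists.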
@@ -65,7 +65,7 @@ void CookieJar::set_cookie(const URL& url, const String& cookie_string, Web::Coo
if (!parsed_cookie.has_value())
return;
- store_cookie(parsed_cookie.value(), url, move(domain.value()));
+ store_cookie(parsed_cookie.value(), url, move(domain.value()), source);
purge_expired_cookies();
}
@@ -152,7 +152,7 @@ String CookieJar::default_path(const URL& url)
return uri_path.substring(0, last_separator);
}
-void CookieJar::store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL& url, String canonicalized_domain)
+void CookieJar::store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL& url, String canonicalized_domain, Web::Cookie::Source source)
{
// https://tools.ietf.org/html/rfc6265#section-5.3
@@ -215,7 +215,8 @@ void CookieJar::store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL
cookie.http_only = parsed_cookie.http_only_attribute_present;
// 10. If the cookie was received from a "non-HTTP" API and the cookie's http-only-flag is set, abort these steps and ignore the cookie entirely.
- // FIXME: Update CookieJar to track where the cookie originated (an HTTP request vs document.cookie).
+ if (source != Web::Cookie::Source::Http && cookie.http_only)
+ return;
// 11. If the cookie store contains a cookie with the same name, domain, and path as the newly created cookie:
CookieStorageKey key { cookie.name, cookie.domain, cookie.path };
@@ -223,7 +224,8 @@ void CookieJar::store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL
if (auto old_cookie = m_cookies.find(key); old_cookie != m_cookies.end()) {
// If the newly created cookie was received from a "non-HTTP" API and the old-cookie's http-only-flag is set, abort these
// steps and ignore the newly created cookie entirely.
- // FIXME: Similar to step 10, CookieJar needs to track where the cookie originated.
+ if (source != Web::Cookie::Source::Http && old_cookie->value.http_only)
+ return;
// Update the creation-time of the newly created cookie to match the creation-time of the old-cookie.
cookie.creation_time = old_cookie->value.creation_time;
diff --git a/Userland/Applications/Browser/CookieJar.h b/Userland/Applications/Browser/CookieJar.h
index 7c791f28066..58b8f3f65a1 100644
--- a/Userland/Applications/Browser/CookieJar.h
+++ b/Userland/Applications/Browser/CookieJar.h
@@ -55,7 +55,7 @@ private:
static bool domain_matches(const String& string, const String& domain_string);
static String default_path(const URL& url);
- void store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL& url, String canonicalized_domain);
+ void store_cookie(Web::Cookie::ParsedCookie& parsed_cookie, const URL& url, String canonicalized_domain, Web::Cookie::Source source);
void purge_expired_cookies();
HashMap m_cookies;