I agree that Option B looks like the way to go here. * The parameter expansion of `GetCookiesForURI` appears necessary since I wouldn't expect the parent-context `CookieService::GetCookieStringFromHttp` to change behavior. * Checking for secure cookies in an insecure origin will be easy within `GetCookiesForURI`. * Filtering in `SetCookieStringFromDocument` will be similar. * Wiping cookie values before broadcast to content processes will align with http-only cookies, namely in functions: `RemoveAll()`, `AddCookie()`, `RemoveBatchDeletedCookies()` and `SerializeCookieList()` * Looks like filtering should already work in the `GetCookieStringFromDocument()` for [CookieServiceChild](https://searchfox.org/mozilla-central/rev/5bcbe6ae54ee5b152f6cef29dc5627ec7c0e1f1e/netwerk/cookie/CookieServiceChild.cpp#325-327) and [CookieService](https://searchfox.org/mozilla-central/rev/5bcbe6ae54ee5b152f6cef29dc5627ec7c0e1f1e/netwerk/cookie/CookieService.cpp#438-441) so that's nice. Further, since we can probably trust a server to not intentionally try to overwrite it's own cookies I would expect the behavior of the following functions to remain the same: `CookieService::SetCookieStringFromHttp` -> only used to put cookie into jar from response header in parent context `CookieServiceChild::GetCookieStringFromHttp` -> not implemented `CookieServiceChild::SetCookieStringFromHttp` -> only used to add cookie from response header to child and notify parent to store cookie in jar
Bug 1783536 Comment 18 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
I agree that Option B looks like the way to go here. * The parameter expansion of `GetCookiesForURI` appears necessary since I wouldn't expect the parent-context `CookieService::GetCookieStringFromHttp` to change behavior. * Checking for secure cookies in an insecure origin will be easy within `GetCookiesForURI`. * Filtering in `SetCookieStringFromDocument` will be similar. * Wiping cookie values before broadcast to content processes will align with http-only cookies, namely in functions: `RemoveCookie()`, `AddCookie()`, `RemoveBatchDeletedCookies()` and `SerializeCookieList()` * Looks like filtering should already work in the `GetCookieStringFromDocument()` for [CookieServiceChild](https://searchfox.org/mozilla-central/rev/5bcbe6ae54ee5b152f6cef29dc5627ec7c0e1f1e/netwerk/cookie/CookieServiceChild.cpp#325-327) and [CookieService](https://searchfox.org/mozilla-central/rev/5bcbe6ae54ee5b152f6cef29dc5627ec7c0e1f1e/netwerk/cookie/CookieService.cpp#438-441) so that's nice. Further, since we can probably trust a server to not intentionally try to overwrite it's own cookies I would expect the behavior of the following functions to remain the same: `CookieService::SetCookieStringFromHttp` -> only used to put cookie into jar from response header in parent context `CookieServiceChild::GetCookieStringFromHttp` -> not implemented `CookieServiceChild::SetCookieStringFromHttp` -> only used to add cookie from response header to child and notify parent to store cookie in jar