
LibWebView: Reject cookies whose domain is on the Public Suffix List

Timothy Flynn 1 рік тому
батько
коміт
a39eebeb74

+ 2 - 0
Base/res/html/misc/cookie.html

@@ -20,6 +20,8 @@
     <label for=invalid4>The cookie expired in the past</label>
     <br /><input id=invalid5 type=button onclick="setTooLargeCookie()" value="cookie10=[more than 4096 chars]" />
     <label for=invalid5>The cookie is too large</label>
+    <br /><input id=invalid6 type=button onclick="setCookie(this.value)" value="cookie11=value11; domain=uk.gov" />
+    <label for=invalid6>The cookie's domain is on the Public Suffix List</label>
     <br />
 
     <h3>Unretrievable cookies (the browser should accept these but not display them):</h3>
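Review bot: The new `invalid6` button does not isolate the Public Suffix List check. Unless this page is served from a host under `uk.gov`, a cookie with `domain=uk.gov` should already be dropped by the domain-match step that follows in the storage algorithm (not visible on this page), so the case reads as "rejected" with or without the new code. Also, `uk.gov` looks like a transposition of `gov.uk`; as far as I can tell only the latter is a Public Suffix List entry. An automated test that stores a cookie for a request host below a real suffix, such as the constructed example `example.gov.uk` with `domain=gov.uk`, would show that the rejection comes from the new check.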

+ 13 - 1
Userland/Libraries/LibWebView/CookieJar.cpp

@@ -19,6 +19,7 @@
 #include <LibWeb/Cookie/ParsedCookie.h>
 #include <LibWebView/CookieJar.h>
 #include <LibWebView/Database.h>
+#include <LibWebView/URL.h>
 
 namespace WebView {
 
@@ -316,7 +317,18 @@ void CookieJar::store_cookie(Web::Cookie::ParsedCookie const& parsed_cookie, con
     }
 
     // 5. If the user agent is configured to reject "public suffixes" and the domain-attribute is a public suffix:
-    // FIXME: Support rejection of public suffixes. The full list is here: https://publicsuffix.org/list/public_suffix_list.dat
+    if (is_public_suffix(cookie.domain)) {
+        // If the domain-attribute is identical to the canonicalized request-host:
+        if (cookie.domain == canonicalized_domain) {
+            // Let the domain-attribute be the empty string.
+            cookie.domain = DeprecatedString::empty();
+        }
+        // Otherwise:
+        else {
+            // Ignore the cookie entirely and abort these steps.
+            return;
+        }
+    }
 
     // 6. If the domain-attribute is non-empty:
     if (!cookie.domain.is_empty()) {
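Review bot: `is_public_suffix(cookie.domain)` and the `cookie.domain == canonicalized_domain` comparison both appear to be exact-string checks, and nothing in this hunk shows that `cookie.domain` has been normalised (lower-cased, leading or trailing dot removed, IDN converted) the same way as `canonicalized_domain`. If it has not, a mixed-case or dot-terminated public suffix could skip the rejection and be stored as a domain cookie scoped to the whole suffix. After confirming against the parser, I would state the precondition above the check, e.g. `// cookie.domain is already canonicalized by the parser (lower-case, no leading dot); is_public_suffix() relies on that.` It is also worth documenting what `is_public_suffix()` returns when the list data is unavailable, so the check does not fail open silently. `store_cookie` begins before and continues after this hunk.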