Skip to content

LibWeb: Implement Clear-Site-Data HTTP response header #6887

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

LibWeb: Implement Clear-Site-Data HTTP response header #6887

wants to merge 1 commit into from
+186 −1

Conversation

@estefysc
Copy link
Contributor

@estefysc estefysc commented Nov 20, 2025

Add support for parsing and processing the Clear-Site-Data HTTP response header per W3C specification. This causes the navigation.https.html WPT test to go from timeout to pass.

Implemented:

  • Storage clearing (origin-scoped): LocalStorage, SessionStorage, IndexedDB, ServiceWorkers, Caches
  • Cookie clearing (global - CookieJar lacks domain-scoped API)
  • Header parsing for "cache", "cookies", "storage", "*" directives

Not implemented:

  • Cache clearing (no API available)
  • ExecutionContexts/reload

Testing:
WPT test clear-site-data/navigation.https.html passes via browser runner (./Meta/ladybird.py).

gmta
gmta reviewed Nov 21, 2025
View reviewed changes
Libraries/LibWeb/Loader/ResourceLoader.cpp Outdated
page.client().page_did_set_cookie(url, cookie.value(), Cookie::Source::Http); // FIXME: Determine cookie source correctly
}

// https://www.w3.org/TR/clear-site-data/#parsing
Copy link
Collaborator

@gmta gmta Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you first make sure your using the editor's draft of this spec?
I.e. https://w3c.github.io/webappsec-clear-site-data/

Copy link
Contributor Author

@estefysc estefysc Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will do.

trflynn89
trflynn89 reviewed Nov 21, 2025
View reviewed changes
Libraries/LibWebView/WebContentClient.cpp Outdated
void WebContentClient::did_clear_all_cookies(URL::URL url)
{
(void)url;
Application::cookie_jar().expire_cookies_accessed_since(UnixDateTime::from_seconds_since_epoch(0));
Copy link
Contributor

@trflynn89 trflynn89 Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't thoroughly looked at this patch, but this caught my eye - I really do not want a single site sending a Clear-Site-Data header to delete all of my cookies.

Imagine github.com sending this header and suddenly you're logged out of youtube.com.

Copy link
Contributor Author

@estefysc estefysc Nov 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep, I understand that. I was trying to stay within scope for this PR (added the fixme noting per origin clearing needed to be implemented). If it's no problem, then I can implement the per origin clearing before resubmitting.

Copy link
Collaborator

@gmta gmta Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should definitely not clear everything; please update the PR to do this per origin instead.

Copy link
Contributor Author

@estefysc estefysc Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will do

@estefysc
Copy link
Contributor Author

estefysc commented Nov 25, 2025

I am resubmitting with code that clears cookies per origin and with the editor's draft url for the spec.

@github-actions github-actions bot added the conflicts Pull request has merge conflicts that need resolution label Nov 27, 2025
@github-actions
Copy link

github-actions bot commented Nov 27, 2025

Your pull request has conflicts that need to be resolved before it can be reviewed and merged. Make sure to rebase your branch on top of the latest master.

@github-actions github-actions bot removed the conflicts Pull request has merge conflicts that need resolution label Nov 28, 2025
@estefysc
LibWeb: Implement Clear-Site-Data HTTP response header
8718354 
Add support for parsing and processing the Clear-Site-Data HTTP
response header per W3C specification. This causes the
navigation.https.html WPT test to go from timeout to pass.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gmta gmta gmta left review comments

@trflynn89 trflynn89 trflynn89 left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@estefysc @gmta @trflynn89