Merge remote-tracking branch 'origin/5.11' into dev

Change-Id: Ia082e20e2eb4b76afd4c1a1584ff4e5514655d7a
author: Qt Forward Merge Bot <qt_forward_merge_bot@qt-project.org> 2018-05-02 13:15:15 +0200
committer: Qt Forward Merge Bot <qt_forward_merge_bot@qt-project.org> 2018-05-02 13:15:15 +0200
commit: 7de400052f7df52095103f56f1cb753854be1af1 (patch)
tree: 823c01302efd5d2181a3b3a55eb2937e52c849b1 /src/network/access
parent: 8b098e6544221a96bc6a41a6bfcc0dfa7cf805e6 (diff)
parent: 364bd6ca74b059ffe8ae367e1562645a3ed0855e (diff)
2 files changed, 19 insertions, 1 deletions
diff --git a/src/network/access/qnetworkaccessmanager.cpp b/src/network/access/qnetworkaccessmanager.cpp
index 07644b869f..35e79a69f2 100644
--- a/src/network/access/qnetworkaccessmanager.cpp
+++ b/src/network/access/qnetworkaccessmanager.cpp
@@ -178,7 +178,9 @@ static void ensureInitialized()
     it sends. It contains the proxy and cache configuration, as well as the
     signals related to such issues, and reply signals that can be used to
     monitor the progress of a network operation. One QNetworkAccessManager
-    should be enough for the whole Qt application.
+    instance should be enough for the whole Qt application. Since
+    QNetworkAccessManager is based on QObject, it can only be used from the
+    thread it belongs to.
 
     Once a QNetworkAccessManager object has been created, the application can
     use it to send requests over the network. A group of standard functions
diff --git a/src/network/access/qnetworkcookiejar.cpp b/src/network/access/qnetworkcookiejar.cpp
index f62a03b11d..2ec4acf26c 100644
--- a/src/network/access/qnetworkcookiejar.cpp
+++ b/src/network/access/qnetworkcookiejar.cpp
@@ -241,6 +241,17 @@ QList<QNetworkCookie> QNetworkCookieJar::cookiesForUrl(const QUrl &url) const
         if ((*it).isSecure() && !isEncrypted)
             continue;
 
+        QString domain = it->domain();
+        if (domain.startsWith(QLatin1Char('.'))) /// Qt6?: remove when compliant with RFC6265
+            domain = domain.mid(1);
+#if QT_CONFIG(topleveldomain)
+        if (qIsEffectiveTLD(domain) && url.host() != domain)
+            continue;
+#else
+        if (!domain.contains(QLatin1Char('.')) && url.host() != domain)
+            continue;
+#endif // topleveldomain
+
         // insert this cookie into result, sorted by path
         QList<QNetworkCookie>::Iterator insertIt = result.begin();
         while (insertIt != result.end()) {
@@ -340,6 +351,11 @@ bool QNetworkCookieJar::validateCookie(const QNetworkCookie &cookie, const QUrl
     if (domain.startsWith(QLatin1Char('.')))
         domain = domain.mid(1);
 
+    // We shouldn't reject if:
+    // "[...] the domain-attribute is identical to the canonicalized request-host"
+    // https://tools.ietf.org/html/rfc6265#section-5.3 step 5
+    if (host == domain)
+        return true;
 #if QT_CONFIG(topleveldomain)
     // the check for effective TLDs makes the "embedded dot" rule from RFC 2109 section 4.3.2
     // redundant; the "leading dot" rule has been relaxed anyway, see QNetworkCookie::normalize()
author	Qt Forward Merge Bot <qt_forward_merge_bot@qt-project.org>	2018-05-02 13:15:15 +0200
committer	Qt Forward Merge Bot <qt_forward_merge_bot@qt-project.org>	2018-05-02 13:15:15 +0200
commit	7de400052f7df52095103f56f1cb753854be1af1 (patch)
tree	823c01302efd5d2181a3b3a55eb2937e52c849b1 /src/network/access
parent	8b098e6544221a96bc6a41a6bfcc0dfa7cf805e6 (diff)
parent	364bd6ca74b059ffe8ae367e1562645a3ed0855e (diff)