From 472071c0476f3d42d5767a6823194857aa7f240b Mon Sep 17 00:00:00 2001
From: Martin Tournoij <martin@arp242.net>
Date: Wed, 3 Jun 2015 23:59:24 +0200
Subject: [PATCH] Add setting: 'content.third-party-cookie-policy', fixes #607

This sets the third-party cookie policy.

- I created a new ThirdPartyCookiePolicy() class, since this setting seems to be
  unique in the way it is set...

- I set the default to 'never', which is the most secure/private setting, but
  *may* break *some* features of a (very) limited number of sites; these are
  usually "non-critical" features.
  For example, on Stack Exchange sites you're logged in all 200+ sites if you
  sign in on one of them, this features required 3rd party cookies. You can
  still sign in with out, but you have to do so 200+ times (this is actually the
  only example I've ever noticed).

  AFAIK all "major" browsers accept 3rd-party cookies by default, except for
  Safari. Firefox also made this change, but reversed it (see:
  https://brendaneich.com/2013/05/c-is-for-cookie/), but they don't offer any
  good arguments to *not* have it IMHO, at least not that I could find.

  In any case, in my humble opinion "secure and private by default" is the best
  way to ship. But you're of course free to change it if you disagree ;-)
---
 doc/help/settings.asciidoc        | 13 +++++++++++++
 qutebrowser/config/configdata.py  |  4 ++++
 qutebrowser/config/configtypes.py | 10 ++++++++++
 qutebrowser/config/websettings.py | 21 +++++++++++++++++++++
 4 files changed, 48 insertions(+)

diff --git a/doc/help/settings.asciidoc b/doc/help/settings.asciidoc
index fc4802232..717a46d13 100644
--- a/doc/help/settings.asciidoc
+++ b/doc/help/settings.asciidoc
@@ -151,6 +151,7 @@
 |<<content-local-content-can-access-file-urls,local-content-can-access-file-urls>>|Whether locally loaded documents are allowed to access other local urls.
 |<<content-cookies-accept,cookies-accept>>|Whether to accept cookies.
 |<<content-cookies-store,cookies-store>>|Whether to store cookies.
+|<<content-third-party-cookie-policy,third-party-cookie-policy>>|Accept cookies from domains other than the main website
 |<<content-host-block-lists,host-block-lists>>|List of URLs of lists which contain hosts to block.
 |<<content-host-blocking-enabled,host-blocking-enabled>>|Whether host blocking is enabled.
 |==============
@@ -1336,6 +1337,18 @@ Valid values:
 
 Default: +pass:[true]+
 
+[[content-third-party-cookie-policy]]
+=== third-party-cookie-policy
+Accept cookies from domains other than the main website
+
+Valid values:
+
+ * +always+: Always accept.
+ * +never+: Never accept.
+ * +existing+: Only accept if we already have acookie stored for the domain
+
+Default: +pass:[never]+
+
 [[content-host-block-lists]]
 === host-block-lists
 List of URLs of lists which contain hosts to block.
diff --git a/qutebrowser/config/configdata.py b/qutebrowser/config/configdata.py
index a3bbe2d48..9028d2c78 100644
--- a/qutebrowser/config/configdata.py
+++ b/qutebrowser/config/configdata.py
@@ -681,6 +681,10 @@ def data(readonly=False):
              SettingValue(typ.Bool(), 'true'),
              "Whether to store cookies."),
 
+            ('third-party-cookie-policy',
+             SettingValue(typ.ThirdPartyCookiePolicy(), 'never'),
+             "Accept cookies from domains other than the main website"),
+
             ('host-block-lists',
              SettingValue(
                  typ.UrlList(none_ok=True),
diff --git a/qutebrowser/config/configtypes.py b/qutebrowser/config/configtypes.py
index 55d782202..b4d7319c6 100644
--- a/qutebrowser/config/configtypes.py
+++ b/qutebrowser/config/configtypes.py
@@ -1329,6 +1329,16 @@ class AcceptCookies(BaseType):
                                ('never', "Don't accept cookies at all."))
 
 
+class ThirdPartyCookiePolicy(BaseType):
+
+    """Accept cookies from domains other than the main website."""
+
+    valid_values = ValidValues(('always', "Always accept."),
+                               ('never', "Never accept."),
+                               ('existing', "Only accept if we already have a"
+                                   "cookie stored for the domain."))
+
+
 class ConfirmQuit(List):
 
     """Whether to display a confirmation when the window is closed."""
diff --git a/qutebrowser/config/websettings.py b/qutebrowser/config/websettings.py
index 117abbb26..edea4edeb 100644
--- a/qutebrowser/config/websettings.py
+++ b/qutebrowser/config/websettings.py
@@ -238,6 +238,25 @@ class GlobalSetter(Setter):
         self._setter(*args)
 
 
+class ThirdPartyCookies(Base):
+
+    """The ThirdPartyCookiePolicy setting is different from other settings."""
+
+    mapping = (
+        ('always', QWebSettings.AlwaysAllowThirdPartyCookies),
+        ('never', QWebSettings.AlwaysBlockThirdPartyCookies),
+        ('existing', QWebSettings.AllowThirdPartyWithExistingCookies),
+    )
+
+    def get(self, qws=None):
+        policy = QWebSettings.globalSettings().thirdPartyCookiePolicy()
+        return tuple(filter(lambda i: i[1] == policy, self.mapping))[0][0]
+
+    def _set(self, value, qws=None):
+        x = filter(lambda i: i[0] == value, self.mapping)
+        QWebSettings.globalSettings().setThirdPartyCookiePolicy(tuple(x)[0][1])
+
+
 MAPPINGS = {
     'content': {
         'allow-images':
@@ -264,6 +283,8 @@ MAPPINGS = {
             Attribute(QWebSettings.LocalContentCanAccessRemoteUrls),
         'local-content-can-access-file-urls':
             Attribute(QWebSettings.LocalContentCanAccessFileUrls),
+        'third-party-cookie-policy':
+            ThirdPartyCookies(),
     },
     'network': {
         'dns-prefetch':