privacy: never send cookies in third-party requests

as mentioned in section 7.1 of RFC 6265

1 files changed, 5 insertions, 3 deletions

diff --git a/src/IO/http.c b/src/IO/http.c
index 526b8460..41ee137a 100644
--- a/src/IO/http.c
+++ b/src/IO/http.c
@@ -271,7 +271,8 @@ static Dstr *Http_make_content_type(const DilloUrl *url)
 /*
  * Make the http query string
  */
-Dstr *a_Http_make_query_str(const DilloUrl *url, bool_t use_proxy)
+Dstr *a_Http_make_query_str(const DilloUrl *url, const DilloUrl *requester,
+                            bool_t use_proxy)
 {
    const char *auth;
    char *ptr, *cookies, *referer;
@@ -296,7 +297,7 @@ Dstr *a_Http_make_query_str(const DilloUrl *url, bool_t use_proxy)
                     (URL_PATH_(url) || URL_QUERY_(url)) ? "" : "/");
    }
 
-   cookies = a_Cookies_get_query(url);
+   cookies = a_Cookies_get_query(url, requester);
    auth = a_Auth_get_auth_str(url);
    referer = Http_get_referer(url);
    if (URL_FLAGS(url) & URL_Post) {
@@ -365,7 +366,8 @@ static void Http_send_query(ChainLink *Info, SocketData_t *S)
    DataBuf *dbuf;
 
    /* Create the query */
-   query = a_Http_make_query_str(S->web->url,S->flags & HTTP_SOCKET_USE_PROXY);
+   query = a_Http_make_query_str(S->web->url, S->web->requester,
+                                 S->flags & HTTP_SOCKET_USE_PROXY);
    dbuf = a_Chain_dbuf_new(query->str, query->len, 0);
 
    /* actually this message is sent too early.