Created attachment 290175 [details] [review]
Port to WebKit2

Review of attachment 290175 [details] [review]:

Looks good to me, other than the comment below.

::: src/edit.js
@@ +53,3 @@
+        context = WebKit.WebContext.get_default();
+        cookie_manager = context.get_cookie_manager();
+        cookie_manager.delete_all_cookies();

Why do you need this?

Feel free to use http://landfill.bugzilla.org/ if you want to test things.

Whoops, damn, wrong tab. Sorry.

(In reply to comment #2)
> Review of attachment 290175 [details] [review]:
> 
> Looks good to me, other than the comment below.
> 
> ::: src/edit.js
> @@ +53,3 @@
> +        context = WebKit.WebContext.get_default();
> +        cookie_manager = context.get_cookie_manager();
> +        cookie_manager.delete_all_cookies();
> 
> Why do you need this?

In the past we had code to remove the existing cookie jar with our own to ensure that the cookie jar used in the browser does not leak into our session. This idea originated in GOA [1] where we wanted to be very sure that the user explicitly entered her credentials, instead of accidentally adding somebody else's account that might have been used in the browser.

Anyway, as far as I can see cookies are not leaking from the browser to the application, so we don't need this delete_all_cookies call. I tested by logging into Drive in epiphany and then starting gnome-documents without the cookies DB.

Note that if you ctrl+c out of the app instead of waiting for the inactivity-timeout, then the cookies won't be stored persistently and you will have to re-authenticate next time.

[1] https://git.gnome.org/browse/gnome-online-accounts/tree/src/goabackend/goawebview.c#n286

Created attachment 290342 [details] [review]
Port to WebKit2

Remove the delete_all_cookies call.

Review of attachment 290342 [details] [review]:

Looks good, thanks.

(In reply to comment #5)
> (In reply to comment #2)
> > Review of attachment 290175 [details] [review] [details]:
> > 
> > Looks good to me, other than the comment below.
> > 
> > ::: src/edit.js
> > @@ +53,3 @@
> > +        context = WebKit.WebContext.get_default();
> > +        cookie_manager = context.get_cookie_manager();
> > +        cookie_manager.delete_all_cookies();
> > 
> > Why do you need this?
> 
> In the past we had code to remove the existing cookie jar with our own to
> ensure that the cookie jar used in the browser does not leak into our session.

That shouldn't happen unless you use the same sqlite database, which is not the case.

> This idea originated in GOA [1] where we wanted to be very sure that the user
> explicitly entered her credentials, instead of accidentally adding somebody
> else's account that might have been used in the browser.
> 
> Anyway, as far as I can see cookies are not leaking from the browser to the
> application, so we don't need this delete_all_cookies call. I tested by logging
> into Drive in epiphany and then starting gnome-documents without the cookies
> DB.

In WebKit2 the application has to set a cookies jar path to enable persisten cookies, so unless two apps use the same file the cookies should never be shared between applications.
 
> Note that if you ctrl+c out of the app instead of waiting for the
> inactivity-timeout, then the cookies won't be stored persistently and you will
> have to re-authenticate next time.

We write the cookies to the sqlite database when the cookie jar changes, so that sounds like a bug in wk, please file a bug report.

> [1]
> https://git.gnome.org/browse/gnome-online-accounts/tree/src/goabackend/goawebview.c#n286

I'm happy to see the port was so easy for gnome-documents :-)