From bd67a5afaa74b8099b99febd830a0c0235e9b89b Mon Sep 17 00:00:00 2001
From: Shannon Booth
Date: Mon, 30 Jun 2025 15:19:27 +1200
Subject: [PATCH] LibURL: Differentiate cross site opaque origins

Previously if we had two opaque origins both URLs were being treated as same site.
---
 Libraries/LibURL/Site.cpp | 3 +--
 Tests/LibURL/TestURL.cpp | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/Libraries/LibURL/Site.cpp b/Libraries/LibURL/Site.cpp
index 9f097f6f547..d3985849e41 100644
--- a/Libraries/LibURL/Site.cpp
+++ b/Libraries/LibURL/Site.cpp
@@ -36,9 +36,8 @@ bool Site::is_same_site(Site const& other) const
 {
 // 1. If A and B are the same opaque origin, then return true.
 // NOTE: Origins in sites are always opaque.
- // FIXME: Currently all opaque origins are identical, how should we distinguish them?
 if (m_value.has() && other.m_value.has())
- return true;
+ return m_value.get().nonce() == other.m_value.get().nonce();

 // 2. If A or B is an opaque origin, then return false.
 if (m_value.has() || other.m_value.has())
diff --git a/Tests/LibURL/TestURL.cpp b/Tests/LibURL/TestURL.cpp
index 7cf1982468f..20708ce42fb 100644
--- a/Tests/LibURL/TestURL.cpp
+++ b/Tests/LibURL/TestURL.cpp
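Review bot: In `Site::is_same_site` (Libraries/LibURL/Site.cpp), the new `nonce()` comparison is only as safe as the invariant in the NOTE above it, that an origin stored in a site is always opaque, and nothing in the hunk enforces that. If a tuple origin ever reached this branch, the answer would depend on what `nonce()` does for a non-opaque origin, which is not visible here, and a same-site decision should fail closed rather than report a match. I would assert the invariant on both stored origins just before the comparison, along the lines of `VERIFY(a.is_opaque() && b.is_opaque());`, and extend the NOTE to say that opaque identity is decided by the nonce. The function body continues past the end of the hunk.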
@@ -689,3 +689,23 @@ TEST_CASE(public_suffix)
 EXPECT_EQ(domain->public_suffix(), OptionalNone {});
 }
 }
+
+TEST_CASE(same_site)
+{
+ auto opaque_origin = URL::Origin::create_opaque();
+ auto second_opaque_origin = URL::Origin::create_opaque();
+
+ auto site1_https_url = URL::Parser::basic_parse("https://www.ladybird.org"sv).value();
+ auto site1_https_second_url = URL::Parser::basic_parse("https://www.ladybird.org/some/file/path"sv).value();
+ auto site1_http_url = URL::Parser::basic_parse("http://www.ladybird.org"sv).value();
+
+ auto site2_https_url = URL::Parser::basic_parse("https://www.serenityos.org"sv).value();
+
+ EXPECT(!opaque_origin.is_same_site(second_opaque_origin));
+ EXPECT(opaque_origin.is_same_site(opaque_origin));
+ EXPECT(!opaque_origin.is_same_site(site1_https_url.origin()));
+
+ EXPECT(site1_https_url.origin().is_same_site(site1_https_second_url.origin()));
+ EXPECT(!site1_https_url.origin().is_same_site(site1_http_url.origin()));
+ EXPECT(!site1_https_url.origin().is_same_site(site2_https_url.origin()));
+}
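Review bot: The opaque-origin cases in `TEST_CASE(same_site)` are asserted in one direction only and never on a copy, so the test does not pin symmetry or show that identity follows the nonce rather than the object. Adding `EXPECT(!second_opaque_origin.is_same_site(opaque_origin));`, `EXPECT(!site1_https_url.origin().is_same_site(opaque_origin));` and `auto copy = opaque_origin; EXPECT(opaque_origin.is_same_site(copy));` would cover both. The test also calls `URL::Origin::is_same_site`, while the behavioural change is in `Site::is_same_site`. That delegation is presumably in place but is not visible in this patch, so a one-line comment saying which path is being exercised would help the next reader.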