-
Lily Chen authored
This attempts to detect SameSite cookie "compatibility pairs" and tag them with a new CookieInclusionStatus::WarningReason. These are pairs of two similar cookies used to work around incompatible clients (browsers which do not support SameSite=None), where one has SameSite=None and Secure and the other has no SameSite attribute specified. The intention is that browsers which support SameSite=None and enforce SameSite-Lax-by-default will drop the old-style cookie, while browsers which do not support SameSite=None will drop the new-style cookie. The heuristic used to detect such pairs of cookies is: - The cookies cannot be equivalent (same name, domain, path). - One must have SameSite=None and Secure, and the other must have unspecified SameSite. - They must have the same domain, path, and value. - One must have a name that is a prefix or suffix of the other's name, and the shorter of the two names must have length at least 3. Such pairs of cookies are tagged if they are included in the same cross-site access attempt via HTTP request, HTTP response, or document.cookie read. Setting cookies via writing to document.cookie does not result in tagging of compatibility pairs. Additionally, a cookie access in a non-HTTP (i.e. script) context will not tag or compute cookie pairs from any cookie that has the HttpOnly attribute. Bug: 1095192 Change-Id: I43075cb851e6e02a5d2ef3e443e63e13fb21bd4a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2243255 Commit-Queue: Lily Chen <chlily@chromium.org> Reviewed-by:
Maksim Orlovich <morlovich@chromium.org> Cr-Commit-Position: refs/heads/master@{#779942}
d8675a0e
