Add an emergency way of narrow disabling new SameSite semantics via experiment

Bug: 1045122 Change-Id: I54beac2185515cf91b6225f9ce1588f2d2ae65e4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2015430 Commit-Queue: Maksim Orlovich <morlovich@chromium.org> Reviewed-by: Eric Orth <ericorth@chromium.org> Cr-Commit-Position: refs/heads/master@{#734693}

Add an emergency way of narrow disabling new SameSite semantics via experiment
Bug: 1045122 Change-Id: I54beac2185515cf91b6225f9ce1588f2d2ae65e4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2015430 Commit-Queue: Maksim Orlovich <morlovich@chromium.org> Reviewed-by: Eric Orth <ericorth@chromium.org> Cr-Commit-Position: refs/heads/master@{#734693}
08c3987f · Maks Orlovich · Commit Bot · 44ca1064 · 08c3987f · 08c3987f
Commit 08c3987f authored Jan 23, 2020 by Maks Orlovich Committed by Commit Bot Jan 23, 2020
5 changed files
--- a/services/network/cookie_settings.cc
+++ b/services/network/cookie_settings.cc
@@ -7,9 +7,12 @@
 #include <functional>
 #include "base/bind.h"
+#include "base/strings/string_split.h"
+#include "components/content_settings/core/common/content_settings_utils.h"
 #include "net/base/net_errors.h"
 #include "net/base/static_cookie_policy.h"
 #include "net/cookies/cookie_util.h"
+#include "services/network/public/cpp/features.h"
 namespace network {
 namespace {
@@ -17,10 +20,41 @@ bool IsDefaultSetting(const ContentSettingPatternSource& setting) {
  return setting.primary_pattern.MatchesAllHosts() &&
         setting.secondary_pattern.MatchesAllHosts();
 }
+void AppendEmergencyLegacyCookieAccess(
+    ContentSettingsForOneType* settings_for_legacy_cookie_access) {
+  if (!base::FeatureList::IsEnabled(features::kEmergencyLegacyCookieAccess))
+    return;
+  std::vector<std::string> patterns =
+      SplitString(features::kEmergencyLegacyCookieAccessParam.Get(), ",",
+                  base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
+  for (const auto& pattern_str : patterns) {
+    // Only primary pattern and the setting actually looked at here.
+    settings_for_legacy_cookie_access->push_back(ContentSettingPatternSource(
+        ContentSettingsPattern::FromString(pattern_str),
+        ContentSettingsPattern::Wildcard(),
+        /* legacy, see CookieSettingsBase::GetCookieAccessSemanticsForDomain */
+        base::Value::FromUniquePtrValue(
+            content_settings::ContentSettingToValue(CONTENT_SETTING_ALLOW)),
+        std::string(), false));
+  }
+}
 }  // namespace
-CookieSettings::CookieSettings() {}
+CookieSettings::CookieSettings() {
-CookieSettings::~CookieSettings() {}
+  AppendEmergencyLegacyCookieAccess(&settings_for_legacy_cookie_access_);
+}
+CookieSettings::~CookieSettings() = default;
+void CookieSettings::set_content_settings_for_legacy_cookie_access(
+    const ContentSettingsForOneType& settings) {
+  settings_for_legacy_cookie_access_ = settings;
+  AppendEmergencyLegacyCookieAccess(&settings_for_legacy_cookie_access_);
+}
 SessionCleanupCookieStore::DeleteCookiePredicate
 CookieSettings::CreateDeleteCookieOnExitPredicate() const {

--- a/services/network/cookie_settings.h
+++ b/services/network/cookie_settings.h
@@ -54,9 +54,7 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) CookieSettings
  }
  void set_content_settings_for_legacy_cookie_access(
-      const ContentSettingsForOneType& settings) {
+      const ContentSettingsForOneType& settings);
-    settings_for_legacy_cookie_access_ = settings;
-  }
  // Returns a predicate that takes the domain of a cookie and a bool whether
  // the cookie is secure and returns true if the cookie should be deleted on

--- a/services/network/cookie_settings_unittest.cc
+++ b/services/network/cookie_settings_unittest.cc
@@ -8,6 +8,7 @@
 #include "net/base/features.h"
 #include "net/cookies/cookie_constants.h"
 #include "net/cookies/cookie_util.h"
+#include "services/network/public/cpp/features.h"
 #include "testing/gtest/include/gtest/gtest.h"
 namespace network {
@@ -324,5 +325,45 @@ TEST(CookieSettingsTest,
  }
 }
+TEST(CookieSettingsTest, CookieAccessSemanticsEmergencyOverride) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitWithFeaturesAndParameters(
+      {{net::features::kSameSiteByDefaultCookies, {}},
+       {features::kEmergencyLegacyCookieAccess,
+        {{features::kEmergencyLegacyCookieAccessParamName,
+          "example.org, [*.]example.gov"}}}},
+      {} /* disabled_features*/);
+  CookieSettings settings;
+  settings.set_content_settings_for_legacy_cookie_access(
+      {CreateSetting(kDomainWildcardPattern, "*", CONTENT_SETTING_ALLOW)});
+  const struct {
+    net::CookieAccessSemantics status;
+    std::string cookie_domain;
+  } kTestCases[] = {
+      // These three test cases are LEGACY because they match the setting.
+      {net::CookieAccessSemantics::LEGACY, kDomain},
+      {net::CookieAccessSemantics::LEGACY, kDotDomain},
+      // Subdomain also matches pattern.
+      {net::CookieAccessSemantics::LEGACY, kSubDomain},
+      // This test case defaults into NONLEGACY.
+      {net::CookieAccessSemantics::NONLEGACY, kOtherDomain},
+      // things that got pushed via experiment config.
+      {net::CookieAccessSemantics::LEGACY, "example.org"},
+      {net::CookieAccessSemantics::NONLEGACY, "sub.example.org"},
+      {net::CookieAccessSemantics::LEGACY, "example.gov"},
+      {net::CookieAccessSemantics::LEGACY, "sub.example.gov"},
+      {net::CookieAccessSemantics::NONLEGACY, "example.gov.uk"},
+  };
+  for (const auto& test : kTestCases) {
+    EXPECT_EQ(test.status,
+              settings.GetCookieAccessSemanticsForDomain(test.cookie_domain))
+        << test.cookie_domain;
+  }
+}
 }  // namespace
 }  // namespace network
--- a/services/network/public/cpp/features.cc
+++ b/services/network/public/cpp/features.cc
@@ -169,6 +169,14 @@ const base::Feature
        "DeriveOriginFromUrlForNeitherGetNorHeadRequestWhenHavingSpecialAccess",
        base::FEATURE_DISABLED_BY_DEFAULT};
+// Emergency switch for legacy cookie access semantics on given patterns, as
+// specified by the param, comma separated.
+const base::Feature kEmergencyLegacyCookieAccess{
+    "EmergencyLegacyCookieAccess", base::FEATURE_DISABLED_BY_DEFAULT};
+const char kEmergencyLegacyCookieAccessParamName[] = "Patterns";
+const base::FeatureParam<std::string> kEmergencyLegacyCookieAccessParam{
+    &kEmergencyLegacyCookieAccess, kEmergencyLegacyCookieAccessParamName, ""};
 bool ShouldEnableOutOfBlinkCorsForTesting() {
  return base::FeatureList::IsEnabled(features::kOutOfBlinkCors);
 }

--- a/services/network/public/cpp/features.h
+++ b/services/network/public/cpp/features.h
@@ -62,6 +62,12 @@ extern const base::Feature kOutOfBlinkFrameAncestors;
 COMPONENT_EXPORT(NETWORK_CPP)
 extern const base::Feature
    kDeriveOriginFromUrlForNeitherGetNorHeadRequestWhenHavingSpecialAccess;
+COMPONENT_EXPORT(NETWORK_CPP)
+extern const base::Feature kEmergencyLegacyCookieAccess;
+COMPONENT_EXPORT(NETWORK_CPP)
+extern const char kEmergencyLegacyCookieAccessParamName[];
+COMPONENT_EXPORT(NETWORK_CPP)
+extern const base::FeatureParam<std::string> kEmergencyLegacyCookieAccessParam;
 COMPONENT_EXPORT(NETWORK_CPP)
 bool ShouldEnableOutOfBlinkCorsForTesting();