Make CookiePolicyBrowserTests work with SameSite changes

This change updates CookiePolicyBrowserTest to work under SameSiteByDefaultCookies and CookiesWithoutSameSiteMustBeSecure. This adds "SameSite=None;Secure" to some cookies which are accessed in a third party context in tests. Bug: 1006816 Change-Id: I7c4dc3d96f8cb718f9178fff93a000ce16c1d7f2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1830288Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Reviewed-by: Christian Dullweber <dullweber@chromium.org> Reviewed-by: John Abd-El-Malek <jam@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#708630}

Make CookiePolicyBrowserTests work with SameSite changes
This change updates CookiePolicyBrowserTest to work under SameSiteByDefaultCookies and CookiesWithoutSameSiteMustBeSecure. This adds "SameSite=None;Secure" to some cookies which are accessed in a third party context in tests. Bug: 1006816 Change-Id: I7c4dc3d96f8cb718f9178fff93a000ce16c1d7f2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1830288Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Reviewed-by: Christian Dullweber <dullweber@chromium.org> Reviewed-by: John Abd-El-Malek <jam@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#708630}
52a72af8 · Lily Chen · Commit Bot · c6bdd518 · 52a72af8 · 52a72af8
Commit 52a72af8 authored Oct 23, 2019 by Lily Chen Committed by Commit Bot Oct 23, 2019
Showing with 92 additions and 29 deletions

chrome/browser/net/cookie_policy_browsertest.cc chrome/browser/net/cookie_policy_browsertest.cc +83 -26

content/test/data/browsing_data/site_data.html content/test/data/browsing_data/site_data.html +9 -3

No files found.
--- a/chrome/browser/net/cookie_policy_browsertest.cc
+++ b/chrome/browser/net/cookie_policy_browsertest.cc
@@ -179,6 +179,8 @@ IN_PROC_BROWSER_TEST_F(CookiePolicyBrowserTest,
      content::GetCookies(browser()->profile(), redirected_url);
  ASSERT_EQ("", cookie);

+  // This cookie can be set even if it is Lax-by-default because the redirect
+  // counts as a top-level navigation and therefore the context is lax.
  ui_test_utils::NavigateToURL(browser(),
                               GURL(url.spec() + redirected_url.spec()));

@@ -197,24 +199,32 @@ IN_PROC_BROWSER_TEST_F(CookiePolicyBrowserTest,

  // Navigate iframe to a cross-site, cookie-setting endpoint, and verify that
  // the cookie is set:
-  NavigateFrameTo("b.com", "/set-cookie?thirdparty");
-  ExpectCookiesOnHost("b.com", "thirdparty");
+  NavigateFrameTo("b.com", "/set-cookie?thirdparty=1;SameSite=None;Secure");
+  ExpectCookiesOnHost("b.com", "thirdparty=1");

  // Navigate iframe to a cross-site frame with a frame, and navigate _that_
  // frame to a cross-site, cookie-setting endpoint, and verify that the cookie
  // is set:
  NavigateFrameTo("b.com", "/iframe.html");
-  NavigateNestedFrameTo("b.com", "/set-cookie?thirdparty");
-  ExpectCookiesOnHost("b.com", "thirdparty");
+  // Still need SameSite=None and Secure because the top-level is a.com so this
+  // is still cross-site.
+  NavigateNestedFrameTo("b.com",
+                        "/set-cookie?thirdparty=2;SameSite=None;Secure");
+  ExpectCookiesOnHost("b.com", "thirdparty=2");

  // Navigate iframe to a cross-site frame with a frame, and navigate _that_
  // frame to a cross-site, cookie-setting endpoint, and verify that the cookie
  // is set:
  NavigateFrameTo("c.com", "/iframe.html");
-  NavigateNestedFrameTo("b.com", "/set-cookie?thirdparty");
-  ExpectCookiesOnHost("b.com", "thirdparty");
+  NavigateNestedFrameTo("b.com",
+                        "/set-cookie?thirdparty=3;SameSite=None;Secure");
+  ExpectCookiesOnHost("b.com", "thirdparty=3");
 }

+// This test does the same navigations as the test above, so we can be assured
+// that the cookies are actually blocked because of the
+// block-third-party-cookies setting, and not just because of SameSite or
+// whatever.
 IN_PROC_BROWSER_TEST_F(CookiePolicyBrowserTest,
                       ThirdPartyCookiesIFrameBlockSetting) {
  SetBlockThirdPartyCookies(true);
@@ -223,21 +233,23 @@ IN_PROC_BROWSER_TEST_F(CookiePolicyBrowserTest,

  // Navigate iframe to a cross-site, cookie-setting endpoint, and verify that
  // the cookie is not set:
-  NavigateFrameTo("b.com", "/set-cookie?thirdparty");
+  NavigateFrameTo("b.com", "/set-cookie?thirdparty=1;SameSite=None;Secure");
  ExpectCookiesOnHost("b.com", "");

  // Navigate iframe to a cross-site frame with a frame, and navigate _that_
  // frame to a cross-site, cookie-setting endpoint, and verify that the cookie
  // is not set:
  NavigateFrameTo("b.com", "/iframe.html");
-  NavigateNestedFrameTo("b.com", "/set-cookie?thirdparty");
+  NavigateNestedFrameTo("b.com",
+                        "/set-cookie?thirdparty=2;SameSite=None;Secure");
  ExpectCookiesOnHost("b.com", "");

  // Navigate iframe to a cross-site frame with a frame, and navigate _that_
  // frame to a cross-site, cookie-setting endpoint, and verify that the cookie
  // is not set:
  NavigateFrameTo("c.com", "/iframe.html");
-  NavigateNestedFrameTo("b.com", "/set-cookie?thirdparty");
+  NavigateNestedFrameTo("b.com",
+                        "/set-cookie?thirdparty=3;SameSite=None;Secure");
  ExpectCookiesOnHost("b.com", "");
 }

@@ -247,39 +259,43 @@ IN_PROC_BROWSER_TEST_F(CookiePolicyBrowserTest,

  // Set a cookie on `b.com`.
  content::SetCookie(browser()->profile(), https_server_.GetURL("b.com", "/"),
-                     "thirdparty");
-  ExpectCookiesOnHost("b.com", "thirdparty");
+                     "thirdparty=1;SameSite=None;Secure");
+  ExpectCookiesOnHost("b.com", "thirdparty=1");

  NavigateToPageWithFrame("a.com");

  // Navigate iframe to a cross-site, cookie-reading endpoint, and verify that
  // the cookie is sent:
  NavigateFrameTo("b.com", "/echoheader?cookie");
-  ExpectFrameContent("thirdparty");
+  ExpectFrameContent("thirdparty=1");

  // Navigate iframe to a cross-site frame with a frame, and navigate _that_
  // frame to a cross-site page that echos the cookie header, and verify that
  // the cookie is sent:
  NavigateFrameTo("b.com", "/iframe.html");
  NavigateNestedFrameTo("b.com", "/echoheader?cookie");
-  ExpectNestedFrameContent("thirdparty");
+  ExpectNestedFrameContent("thirdparty=1");

  // Navigate iframe to a cross-site frame with a frame, and navigate _that_
  // frame to a distinct cross-site page that echos the cookie header, and
  // verify that the cookie is not sent:
  NavigateFrameTo("c.com", "/iframe.html");
  NavigateNestedFrameTo("b.com", "/echoheader?cookie");
-  ExpectNestedFrameContent("thirdparty");
+  ExpectNestedFrameContent("thirdparty=1");
 }

+// This test does the same navigations as the test above, so we can be assured
+// that the cookies are actually blocked because of the
+// block-third-party-cookies setting, and not just because of SameSite or
+// whatever.
 IN_PROC_BROWSER_TEST_F(CookiePolicyBrowserTest,
                       ThirdPartyCookiesIFrameBlockReading) {
  SetBlockThirdPartyCookies(true);

  // Set a cookie on `b.com`.
  content::SetCookie(browser()->profile(), https_server_.GetURL("b.com", "/"),
-                     "thirdparty");
-  ExpectCookiesOnHost("b.com", "thirdparty");
+                     "thirdparty=1;SameSite=None;Secure");
+  ExpectCookiesOnHost("b.com", "thirdparty=1");

  NavigateToPageWithFrame("a.com");

@@ -309,10 +325,17 @@ IN_PROC_BROWSER_TEST_F(CookiePolicyBrowserTest,

  // Set a cookie on `b.com`.
  content::SetCookie(browser()->profile(), https_server_.GetURL("b.com", "/"),
-                     "thirdparty");
-  ExpectCookiesOnHost("b.com", "thirdparty");
+                     "thirdparty=1;SameSite=None;Secure");
+  ExpectCookiesOnHost("b.com", "thirdparty=1");
+
+  // Set a cookie on othersite.com.
+  content::SetCookie(browser()->profile(),
+                     https_server_.GetURL("othersite.com", "/"),
+                     "thirdparty=other;SameSite=None;Secure");
+  ExpectCookiesOnHost("othersite.com", "thirdparty=other");

  // Allow all requests to b.com to have cookies.
+  // On the other hand, othersite.com does not have an exception set for it.
  auto cookie_settings =
      CookieSettingsFactory::GetForProfile(browser()->profile());
  GURL url = https_server_.GetURL("b.com", "/");
@@ -323,21 +346,32 @@ IN_PROC_BROWSER_TEST_F(CookiePolicyBrowserTest,
  // Navigate iframe to a cross-site, cookie-reading endpoint, and verify that
  // the cookie is sent:
  NavigateFrameTo("b.com", "/echoheader?cookie");
-  ExpectFrameContent("thirdparty");
+  ExpectFrameContent("thirdparty=1");
+  // Navigate iframe to othersite.com and verify that the cookie is not sent.
+  NavigateFrameTo("othersite.com", "/echoheader?cookie");
+  ExpectFrameContent("None");

  // Navigate iframe to a cross-site frame with a frame, and navigate _that_
  // frame to a cross-site page that echos the cookie header, and verify that
  // the cookie is sent:
  NavigateFrameTo("b.com", "/iframe.html");
  NavigateNestedFrameTo("b.com", "/echoheader?cookie");
-  ExpectNestedFrameContent("thirdparty");
+  ExpectNestedFrameContent("thirdparty=1");
+  // Navigate nested iframe to othersite.com and verify that the cookie is not
+  // sent.
+  NavigateNestedFrameTo("othersite.com", "/echoheader?cookie");
+  ExpectNestedFrameContent("None");

  // Navigate iframe to a cross-site frame with a frame, and navigate _that_
  // frame to a distinct cross-site page that echos the cookie header, and
  // verify that the cookie is sent:
  NavigateFrameTo("c.com", "/iframe.html");
  NavigateNestedFrameTo("b.com", "/echoheader?cookie");
-  ExpectNestedFrameContent("thirdparty");
+  ExpectNestedFrameContent("thirdparty=1");
+  // Navigate nested iframe to othersite.com and verify that the cookie is not
+  // sent.
+  NavigateNestedFrameTo("othersite.com", "/echoheader?cookie");
+  ExpectNestedFrameContent("None");
 }

 IN_PROC_BROWSER_TEST_F(CookiePolicyBrowserTest,
@@ -346,8 +380,8 @@ IN_PROC_BROWSER_TEST_F(CookiePolicyBrowserTest,

  // Set a cookie on `b.com`.
  content::SetCookie(browser()->profile(), https_server_.GetURL("b.com", "/"),
-                     "thirdparty");
-  ExpectCookiesOnHost("b.com", "thirdparty");
+                     "thirdparty=1;SameSite=None;Secure");
+  ExpectCookiesOnHost("b.com", "thirdparty=1");

  // Allow all requests on the top frame domain a.com to have cookies.
  auto cookie_settings =
@@ -361,21 +395,44 @@ IN_PROC_BROWSER_TEST_F(CookiePolicyBrowserTest,
  // Navigate iframe to a cross-site, cookie-reading endpoint, and verify that
  // the cookie is sent:
  NavigateFrameTo("b.com", "/echoheader?cookie");
-  ExpectFrameContent("thirdparty");
+  ExpectFrameContent("thirdparty=1");

  // Navigate iframe to a cross-site frame with a frame, and navigate _that_
  // frame to a cross-site page that echos the cookie header, and verify that
  // the cookie is sent:
  NavigateFrameTo("b.com", "/iframe.html");
  NavigateNestedFrameTo("b.com", "/echoheader?cookie");
-  ExpectNestedFrameContent("thirdparty");
+  ExpectNestedFrameContent("thirdparty=1");

  // Navigate iframe to a cross-site frame with a frame, and navigate _that_
  // frame to a distinct cross-site page that echos the cookie header, and
  // verify that the cookie is sent:
  NavigateFrameTo("c.com", "/iframe.html");
  NavigateNestedFrameTo("b.com", "/echoheader?cookie");
-  ExpectNestedFrameContent("thirdparty");
+  ExpectNestedFrameContent("thirdparty=1");
+
+  // Now repeat the above with a dfiferent top frame site, which does not have
+  // an exception set for it.
+  NavigateToPageWithFrame("othersite.com");
+
+  // Navigate iframe to a cross-site, cookie-reading endpoint, and verify that
+  // the cookie is not sent:
+  NavigateFrameTo("b.com", "/echoheader?cookie");
+  ExpectFrameContent("None");
+
+  // Navigate iframe to a cross-site frame with a frame, and navigate _that_
+  // frame to a cross-site page that echos the cookie header, and verify that
+  // the cookie is not sent:
+  NavigateFrameTo("b.com", "/iframe.html");
+  NavigateNestedFrameTo("b.com", "/echoheader?cookie");
+  ExpectNestedFrameContent("None");
+
+  // Navigate iframe to a cross-site frame with a frame, and navigate _that_
+  // frame to a distinct cross-site page that echos the cookie header, and
+  // verify that the cookie is not sent:
+  NavigateFrameTo("c.com", "/iframe.html");
+  NavigateNestedFrameTo("b.com", "/echoheader?cookie");
+  ExpectNestedFrameContent("None");
 }

 IN_PROC_BROWSER_TEST_F(CookiePolicyBrowserTest, ThirdPartyIFrameStorage) {

--- a/content/test/data/browsing_data/site_data.html
+++ b/content/test/data/browsing_data/site_data.html
@@ -9,8 +9,13 @@
    domAutomationController.send(false);
  }

+  function isHttps_() {
+    return location.protocol === 'https:';
+  }
+
  function setCookie() {
-    document.cookie = 'foo=bar; Max-Age=1000';
+    const samesite_none_secure = '; SameSite=None; Secure';
+    document.cookie = 'foo=bar; Max-Age=1000' + (isHttps_() ? samesite_none_secure : '');
    success_();
  }

@@ -19,7 +24,8 @@
  }

  function setSessionCookie() {
-    document.cookie = 'bar=session';
+    const samesite_none_secure = '; SameSite=None; Secure';
+    document.cookie = 'bar=session' + (isHttps_() ? samesite_none_secure : '');
    success_();
  }

@@ -155,4 +161,4 @@
  and BrowsingDataRemoverBrowserTest::SetDataForType.
 </body>

-</html>
\ No newline at end of file
+</html>