Update DetachedResourceRequestTest cookie tests to upcoming changes

We are going to be asking cookies accessible in 3rd party contexts to be marked as samesite=none and secure, so make tests that want such cookies (if only to test them being blocked by preferences) set those attributes and use HTTPS. Bug: 1006816 Change-Id: I3c4b58de2b75736b85ce87b694c57fd8db04cbe1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1873154Reviewed-by: Benoit L <lizeb@chromium.org> Commit-Queue: Maksim Orlovich <morlovich@chromium.org> Cr-Commit-Position: refs/heads/master@{#710761}

Update DetachedResourceRequestTest cookie tests to upcoming changes
We are going to be asking cookies accessible in 3rd party contexts to be marked as samesite=none and secure, so make tests that want such cookies (if only to test them being blocked by preferences) set those attributes and use HTTPS. Bug: 1006816 Change-Id: I3c4b58de2b75736b85ce87b694c57fd8db04cbe1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1873154Reviewed-by: Benoit L <lizeb@chromium.org> Commit-Queue: Maksim Orlovich <morlovich@chromium.org> Cr-Commit-Position: refs/heads/master@{#710761}
649be46e · Maks Orlovich · Commit Bot · 0385b323 · 649be46e · 649be46e
Commit 649be46e authored Oct 30, 2019 by Maks Orlovich Committed by Commit Bot Oct 30, 2019
4 changed files
--- a/chrome/android/java/src/org/chromium/chrome/browser/ChromeFeatureList.java
+++ b/chrome/android/java/src/org/chromium/chrome/browser/ChromeFeatureList.java
@@ -226,6 +226,8 @@ public abstract class ChromeFeatureList {
            "ContextualSearchTapDisableOverride";
    public static final String CONTEXTUAL_SEARCH_TRANSLATION_MODEL =
            "ContextualSearchTranslationModel";
+    public static final String COOKIES_WITHOUT_SAME_SITE_MUST_BE_SECURE =
+            "CookiesWithoutSameSiteMustBeSecure";
    public static final String DARKEN_WEBSITES_CHECKBOX_IN_THEMES_SETTING =
            "DarkenWebsitesCheckboxInThemesSetting";
    public static final String DIRECT_ACTIONS = "DirectActions";
@@ -311,6 +313,7 @@ public abstract class ChromeFeatureList {
    public static final String REMOVE_NAVIGATION_HISTORY = "RemoveNavigationHistory";
    public static final String REORDER_BOOKMARKS = "ReorderBookmarks";
    public static final String REVAMPED_CONTEXT_MENU = "RevampedContextMenu";
+    public static final String SAME_SITE_BY_DEFAULT_COOKIES = "SameSiteByDefaultCookies";
    public static final String SCROLL_TO_EXPAND_PAYMENT_HANDLER = "ScrollToExpandPaymentHandler";
    public static final String SEND_TAB_TO_SELF = "SyncSendTabToSelf";
    public static final String SERVICE_MANAGER_FOR_DOWNLOAD = "ServiceManagerForDownload";

--- a/chrome/android/javatests/src/org/chromium/chrome/browser/customtabs/DetachedResourceRequestTest.java
+++ b/chrome/android/javatests/src/org/chromium/chrome/browser/customtabs/DetachedResourceRequestTest.java
@@ -12,6 +12,12 @@ import android.os.Bundle;
 import android.support.test.InstrumentationRegistry;
 import android.support.test.filters.SmallTest;
+import androidx.browser.customtabs.CustomTabsCallback;
+import androidx.browser.customtabs.CustomTabsIntent;
+import androidx.browser.customtabs.CustomTabsService;
+import androidx.browser.customtabs.CustomTabsSession;
+import androidx.browser.customtabs.CustomTabsSessionToken;
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
@@ -42,18 +48,13 @@ import org.chromium.content_public.browser.test.util.JavaScriptUtils;
 import org.chromium.content_public.browser.test.util.TestThreadUtils;
 import org.chromium.net.NetError;
 import org.chromium.net.test.EmbeddedTestServer;
+import org.chromium.net.test.ServerCertificate;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import java.util.concurrent.TimeoutException;
-import androidx.browser.customtabs.CustomTabsCallback;
-import androidx.browser.customtabs.CustomTabsIntent;
-import androidx.browser.customtabs.CustomTabsService;
-import androidx.browser.customtabs.CustomTabsSession;
-import androidx.browser.customtabs.CustomTabsSessionToken;
 /** Tests for detached resource requests. */
 @RunWith(ChromeJUnit4ClassRunner.class)
 public class DetachedResourceRequestTest {
@@ -351,13 +352,13 @@ public class DetachedResourceRequestTest {
    public void testCanBlockThirdPartyCookies() throws Exception {
        CustomTabsSessionToken session = prepareSession();
        CustomTabsTestUtils.warmUpAndWait();
-        mServer = EmbeddedTestServer.createAndStartServer(mContext);
+        mServer = EmbeddedTestServer.createAndStartHTTPSServer(mContext, ServerCertificate.CERT_OK);
        TestThreadUtils.runOnUiThreadBlocking(() -> {
            PrefServiceBridge prefs = PrefServiceBridge.getInstance();
            Assert.assertFalse(prefs.isBlockThirdPartyCookiesEnabled());
            prefs.setBlockThirdPartyCookiesEnabled(true);
        });
-        final Uri url = Uri.parse(mServer.getURL("/set-cookie?acookie"));
+        final Uri url = Uri.parse(mServer.getURL("/set-cookie?acookie;SameSite=none;Secure"));
        TestThreadUtils.runOnUiThreadBlocking(() -> {
            Assert.assertEquals(CustomTabsConnection.ParallelRequestStatus.SUCCESS,
                    mConnection.handleParallelRequest(session, prepareIntent(url, ORIGIN)));
@@ -373,6 +374,44 @@ public class DetachedResourceRequestTest {
        Assert.assertEquals("\"None\"", content);
    }
+    /**
+     * Demonstrates upcoming restrictions on cookies in third party contexts
+     */
+    @Test
+    @SmallTest
+    @EnableFeatures({ChromeFeatureList.SAME_SITE_BY_DEFAULT_COOKIES,
+            ChromeFeatureList.COOKIES_WITHOUT_SAME_SITE_MUST_BE_SECURE})
+    public void
+    testUpcomingThirdPartyCookiePolicies() throws Exception {
+        CustomTabsSessionToken session = prepareSession();
+        CustomTabsTestUtils.warmUpAndWait();
+        mServer = EmbeddedTestServer.createAndStartHTTPSServer(mContext, ServerCertificate.CERT_OK);
+        // This isn't blocking third-party cookies by preferences.
+        TestThreadUtils.runOnUiThreadBlocking(() -> {
+            PrefServiceBridge prefs = PrefServiceBridge.getInstance();
+            Assert.assertFalse(prefs.isBlockThirdPartyCookiesEnabled());
+        });
+        // Of the three cookies, only one that's both SameSite=None and Secure
+        // is actually set. (And Secure is meant as the attribute, being over
+        // https isn't enough).
+        final Uri url = Uri.parse(
+                mServer.getURL("/set-cookie?a=1&b=2;SameSite=None&c=3;SameSite=None;Secure;"));
+        TestThreadUtils.runOnUiThreadBlocking(() -> {
+            Assert.assertEquals(CustomTabsConnection.ParallelRequestStatus.SUCCESS,
+                    mConnection.handleParallelRequest(session, prepareIntent(url, ORIGIN)));
+        });
+        String echoUrl = mServer.getURL("/echoheader?Cookie");
+        Intent intent = CustomTabsTestUtils.createMinimalCustomTabIntent(mContext, echoUrl);
+        mCustomTabActivityTestRule.startCustomTabActivityWithIntent(intent);
+        Tab tab = mCustomTabActivityTestRule.getActivity().getActivityTab();
+        String content = JavaScriptUtils.executeJavaScriptAndWaitForResult(
+                tab.getWebContents(), "document.body.textContent");
+        Assert.assertEquals("\"c=3\"", content);
+    }
    @Test
    @SmallTest
    public void testThirdPartyCookieBlockingAllowsFirstParty() throws Exception {
@@ -466,8 +505,8 @@ public class DetachedResourceRequestTest {
    }
    private void testCanSetCookie(boolean afterNative) throws Exception {
-        mServer = EmbeddedTestServer.createAndStartServer(mContext);
+        mServer = EmbeddedTestServer.createAndStartHTTPSServer(mContext, ServerCertificate.CERT_OK);
-        final Uri url = Uri.parse(mServer.getURL("/set-cookie?acookie"));
+        final Uri url = Uri.parse(mServer.getURL("/set-cookie?acookie;SameSite=none;Secure"));
        DetachedResourceRequestCheckCallback customTabsCallback =
                new DetachedResourceRequestCheckCallback(

--- a/chrome/browser/android/chrome_feature_list.cc
+++ b/chrome/browser/android/chrome_feature_list.cc
@@ -39,6 +39,7 @@
 #include "components/sync/driver/sync_driver_switches.h"
 #include "content/public/common/content_features.h"
 #include "media/base/media_switches.h"
+#include "net/base/features.h"
 #include "services/device/public/cpp/device_features.h"
 #include "ui/base/ui_base_features.h"
@@ -191,6 +192,8 @@ const base::Feature* kFeaturesExposedToJava[] = {
    &kVideoPersistence,
    &kVrBrowsingFeedback,
    &kWebApkAdaptiveIcon,
+    &net::features::kSameSiteByDefaultCookies,
+    &net::features::kCookiesWithoutSameSiteMustBeSecure,
    &payments::features::kAlwaysAllowJustInTimePaymentApp,
    &payments::features::kPaymentRequestSkipToGPay,
    &payments::features::kReturnGooglePayInBasicCard,

--- a/chrome/browser/android/customtabs/detached_resource_request_unittest.cc
+++ b/chrome/browser/android/customtabs/detached_resource_request_unittest.cc
@@ -128,7 +128,8 @@ std::unique_ptr<HttpResponse> SetCookieAndNoContent(
    return nullptr;
  auto response = std::make_unique<net::test_server::BasicHttpResponse>();
-  response->AddCustomHeader("Set-Cookie", kCookieFromNoContent);
+  response->AddCustomHeader("Set-Cookie", std::string(kCookieFromNoContent) +
+                                              ";SameSite=None;Secure");
  response->set_code(net::HTTP_NO_CONTENT);
  return response;
 }
@@ -199,18 +200,15 @@ class DetachedResourceRequestTest : public ::testing::Test {
  void SetUp() override {
    profile_ = std::make_unique<TestingProfile>();
    test_server_ = std::make_unique<net::EmbeddedTestServer>();
-    embedded_test_server()->RegisterRequestHandler(
+    https_server_ = std::make_unique<net::EmbeddedTestServer>(
-        base::BindRepeating(&SetCookieAndRedirect));
+        net::EmbeddedTestServer::TYPE_HTTPS);
-    embedded_test_server()->RegisterRequestHandler(
+    second_https_server_ = std::make_unique<net::EmbeddedTestServer>(
-        base::BindRepeating(&SetCookieAndNoContent));
+        net::EmbeddedTestServer::TYPE_HTTPS);
-    embedded_test_server()->RegisterRequestHandler(
+    second_https_server_->SetSSLConfig(
-        base::BindRepeating(&ManyRedirects));
+        net::EmbeddedTestServer::CERT_COMMON_NAME_IS_DOMAIN);
-    embedded_test_server()->RegisterRequestHandler(
+    RegisterHandlers(embedded_test_server());
-        base::BindRepeating(&LargeHeadersAndResponseSize));
+    RegisterHandlers(https_server());
-    embedded_test_server()->RegisterRequestHandler(
+    RegisterHandlers(second_https_server());
-        base::BindRepeating(&LargeResponseAndCookie));
-    embedded_test_server()->AddDefaultHandlers(
-        base::FilePath("chrome/test/data"));
    host_resolver_ = std::make_unique<content::TestHostResolver>();
    host_resolver_->host_resolver()->AddRule("*", "127.0.0.1");
  }
@@ -220,33 +218,54 @@ class DetachedResourceRequestTest : public ::testing::Test {
    base::RunLoop().RunUntilIdle();
  }
+  void RegisterHandlers(net::EmbeddedTestServer* server) {
+    server->RegisterRequestHandler(base::BindRepeating(&SetCookieAndRedirect));
+    server->RegisterRequestHandler(base::BindRepeating(&SetCookieAndNoContent));
+    server->RegisterRequestHandler(base::BindRepeating(&ManyRedirects));
+    server->RegisterRequestHandler(
+        base::BindRepeating(&LargeHeadersAndResponseSize));
+    server->RegisterRequestHandler(
+        base::BindRepeating(&LargeResponseAndCookie));
+    server->AddDefaultHandlers(base::FilePath("chrome/test/data"));
+  }
 protected:
+  // http://127.0.0.1:...
  net::EmbeddedTestServer* embedded_test_server() const {
    return test_server_.get();
  }
+  // https://127.0.0.1:...
+  net::EmbeddedTestServer* https_server() const { return https_server_.get(); }
+  // https://localhost:...
+  net::EmbeddedTestServer* second_https_server() const {
+    return second_https_server_.get();
+  }
  content::BrowserContext* browser_context() const { return profile_.get(); }
  void SetAndCheckCookieWithRedirect(bool third_party) {
    base::RunLoop first_request_waiter;
    base::RunLoop second_request_waiter;
-    embedded_test_server()->RegisterRequestMonitor(base::BindRepeating(
+    https_server()->RegisterRequestMonitor(base::BindRepeating(
        &WatchPathAndReportHeaders, kSetCookieAndRedirect, nullptr, nullptr,
        first_request_waiter.QuitClosure()));
-    embedded_test_server()->RegisterRequestMonitor(
+    https_server()->RegisterRequestMonitor(
        base::BindRepeating(&WatchPathAndReportHeaders, kHttpNoContent, nullptr,
                            nullptr, second_request_waiter.QuitClosure()));
-    ASSERT_TRUE(embedded_test_server()->Start());
+    ASSERT_TRUE(https_server()->Start());
-    GURL redirected_url(embedded_test_server()->GetURL(kHttpNoContent));
+    GURL redirected_url(https_server()->GetURL(kHttpNoContent));
    std::string relative_url =
        base::StringPrintf("%s?%s=%s&%s=%s", kSetCookieAndRedirect, kCookieKey,
-                           "acookie", kUrlKey, redirected_url.spec().c_str());
+                           "acookie; SameSite=None; Secure", kUrlKey,
+                           redirected_url.spec().c_str());
-    GURL url(embedded_test_server()->GetURL(relative_url));
+    GURL url(https_server()->GetURL(relative_url));
    GURL site_for_cookies = third_party ? GURL("http://cats.google.com")
-                                        : embedded_test_server()->base_url();
+                                        : https_server()->base_url();
    std::string cookie = content::GetCookies(browser_context(), url);
    ASSERT_EQ("", cookie);
@@ -291,6 +310,8 @@ class DetachedResourceRequestTest : public ::testing::Test {
  content::BrowserTaskEnvironment task_environment_;
  std::unique_ptr<content::TestHostResolver> host_resolver_;
  std::unique_ptr<net::EmbeddedTestServer> test_server_;
+  std::unique_ptr<net::EmbeddedTestServer> https_server_;
+  std::unique_ptr<net::EmbeddedTestServer> second_https_server_;
 };
 TEST_F(DetachedResourceRequestTest, Simple) {
@@ -512,9 +533,9 @@ TEST_F(DetachedResourceRequestTest, CanSetThirdPartyCookie) {
 TEST_F(DetachedResourceRequestTest, NoContentCanSetCookie) {
  base::RunLoop request_completion_waiter;
-  ASSERT_TRUE(embedded_test_server()->Start());
+  ASSERT_TRUE(https_server()->Start());
-  GURL url(embedded_test_server()->GetURL(kSetCookieAndNoContent));
+  GURL url(https_server()->GetURL(kSetCookieAndNoContent));
  GURL site_for_cookies("http://cats.google.com/");
  std::string cookie = content::GetCookies(browser_context(), url);
@@ -558,22 +579,22 @@ TEST_F(DetachedResourceRequestTest, MultipleOrigins) {
  base::RunLoop second_request_waiter;
  base::RunLoop detached_request_waiter;
-  embedded_test_server()->RegisterRequestMonitor(base::BindRepeating(
+  https_server()->RegisterRequestMonitor(base::BindRepeating(
      &WatchPathAndReportHeaders, kSetCookieAndRedirect, nullptr, nullptr,
      first_request_waiter.QuitClosure()));
-  embedded_test_server()->RegisterRequestMonitor(base::BindRepeating(
+  second_https_server()->RegisterRequestMonitor(base::BindRepeating(
      &WatchPathAndReportHeaders, kSetCookieAndNoContent, nullptr, nullptr,
      second_request_waiter.QuitClosure()));
-  ASSERT_TRUE(embedded_test_server()->Start());
+  ASSERT_TRUE(https_server()->Start());
+  ASSERT_TRUE(second_https_server()->Start());
-  GURL redirected_origin("http://notgoogle.com");
+  GURL redirected_origin = second_https_server()->base_url();
-  GURL redirected_url(embedded_test_server()->GetURL(redirected_origin.host(),
+  GURL redirected_url(second_https_server()->GetURL(kSetCookieAndNoContent));
-                                                     kSetCookieAndNoContent));
+  std::string relative_url = base::StringPrintf(
-  std::string relative_url =
+      "%s?%s=%s&%s=%s", kSetCookieAndRedirect, kCookieKey,
-      base::StringPrintf("%s?%s=%s&%s=%s", kSetCookieAndRedirect, kCookieKey,
+      "acookie;SameSite=None;Secure", kUrlKey, redirected_url.spec().c_str());
-                         "acookie", kUrlKey, redirected_url.spec().c_str());
-  GURL url(embedded_test_server()->GetURL(relative_url));
+  GURL url(https_server()->GetURL(relative_url));
  GURL site_for_cookies = GURL("http://cats.google.com");
  std::string cookie = content::GetCookies(browser_context(), url);