Commit 6c7144e4 authored by Lily Chen's avatar Lily Chen Committed by Commit Bot

Accept SameSite cookies on responses for extensions

This change allows responses to extension-initiated requests to always
accept SameSite cookies. This is accomplished by looking at
the request's |accept_same_site_cookies| parameter, and if it is true,
accept any SameSite cookies from the response.

Bug: 1017300
Change-Id: I8709ac01272898bdfb92c9b5b5d7189918b91ebd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1878627Reviewed-by: default avatarAndrey Kosyakov <caseq@chromium.org>
Reviewed-by: default avatarMaksim Orlovich <morlovich@chromium.org>
Commit-Queue: Lily Chen <chlily@chromium.org>
Cr-Commit-Position: refs/heads/master@{#709533}
parent 15da591e
......@@ -1036,7 +1036,8 @@ void InterceptionJob::ProcessSetCookies(const net::HttpResponseHeaders& headers,
net::cookie_util::ComputeSameSiteContextForResponse(
create_loader_params_->request.url,
create_loader_params_->request.site_for_cookies,
create_loader_params_->request.request_initiator));
create_loader_params_->request.request_initiator,
create_loader_params_->request.attach_same_site_cookies));
// |this| might be deleted here if |cookies| is empty!
auto on_cookie_set = base::BindRepeating(
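Review bot: The new argument is read straight from `create_loader_params_->request.attach_same_site_cookies`, and nothing visible in this hunk shows where that field is validated before it reaches the cookie code. A true value makes ComputeSameSiteContextForResponse skip the site match, so the call site should say why the field can be trusted, for example `// |attach_same_site_cookies| is trusted here; expected to be set only for extension-initiated requests (validated in <location>).` The same applies to the `request_->attach_same_site_cookies()` call in the URLRequestHttpJob::SaveCookiesAndNotifyHeadersComplete hunk. ProcessSetCookies starts and ends outside the hunk, so a check may exist elsewhere.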
......
......@@ -493,10 +493,12 @@ ComputeSameSiteContextForScriptGet(
CookieOptions::SameSiteCookieContext ComputeSameSiteContextForResponse(
const GURL& url,
const GURL& site_for_cookies,
const base::Optional<url::Origin>& initiator) {
const base::Optional<url::Origin>& initiator,
bool attach_same_site_cookies) {
// |initiator| is here in case it'll be decided to ignore |site_for_cookies|
// for entirely browser-side requests (see https://crbug.com/958335).
if (MatchesSiteForCookies(url, site_for_cookies)) {
if (attach_same_site_cookies ||
MatchesSiteForCookies(url, site_for_cookies)) {
return ComputeSchemeChange(
CookieOptions::SameSiteCookieContext::SAME_SITE_LAX, url,
site_for_cookies);
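Review bot: With `attach_same_site_cookies` true the site match is skipped, yet `ComputeSchemeChange` is still called with `url` and a `site_for_cookies` that may be an unrelated site or empty. The tests in this commit expect the CROSS_SCHEME variants for same-site pairs with the flag set, so the scheme comparison appears intended, but what it means for a cross-site pair is not stated. A comment above the condition would settle it: `// |attach_same_site_cookies| bypasses only the site match; the scheme comparison in ComputeSchemeChange() still applies.` The function body continues outside the hunk.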
......
......@@ -127,10 +127,12 @@ ComputeSameSiteContextForScriptGet(
// with respect to the SameSite attribute. This will only return CROSS_SITE or
// SAME_SITE_LAX (cookie sets of SameSite=strict cookies are permitted in same
// contexts that sets of SameSite=lax cookies are).
// If |attach_same_site_cookies| is true, this returns SAME_SITE_LAX.
NET_EXPORT CookieOptions::SameSiteCookieContext
ComputeSameSiteContextForResponse(const GURL& url,
const GURL& site_for_cookies,
const base::Optional<url::Origin>& initiator);
const base::Optional<url::Origin>& initiator,
bool attach_same_site_cookies);
// Determines which of the cookies for |url| can be set from a script context,
// with respect to the SameSite attribute. This will only return CROSS_SITE or
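Review bot: The added sentence "If |attach_same_site_cookies| is true, this returns SAME_SITE_LAX" does not match the tests in this commit, which expect SAME_SITE_LAX_CROSS_SCHEME_INSECURE_URL and SAME_SITE_LAX_CROSS_SCHEME_SECURE_URL with the flag set. Suggested wording: `// If |attach_same_site_cookies| is true, the site match against |site_for_cookies| is skipped; the cross-scheme variants of SAME_SITE_LAX can still be returned.` The comment should also name who is expected to set the flag, because a true value turns off the SameSite check for that response's cookies.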
......
......@@ -455,7 +455,13 @@ TEST(CookieUtilTest, ComputeSameSiteContextForSet) {
EXPECT_EQ(CookieOptions::SameSiteCookieContext::CROSS_SITE,
cookie_util::ComputeSameSiteContextForResponse(
GURL("http://example.com"), GURL("http://notexample.com"),
base::nullopt));
base::nullopt, false /* attach_same_site_cookies */));
// Same as above except |attach_same_site_cookies| makes it return LAX.
EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
cookie_util::ComputeSameSiteContextForResponse(
GURL("http://example.com"), GURL("http://notexample.com"),
base::nullopt, true /* attach_same_site_cookies */));
EXPECT_EQ(CookieOptions::SameSiteCookieContext::CROSS_SITE,
cookie_util::ComputeSameSiteContextForScriptSet(
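Review bot: The only flag-set case for a cross-site pair uses matching schemes (`http://example.com` against `http://notexample.com`). The visible hunks have no expectation for a cross-site pair with differing schemes, or for an empty `site_for_cookies`, with the flag true; those are the inputs where skipping the site match changes the result most. Adding a case such as `GURL("http://example.com"), GURL("https://notexample.com"), base::nullopt, true /* attach_same_site_cookies */` with its intended context would pin that behaviour. The test body continues outside the hunk.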
......@@ -464,17 +470,31 @@ TEST(CookieUtilTest, ComputeSameSiteContextForSet) {
EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
cookie_util::ComputeSameSiteContextForResponse(
GURL("http://example.com/dir"), GURL("http://sub.example.com"),
base::nullopt));
base::nullopt, false /* attach_same_site_cookies */));
EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
cookie_util::ComputeSameSiteContextForResponse(
GURL("http://example.com/dir"), GURL("http://sub.example.com"),
base::nullopt, true /* attach_same_site_cookies */));
EXPECT_EQ(CookieOptions::SameSiteCookieContext::
SAME_SITE_LAX_CROSS_SCHEME_INSECURE_URL,
cookie_util::ComputeSameSiteContextForResponse(
GURL("http://example.com/dir"), GURL("https://sub.example.com"),
base::nullopt));
base::nullopt, false /* attach_same_site_cookies */));
EXPECT_EQ(CookieOptions::SameSiteCookieContext::
SAME_SITE_LAX_CROSS_SCHEME_INSECURE_URL,
cookie_util::ComputeSameSiteContextForResponse(
GURL("http://example.com/dir"), GURL("https://sub.example.com"),
base::nullopt, true /* attach_same_site_cookies */));
EXPECT_EQ(CookieOptions::SameSiteCookieContext::
SAME_SITE_LAX_CROSS_SCHEME_SECURE_URL,
cookie_util::ComputeSameSiteContextForResponse(
GURL("https://example.com/dir"), GURL("http://sub.example.com"),
base::nullopt, false /* attach_same_site_cookies */));
EXPECT_EQ(CookieOptions::SameSiteCookieContext::
SAME_SITE_LAX_CROSS_SCHEME_SECURE_URL,
cookie_util::ComputeSameSiteContextForResponse(
GURL("https://example.com/dir"), GURL("http://sub.example.com"),
base::nullopt));
base::nullopt, true /* attach_same_site_cookies */));
EXPECT_EQ(
CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
......
......@@ -740,8 +740,8 @@ void URLRequestHttpJob::SaveCookiesAndNotifyHeadersComplete(int result) {
options.set_include_httponly();
options.set_same_site_cookie_context(
net::cookie_util::ComputeSameSiteContextForResponse(
request_->url(), request_->site_for_cookies(),
request_->initiator()));
request_->url(), request_->site_for_cookies(), request_->initiator(),
request_->attach_same_site_cookies()));
options.set_return_excluded_cookies();
......