Accept SameSite cookies on responses for extensions

This change allows responses to extension-initiated requests to always accept SameSite cookies. This is accomplished by looking at the request's |accept_same_site_cookies| parameter, and if it is true, accept any SameSite cookies from the response. Bug: 1017300 Change-Id: I8709ac01272898bdfb92c9b5b5d7189918b91ebd Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1878627Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#709533}

Accept SameSite cookies on responses for extensions
This change allows responses to extension-initiated requests to always accept SameSite cookies. This is accomplished by looking at the request's |accept_same_site_cookies| parameter, and if it is true, accept any SameSite cookies from the response. Bug: 1017300 Change-Id: I8709ac01272898bdfb92c9b5b5d7189918b91ebd Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1878627Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#709533}
6c7144e4 · Lily Chen · Commit Bot · 15da591e · 6c7144e4 · 6c7144e4
Commit 6c7144e4 authored Oct 25, 2019 by Lily Chen Committed by Commit Bot Oct 25, 2019
5 changed files
--- a/content/browser/devtools/devtools_url_loader_interceptor.cc
+++ b/content/browser/devtools/devtools_url_loader_interceptor.cc
@@ -1036,7 +1036,8 @@ void InterceptionJob::ProcessSetCookies(const net::HttpResponseHeaders& headers,
      net::cookie_util::ComputeSameSiteContextForResponse(
          create_loader_params_->request.url,
          create_loader_params_->request.site_for_cookies,
-          create_loader_params_->request.request_initiator));
+          create_loader_params_->request.request_initiator,
+          create_loader_params_->request.attach_same_site_cookies));
  // |this| might be deleted here if |cookies| is empty!
  auto on_cookie_set = base::BindRepeating(

--- a/net/cookies/cookie_util.cc
+++ b/net/cookies/cookie_util.cc
@@ -493,10 +493,12 @@ ComputeSameSiteContextForScriptGet(
 CookieOptions::SameSiteCookieContext ComputeSameSiteContextForResponse(
    const GURL& url,
    const GURL& site_for_cookies,
-    const base::Optional<url::Origin>& initiator) {
+    const base::Optional<url::Origin>& initiator,
+    bool attach_same_site_cookies) {
  // |initiator| is here in case it'll be decided to ignore |site_for_cookies|
  // for entirely browser-side requests (see https://crbug.com/958335).
-  if (MatchesSiteForCookies(url, site_for_cookies)) {
+  if (attach_same_site_cookies ||
+      MatchesSiteForCookies(url, site_for_cookies)) {
    return ComputeSchemeChange(
        CookieOptions::SameSiteCookieContext::SAME_SITE_LAX, url,
        site_for_cookies);

--- a/net/cookies/cookie_util.h
+++ b/net/cookies/cookie_util.h
@@ -127,10 +127,12 @@ ComputeSameSiteContextForScriptGet(
 // with respect to the SameSite attribute. This will only return CROSS_SITE or
 // SAME_SITE_LAX (cookie sets of SameSite=strict cookies are permitted in same
 // contexts that sets of SameSite=lax cookies are).
+// If |attach_same_site_cookies| is true, this returns SAME_SITE_LAX.
 NET_EXPORT CookieOptions::SameSiteCookieContext
 ComputeSameSiteContextForResponse(const GURL& url,
                                  const GURL& site_for_cookies,
-                                  const base::Optional<url::Origin>& initiator);
+                                  const base::Optional<url::Origin>& initiator,
+                                  bool attach_same_site_cookies);
 // Determines which of the cookies for |url| can be set from a script context,
 // with respect to the SameSite attribute. This will only return CROSS_SITE or

--- a/net/cookies/cookie_util_unittest.cc
+++ b/net/cookies/cookie_util_unittest.cc
@@ -455,7 +455,13 @@ TEST(CookieUtilTest, ComputeSameSiteContextForSet) {
  EXPECT_EQ(CookieOptions::SameSiteCookieContext::CROSS_SITE,
            cookie_util::ComputeSameSiteContextForResponse(
                GURL("http://example.com"), GURL("http://notexample.com"),
-                base::nullopt));
+                base::nullopt, false /* attach_same_site_cookies */));
+  // Same as above except |attach_same_site_cookies| makes it return LAX.
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
+            cookie_util::ComputeSameSiteContextForResponse(
+                GURL("http://example.com"), GURL("http://notexample.com"),
+                base::nullopt, true /* attach_same_site_cookies */));
  EXPECT_EQ(CookieOptions::SameSiteCookieContext::CROSS_SITE,
            cookie_util::ComputeSameSiteContextForScriptSet(
@@ -464,17 +470,31 @@ TEST(CookieUtilTest, ComputeSameSiteContextForSet) {
  EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
            cookie_util::ComputeSameSiteContextForResponse(
                GURL("http://example.com/dir"), GURL("http://sub.example.com"),
-                base::nullopt));
+                base::nullopt, false /* attach_same_site_cookies */));
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
+            cookie_util::ComputeSameSiteContextForResponse(
+                GURL("http://example.com/dir"), GURL("http://sub.example.com"),
+                base::nullopt, true /* attach_same_site_cookies */));
  EXPECT_EQ(CookieOptions::SameSiteCookieContext::
                SAME_SITE_LAX_CROSS_SCHEME_INSECURE_URL,
            cookie_util::ComputeSameSiteContextForResponse(
                GURL("http://example.com/dir"), GURL("https://sub.example.com"),
-                base::nullopt));
+                base::nullopt, false /* attach_same_site_cookies */));
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::
+                SAME_SITE_LAX_CROSS_SCHEME_INSECURE_URL,
+            cookie_util::ComputeSameSiteContextForResponse(
+                GURL("http://example.com/dir"), GURL("https://sub.example.com"),
+                base::nullopt, true /* attach_same_site_cookies */));
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::
+                SAME_SITE_LAX_CROSS_SCHEME_SECURE_URL,
+            cookie_util::ComputeSameSiteContextForResponse(
+                GURL("https://example.com/dir"), GURL("http://sub.example.com"),
+                base::nullopt, false /* attach_same_site_cookies */));
  EXPECT_EQ(CookieOptions::SameSiteCookieContext::
                SAME_SITE_LAX_CROSS_SCHEME_SECURE_URL,
            cookie_util::ComputeSameSiteContextForResponse(
                GURL("https://example.com/dir"), GURL("http://sub.example.com"),
-                base::nullopt));
+                base::nullopt, true /* attach_same_site_cookies */));
  EXPECT_EQ(
      CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,

--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -740,8 +740,8 @@ void URLRequestHttpJob::SaveCookiesAndNotifyHeadersComplete(int result) {
  options.set_include_httponly();
  options.set_same_site_cookie_context(
      net::cookie_util::ComputeSameSiteContextForResponse(
-          request_->url(), request_->site_for_cookies(),
+          request_->url(), request_->site_for_cookies(), request_->initiator(),
-          request_->initiator()));
+          request_->attach_same_site_cookies()));
  options.set_return_excluded_cookies();