Make cross-origin prefetches not send SameSite cookies.

We should probably not have these requests follow cross-origin redirects anyways, but in the off case they do redirect to the original site, they should not be sending SameSite cookies to it. Fixed: 1070232 Bug: 1060631 Change-Id: Id1e5b700c779f7b20aeba9bd372178aeb83c755f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2147924 Commit-Queue: Matt Menke <mmenke@chromium.org> Reviewed-by: Dominic Farolino <dom@chromium.org> Cr-Commit-Position: refs/heads/master@{#758967}

Make cross-origin prefetches not send SameSite cookies.
We should probably not have these requests follow cross-origin redirects anyways, but in the off case they do redirect to the original site, they should not be sending SameSite cookies to it. Fixed: 1070232 Bug: 1060631 Change-Id: Id1e5b700c779f7b20aeba9bd372178aeb83c755f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2147924 Commit-Queue: Matt Menke <mmenke@chromium.org> Reviewed-by: Dominic Farolino <dom@chromium.org> Cr-Commit-Position: refs/heads/master@{#758967}
76af5ab9 · Matt Menke · Commit Bot · ec71e96c · 76af5ab9 · 76af5ab9
Commit 76af5ab9 authored Apr 14, 2020 by Matt Menke Committed by Commit Bot Apr 14, 2020
Showing with 119 additions and 0 deletions

content/browser/loader/prefetch_browsertest.cc content/browser/loader/prefetch_browsertest.cc +113 -0

content/browser/loader/prefetch_url_loader_service.cc content/browser/loader/prefetch_url_loader_service.cc +6 -0

No files found.
--- a/content/browser/loader/prefetch_browsertest.cc
+++ b/content/browser/loader/prefetch_browsertest.cc
@@ -16,10 +16,13 @@
 #include "content/public/test/browser_test_utils.h"
 #include "content/public/test/content_browser_test.h"
 #include "content/public/test/content_browser_test_utils.h"
+#include "content/public/test/url_loader_monitor.h"
 #include "content/shell/browser/shell.h"
 #include "net/base/features.h"
+#include "net/base/network_isolation_key.h"
 #include "net/dns/mock_host_resolver.h"
 #include "services/network/public/cpp/features.h"
+#include "services/network/public/cpp/resource_request.h"
 #include "third_party/blink/public/common/features.h"

 namespace content {
@@ -152,6 +155,53 @@ IN_PROC_BROWSER_TEST_P(PrefetchBrowserTestPrivacyChanges, RedirectNotFollowed) {
  EXPECT_TRUE(embedded_test_server()->ShutdownAndWaitUntilComplete());
 }

+IN_PROC_BROWSER_TEST_P(PrefetchBrowserTest,
+                       CrossOriginDocumentHasNoSameSiteCookies) {
+  const char* prefetch_path = "/prefetch.html";
+  const char* target_path = "/target.html";
+  RegisterResponse(
+      target_path,
+      ResponseEntry("<head><title>Prefetch Target</title></head>"));
+
+  base::RunLoop prefetch_waiter;
+  auto request_counter = RequestCounter::CreateAndMonitor(
+      cross_origin_server_.get(), target_path, &prefetch_waiter);
+  RegisterRequestHandler(cross_origin_server_.get());
+  ASSERT_TRUE(cross_origin_server_->Start());
+
+  const GURL cross_origin_target_url =
+      cross_origin_server_->GetURL("3p.example", target_path);
+  RegisterResponse(
+      prefetch_path,
+      ResponseEntry(base::StringPrintf(
+          "<body><link rel='prefetch' as='document' href='%s'></body>",
+          cross_origin_target_url.spec().c_str())));
+  RegisterRequestHandler(embedded_test_server());
+  ASSERT_TRUE(embedded_test_server()->Start());
+  EXPECT_EQ(0, request_counter->GetRequestCount());
+  EXPECT_EQ(0, GetPrefetchURLLoaderCallCount());
+
+  URLLoaderMonitor monitor({cross_origin_target_url});
+
+  // Loading a page that prefetches the target URL would increment the
+  // |request_counter|.
+  EXPECT_TRUE(
+      NavigateToURL(shell(), embedded_test_server()->GetURL(prefetch_path)));
+  prefetch_waiter.Run();
+  EXPECT_EQ(1, request_counter->GetRequestCount());
+  EXPECT_EQ(1, GetPrefetchURLLoaderCallCount());
+
+  monitor.WaitForUrls();
+  base::Optional<network::ResourceRequest> request =
+      monitor.GetRequestInfo(cross_origin_target_url);
+  ASSERT_TRUE(request);
+  ASSERT_TRUE(request->site_for_cookies.IsNull());
+  ASSERT_TRUE(request->trusted_params);
+  url::Origin cross_origin = url::Origin::Create(cross_origin_target_url);
+  EXPECT_EQ(net::NetworkIsolationKey(cross_origin, cross_origin),
+            request->trusted_params->network_isolation_key);
+}
+
 IN_PROC_BROWSER_TEST_P(PrefetchBrowserTest,
                       CrossOriginDocumentReusedAsNavigation) {
  const char* prefetch_path = "/prefetch.html";
@@ -588,6 +638,69 @@ IN_PROC_BROWSER_TEST_P(PrefetchBrowserTest, WithPreload) {
  NavigateToURLAndWaitTitle(target_url, "done");
 }

+IN_PROC_BROWSER_TEST_P(PrefetchBrowserTest,
+                       CrossOriginWithPreloadHasNoSameSiteCookies) {
+  const char* target_path = "/target.html";
+  const char* preload_path = "/preload.js";
+  RegisterResponse(
+      target_path,
+      ResponseEntry("<head><title>Prefetch Target</title><script "
+                    "src=\"./preload.js\"></script></head>",
+                    "text/html",
+                    {{"link", "</preload.js>;rel=\"preload\";as=\"script\""},
+                     {"access-control-allow-origin", "*"}}));
+  RegisterResponse(preload_path,
+                   ResponseEntry("document.title=\"done\";", "text/javascript",
+                                 {{"cache-control", "public, max-age=600"}}));
+
+  base::RunLoop preload_waiter;
+  auto target_request_counter =
+      RequestCounter::CreateAndMonitor(cross_origin_server_.get(), target_path);
+  auto preload_request_counter = RequestCounter::CreateAndMonitor(
+      cross_origin_server_.get(), preload_path, &preload_waiter);
+  RegisterRequestHandler(cross_origin_server_.get());
+
+  ASSERT_TRUE(cross_origin_server_->Start());
+
+  const GURL cross_origin_target_url =
+      cross_origin_server_->GetURL("3p.example", target_path);
+
+  const char* prefetch_path = "/prefetch.html";
+  RegisterResponse(prefetch_path,
+                   ResponseEntry(base::StringPrintf(
+                       "<body><link rel='prefetch' href='%s' as='document' "
+                       "crossorigin='anonymous'></body>",
+                       cross_origin_target_url.spec().c_str())));
+  RegisterRequestHandler(embedded_test_server());
+  ASSERT_TRUE(embedded_test_server()->Start());
+  EXPECT_EQ(0, GetPrefetchURLLoaderCallCount());
+
+  URLLoaderMonitor monitor({cross_origin_target_url});
+
+  // Loading a page that prefetches the target URL would increment both
+  // |target_request_counter| and |preload_request_counter|.
+  EXPECT_TRUE(
+      NavigateToURL(shell(), embedded_test_server()->GetURL(prefetch_path)));
+  preload_waiter.Run();
+  EXPECT_EQ(1, target_request_counter->GetRequestCount());
+  EXPECT_EQ(1, preload_request_counter->GetRequestCount());
+  EXPECT_EQ(2, GetPrefetchURLLoaderCallCount());
+
+  GURL cross_origin_preload_url =
+      cross_origin_server_->GetURL("3p.example", preload_path);
+  WaitUntilLoaded(cross_origin_preload_url);
+
+  monitor.WaitForUrls();
+  base::Optional<network::ResourceRequest> request =
+      monitor.GetRequestInfo(cross_origin_target_url);
+  ASSERT_TRUE(request);
+  ASSERT_TRUE(request->site_for_cookies.IsNull());
+  ASSERT_TRUE(request->trusted_params);
+  url::Origin cross_origin = url::Origin::Create(cross_origin_target_url);
+  EXPECT_EQ(net::NetworkIsolationKey(cross_origin, cross_origin),
+            request->trusted_params->network_isolation_key);
+}
+
 IN_PROC_BROWSER_TEST_P(PrefetchBrowserTest, CrossOriginWithPreload) {
  const char* target_path = "/target.html";
  const char* preload_path = "/preload.js";

--- a/content/browser/loader/prefetch_url_loader_service.cc
+++ b/content/browser/loader/prefetch_url_loader_service.cc
@@ -151,6 +151,9 @@ void PrefetchURLLoaderService::CreateLoaderAndStart(
      return;
    }

+    // Cross-site prefetches shouldn't include SameSite cookies.
+    resource_request.site_for_cookies = net::SiteForCookies();
+
    // Use the trusted cross-origin prefetch loader factory, and set the
    // request's NetworkIsolationKey suitable for the cross-origin prefetch.
    network_loader_factory_to_use = current_context.cross_origin_factory;
@@ -181,6 +184,9 @@ void PrefetchURLLoaderService::CreateLoaderAndStart(
      return;
    }

+    // Cross-site prefetches shouldn't include SameSite cookies.
+    resource_request.site_for_cookies = net::SiteForCookies();
+
    resource_request.trusted_params = network::ResourceRequest::TrustedParams();
    resource_request.trusted_params->network_isolation_key =
        nik_iterator->second;