Deprecate `<meta http-equiv="set-cookie" ...>`

Intent to Deprecate: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/0sJ8GUJO0Dw/iMmcXLIGBAAJ Bug: 767813 Change-Id: I29868952df3e9c8d5cef85fa39c43a85d850b9e9 Reviewed-on: https://chromium-review.googlesource.com/678723 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Eric Lawrence <elawrence@chromium.org> Cr-Commit-Position: refs/heads/master@{#504322}

Deprecate `<meta http-equiv="set-cookie" ...>`
Intent to Deprecate: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/0sJ8GUJO0Dw/iMmcXLIGBAAJ Bug: 767813 Change-Id: I29868952df3e9c8d5cef85fa39c43a85d850b9e9 Reviewed-on: https://chromium-review.googlesource.com/678723 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Eric Lawrence <elawrence@chromium.org> Cr-Commit-Position: refs/heads/master@{#504322}
d3c852d2 · Mike West · Commit Bot · 2fe91802 · d3c852d2 · d3c852d2
Commit d3c852d2 authored Sep 26, 2017 by Mike West Committed by Commit Bot Sep 26, 2017
5 changed files
--- a/third_party/WebKit/LayoutTests/http/tests/cookies/meta-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/cookies/meta-expected.txt
+CONSOLE WARNING: Setting cookies via `<meta http-equiv='Set-Cookie' ...>` is deprecated, and will stop working in M65, around March 2018. Consider switching to `document.cookie = ...`, or to `Set-Cookie` HTTP headers instead. See https://www.chromestatus.com/feature/6170540112871424 for more details.
+CONSOLE ERROR: line 3: Blocked setting the `meta-set-cookie=1` cookie from a `<meta>` tag.
+This is a testharness.js-based test.
+PASS Cookie is not set from `<meta>`.
+Harness: the test ran to completion.
+
--- a/third_party/WebKit/LayoutTests/http/tests/cookies/meta.html
+++ b/third_party/WebKit/LayoutTests/http/tests/cookies/meta.html
+<!DOCTYPE html>
+<head>
+  <meta http-equiv="set-cookie" content="meta-set-cookie=1">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+  <script>
+    test(t => {
+      assert_equals(document.cookie.indexOf('meta-set-cookie'), -1);
+    }, "Cookie is not set from `<meta>`.");
+  </script>
+</body>
--- a/third_party/WebKit/Source/core/frame/Deprecation.cpp
+++ b/third_party/WebKit/Source/core/frame/Deprecation.cpp
@@ -363,6 +363,16 @@ String Deprecation::DeprecationMessage(WebFeature feature) {
             "https://www.chromestatus.com/feature/5669008342777856 for more "
             "details.";

+    // Blocked `<meta http-equiv="set-cookie" ...>`
+    case WebFeature::kMetaSetCookie:
+      return String::Format(
+          "Setting cookies via `<meta http-equiv='Set-Cookie' ...>` is "
+          "deprecated, and will stop working in %s. Consider switching "
+          "to `document.cookie = ...`, or to `Set-Cookie` HTTP headers "
+          "instead. See %s for more details.",
+          milestoneString(M65),
+          "https://www.chromestatus.com/feature/6170540112871424");
+
    // Powerful features on insecure origins (https://goo.gl/rStTGz)
    case WebFeature::kDeviceMotionInsecureOrigin:
      return "The devicemotion event is deprecated on insecure origins, and "

--- a/third_party/WebKit/Source/core/loader/HttpEquiv.cpp
+++ b/third_party/WebKit/Source/core/loader/HttpEquiv.cpp
@@ -7,6 +7,7 @@
 #include "core/css/StyleEngine.h"
 #include "core/dom/Document.h"
 #include "core/dom/ScriptableDocumentParser.h"
+#include "core/frame/Deprecation.h"
 #include "core/frame/LocalFrame.h"
 #include "core/frame/UseCounter.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
@@ -120,12 +121,8 @@ void HttpEquiv::ProcessHttpEquivRefresh(Document& document,
 void HttpEquiv::ProcessHttpEquivSetCookie(Document& document,
                                          const AtomicString& content,
                                          Element* element) {
-  // FIXME: make setCookie work on XML documents too; e.g. in case of
-  // <html:meta.....>
-  if (!document.IsHTMLDocument())
-    return;
+  Deprecation::CountDeprecation(document, WebFeature::kMetaSetCookie);

-  UseCounter::Count(document, WebFeature::kMetaSetCookie);
  if (!document.GetContentSecurityPolicy()->AllowInlineScript(
          element, NullURL(), "", OrdinalNumber(), "",
          ContentSecurityPolicy::InlineType::kBlock,
@@ -134,8 +131,16 @@ void HttpEquiv::ProcessHttpEquivSetCookie(Document& document,
                      WebFeature::kMetaSetCookieWhenCSPBlocksInlineScript);
  }

-  // Exception (for sandboxed documents) ignored.
-  document.setCookie(content, IGNORE_EXCEPTION_FOR_TESTING);
+  if (!RuntimeEnabledFeatures::BlockMetaSetCookieEnabled()) {
+    // Exception (for sandboxed documents) ignored.
+    document.setCookie(content, IGNORE_EXCEPTION_FOR_TESTING);
+    return;
+  }
+
+  document.AddConsoleMessage(ConsoleMessage::Create(
+      kSecurityMessageSource, kErrorMessageLevel,
+      String::Format("Blocked setting the `%s` cookie from a `<meta>` tag.",
+                     content.Utf8().data())));
 }

 }  // namespace blink
--- a/third_party/WebKit/Source/platform/runtime_enabled_features.json5
+++ b/third_party/WebKit/Source/platform/runtime_enabled_features.json5
@@ -117,6 +117,10 @@
      name: "BlockCredentialedSubresources",
      status: "stable",
    },
+    {
+      name: "BlockMetaSetCookie",
+      status: "experimental"
+    },
    {
      name: "Budget",
      status: "stable",