CookieStore: Add browser-side opaque origin validation

This change adds browser side check for opaque origins. Related to CL: https://crrev.com/c/2137926/2 Change-Id: Idc1be35b44012b46f9df706392bb0d10aef38b0a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2142773Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Reviewed-by: Victor Costan <pwnall@chromium.org> Commit-Queue: Ayu Ishii <ayui@chromium.org> Cr-Commit-Position: refs/heads/master@{#759748}

CookieStore: Add browser-side opaque origin validation
This change adds browser side check for opaque origins. Related to CL: https://crrev.com/c/2137926/2 Change-Id: Idc1be35b44012b46f9df706392bb0d10aef38b0a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2142773Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Reviewed-by: Victor Costan <pwnall@chromium.org> Commit-Queue: Ayu Ishii <ayui@chromium.org> Cr-Commit-Position: refs/heads/master@{#759748}
ea2a3f8b · Ayu Ishii · Commit Bot · d2d62dd7 · ea2a3f8b · ea2a3f8b
Commit ea2a3f8b authored Apr 16, 2020 by Ayu Ishii Committed by Commit Bot Apr 16, 2020
Showing with 60 additions and 1 deletion

services/network/restricted_cookie_manager.cc services/network/restricted_cookie_manager.cc +5 -1

services/network/restricted_cookie_manager_unittest.cc services/network/restricted_cookie_manager_unittest.cc +55 -0

No files found.
--- a/services/network/restricted_cookie_manager.cc
+++ b/services/network/restricted_cookie_manager.cc
@@ -510,8 +510,12 @@ bool RestrictedCookieManager::ValidateAccessToCookiesAt(
    const GURL& url,
    const net::SiteForCookies& site_for_cookies,
    const url::Origin& top_frame_origin) {
-  bool site_for_cookies_ok = site_for_cookies_.IsEquivalent(site_for_cookies);
+  if (origin_.opaque()) {
+    mojo::ReportBadMessage("Access is denied in this context");
+    return false;
+  }

+  bool site_for_cookies_ok = site_for_cookies_.IsEquivalent(site_for_cookies);
  DCHECK(site_for_cookies_ok)
      << "site_for_cookies from renderer='" << site_for_cookies.ToDebugString()
      << "' from browser='" << site_for_cookies_.ToDebugString() << "';";

--- a/services/network/restricted_cookie_manager_unittest.cc
+++ b/services/network/restricted_cookie_manager_unittest.cc
@@ -423,6 +423,25 @@ TEST_P(RestrictedCookieManagerTest, GetAllForUrlFromWrongOrigin) {
  ASSERT_THAT(cookies, testing::SizeIs(0));
 }

+TEST_P(RestrictedCookieManagerTest, GetAllForUrlFromOpaqueOrigin) {
+  SetSessionCookie("cookie-name", "cookie-value", "example.com", "/");
+
+  url::Origin opaque_origin;
+  ASSERT_TRUE(opaque_origin.opaque());
+  service_->OverrideOriginForTesting(opaque_origin);
+
+  auto options = mojom::CookieManagerGetOptions::New();
+  options->name = "";
+  options->match_type = mojom::CookieMatchType::STARTS_WITH;
+  ExpectBadMessage();
+  std::vector<net::CanonicalCookie> cookies = sync_service_->GetAllForUrl(
+      GURL("https://example.com/test/"), GURL("https://example.com"),
+      url::Origin::Create(GURL("https://example.com")), std::move(options));
+  EXPECT_TRUE(received_bad_message());
+
+  ASSERT_THAT(cookies, testing::SizeIs(0));
+}
+
 TEST_P(RestrictedCookieManagerTest, GetCookieStringFromWrongOrigin) {
  SetSessionCookie("cookie-name", "cookie-value", "example.com", "/");
  SetSessionCookie("cookie-name-2", "cookie-value-2", "example.com", "/");
@@ -644,6 +663,23 @@ TEST_P(RestrictedCookieManagerTest, SetCanonicalCookieFromWrongOrigin) {
  ASSERT_TRUE(received_bad_message());
 }

+TEST_P(RestrictedCookieManagerTest, SetCanonicalCookieFromOpaqueOrigin) {
+  url::Origin opaque_origin;
+  ASSERT_TRUE(opaque_origin.opaque());
+  service_->OverrideOriginForTesting(opaque_origin);
+
+  ExpectBadMessage();
+  EXPECT_FALSE(sync_service_->SetCanonicalCookie(
+      net::CanonicalCookie(
+          "new-name", "new-value", "not-example.com", "/", base::Time(),
+          base::Time(), base::Time(), /* secure = */ true,
+          /* httponly = */ false, net::CookieSameSite::NO_RESTRICTION,
+          net::COOKIE_PRIORITY_DEFAULT),
+      GURL("https://example.com/test/"), GURL("https://example.com"),
+      url::Origin::Create(GURL("https://example.com"))));
+  ASSERT_TRUE(received_bad_message());
+}
+
 TEST_P(RestrictedCookieManagerTest, SetCookieFromStringWrongOrigin) {
  ExpectBadMessage();
  EXPECT_TRUE(backend()->SetCookieFromString(
@@ -967,6 +1003,25 @@ TEST_P(RestrictedCookieManagerTest, AddChangeListenerFromWrongOrigin) {
  EXPECT_EQ("cookie-value", good_listener.observed_changes()[0].cookie.Value());
 }

+TEST_P(RestrictedCookieManagerTest, AddChangeListenerFromOpaqueOrigin) {
+  url::Origin opaque_origin;
+  ASSERT_TRUE(opaque_origin.opaque());
+  service_->OverrideOriginForTesting(opaque_origin);
+
+  mojo::PendingRemote<network::mojom::CookieChangeListener> bad_listener_remote;
+  mojo::PendingReceiver<network::mojom::CookieChangeListener> bad_receiver =
+      bad_listener_remote.InitWithNewPipeAndPassReceiver();
+  ExpectBadMessage();
+  sync_service_->AddChangeListener(
+      GURL("https://example.com/test/"), GURL("https://example.com"),
+      url::Origin::Create(GURL("https://example.com")),
+      std::move(bad_listener_remote));
+  EXPECT_TRUE(received_bad_message());
+
+  TestCookieChangeListener bad_listener(std::move(bad_receiver));
+  ASSERT_THAT(bad_listener.observed_changes(), testing::SizeIs(0));
+}
+
 // Test that the Change listener receives the access semantics, and that they
 // are taken into account when deciding when to dispatch the change.
 TEST_P(RestrictedCookieManagerTest, ChangeNotificationIncludesAccessSemantics) {