Add legacy cookie access settings to CookieManager's CookieSettings

Bug: 978172
Change-Id: Id8594533c1135e71dc15a3195007129f3bcc99e3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1718359Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Balazs Engedy <engedy@chromium.org>
Reviewed-by: Maks Orlovich <morlovich@chromium.org>
Commit-Queue: Lily Chen <chlily@chromium.org>
Cr-Commit-Position: refs/heads/master@{#688112}

chrome/browser/net/profile_network_context_service.cc

@@ -390,9 +390,18 @@ ProfileNetworkContextService::CreateCookieManagerParams(
 #endif
 
   ContentSettingsForOneType settings;
-  HostContentSettingsMapFactory::GetForProfile(profile)->GetSettingsForOneType(
+  HostContentSettingsMap* host_content_settings_map =
+      HostContentSettingsMapFactory::GetForProfile(profile);
+  host_content_settings_map->GetSettingsForOneType(
       CONTENT_SETTINGS_TYPE_COOKIES, std::string(), &settings);
   out->settings = std::move(settings);
+
+  ContentSettingsForOneType settings_for_legacy_cookie_access;
+  host_content_settings_map->GetSettingsForOneType(
+      CONTENT_SETTINGS_TYPE_LEGACY_COOKIE_ACCESS, std::string(),
+      &settings_for_legacy_cookie_access);
+  out->settings_for_legacy_cookie_access =
+      std::move(settings_for_legacy_cookie_access);
   return out;
 }
 
@@ -607,19 +616,40 @@ void ProfileNetworkContextService::OnContentSettingChanged(
     ContentSettingsType content_type,
     const std::string& resource_identifier) {
   if (content_type != CONTENT_SETTINGS_TYPE_COOKIES &&
+      content_type != CONTENT_SETTINGS_TYPE_LEGACY_COOKIE_ACCESS &&
       content_type != CONTENT_SETTINGS_TYPE_DEFAULT) {
     return;
   }
 
-  ContentSettingsForOneType settings;
-  HostContentSettingsMapFactory::GetForProfile(profile_)->GetSettingsForOneType(
-      CONTENT_SETTINGS_TYPE_COOKIES, std::string(), &settings);
-  content::BrowserContext::ForEachStoragePartition(
-      profile_, base::BindRepeating(
-                    [](ContentSettingsForOneType settings,
-                       content::StoragePartition* storage_partition) {
-                      storage_partition->GetCookieManagerForBrowserProcess()
-                          ->SetContentSettings(settings);
-                    },
-                    settings));
+  if (content_type == CONTENT_SETTINGS_TYPE_COOKIES ||
+      content_type == CONTENT_SETTINGS_TYPE_DEFAULT) {
+    ContentSettingsForOneType cookies_settings;
+    HostContentSettingsMapFactory::GetForProfile(profile_)
+        ->GetSettingsForOneType(CONTENT_SETTINGS_TYPE_COOKIES, std::string(),
+                                &cookies_settings);
+    content::BrowserContext::ForEachStoragePartition(
+        profile_, base::BindRepeating(
+                      [](ContentSettingsForOneType settings,
+                         content::StoragePartition* storage_partition) {
+                        storage_partition->GetCookieManagerForBrowserProcess()
+                            ->SetContentSettings(settings);
+                      },
+                      cookies_settings));
+  }
+
+  if (content_type == CONTENT_SETTINGS_TYPE_LEGACY_COOKIE_ACCESS ||
+      content_type == CONTENT_SETTINGS_TYPE_DEFAULT) {
+    ContentSettingsForOneType legacy_cookie_access_settings;
+    HostContentSettingsMapFactory::GetForProfile(profile_)
+        ->GetSettingsForOneType(CONTENT_SETTINGS_TYPE_LEGACY_COOKIE_ACCESS,
+                                std::string(), &legacy_cookie_access_settings);
+    content::BrowserContext::ForEachStoragePartition(
+        profile_, base::BindRepeating(
+                      [](ContentSettingsForOneType settings,
+                         content::StoragePartition* storage_partition) {
+                        storage_partition->GetCookieManagerForBrowserProcess()
+                            ->SetContentSettingsForLegacyCookieAccess(settings);
+                      },
+                      legacy_cookie_access_settings));
+  }
 }

components/content_settings/core/browser/BUILD.gn

@@ -110,6 +110,7 @@ jumbo_source_set("unit_tests") {
     "//components/prefs:test_support",
     "//components/sync_preferences:test_support",
     "//extensions/buildflags",
+    "//net",
     "//ppapi/buildflags:buildflags",
     "//testing/gmock",
     "//testing/gtest",

components/content_settings/core/browser/content_settings_registry.cc

@@ -14,6 +14,7 @@
 #include "components/content_settings/core/browser/content_settings_utils.h"
 #include "components/content_settings/core/browser/website_settings_registry.h"
 #include "components/content_settings/core/common/content_settings.h"
+#include "net/cookies/cookie_util.h"
 
 #if defined(OS_ANDROID)
 #include "media/base/android/media_drm_bridge.h"
@@ -349,13 +350,16 @@ void ContentSettingsRegistry::Init() {
            ContentSettingsInfo::PERSISTENT,
            ContentSettingsInfo::EXCEPTIONS_ON_SECURE_AND_INSECURE_ORIGINS);
 
+  ContentSetting legacy_cookie_access_initial_default =
+      net::cookie_util::IsSameSiteByDefaultCookiesEnabled()
+          ? CONTENT_SETTING_BLOCK
+          : CONTENT_SETTING_ALLOW;
   Register(CONTENT_SETTINGS_TYPE_LEGACY_COOKIE_ACCESS, "legacy-cookie-access",
-           CONTENT_SETTING_BLOCK, WebsiteSettingsInfo::UNSYNCABLE,
-           WhitelistedSchemes(),
+           legacy_cookie_access_initial_default,
+           WebsiteSettingsInfo::UNSYNCABLE, WhitelistedSchemes(),
            ValidSettings(CONTENT_SETTING_ALLOW, CONTENT_SETTING_BLOCK),
            WebsiteSettingsInfo::SINGLE_ORIGIN_ONLY_SCOPE,
-           WebsiteSettingsRegistry::DESKTOP |
-               WebsiteSettingsRegistry::PLATFORM_ANDROID,
+           WebsiteSettingsRegistry::ALL_PLATFORMS,
            ContentSettingsInfo::INHERIT_IN_INCOGNITO,
            ContentSettingsInfo::PERSISTENT,
            ContentSettingsInfo::EXCEPTIONS_ON_SECURE_AND_INSECURE_ORIGINS);

components/content_settings/core/browser/cookie_settings.cc

@@ -116,6 +116,16 @@ bool CookieSettings::IsStorageDurable(const GURL& origin) const {
   return setting == CONTENT_SETTING_ALLOW;
 }
 
+void CookieSettings::GetSettingForLegacyCookieAccess(
+    const GURL& cookie_domain,
+    ContentSetting* setting) const {
+  DCHECK(setting);
+
+  *setting = host_content_settings_map_->GetContentSetting(
+      cookie_domain, GURL(), CONTENT_SETTINGS_TYPE_LEGACY_COOKIE_ACCESS,
+      std::string() /* resource_identifier */);
+}
+
 void CookieSettings::ShutdownOnUIThread() {
   DCHECK(thread_checker_.CalledOnValidThread());
   pref_change_registrar_.RemoveAll();
@@ -179,6 +189,9 @@ void CookieSettings::OnCookiePreferencesChanged() {
        pref_change_registrar_.prefs()->GetBoolean(
            prefs::kCookieControlsEnabled));
 
+  // Safe to read |block_third_party_cookies_| without locking here because the
+  // only place that writes to it is this method and it will always be run on
+  // the same thread.
   if (block_third_party_cookies_ != new_block_third_party_cookies) {
     {
       base::AutoLock auto_lock(lock_);

components/content_settings/core/browser/cookie_settings.h

@@ -102,6 +102,10 @@ class CookieSettings : public CookieSettingsBase,
   // This method may be called on any thread.
   bool ShouldBlockThirdPartyCookies() const;
 
+  // content_settings::CookieSettingsBase:
+  void GetSettingForLegacyCookieAccess(const GURL& cookie_domain,
+                                       ContentSetting* setting) const override;
+
   // Detaches the |CookieSettings| from |PrefService|. This methods needs to be
   // called before destroying the service. Afterwards, only const methods can be
   // called.

components/content_settings/core/common/DEPS

@@ -3,6 +3,7 @@ include_rules = [
   "+mojo/public/cpp/bindings",
   "+net/base",
   "+net/cookies/cookie_util.h",
+  "+net/cookies/cookie_constants.h",
   "+testing",
   "+url",
 ]

components/content_settings/core/common/cookie_settings_base.cc

@@ -3,9 +3,11 @@
 // found in the LICENSE file.
 
 #include "components/content_settings/core/common/cookie_settings_base.h"
+
 #include "base/debug/stack_trace.h"
 #include "base/debug/task_trace.h"
 #include "base/feature_list.h"
+#include "base/logging.h"
 #include "components/content_settings/core/common/features.h"
 #include "net/base/net_errors.h"
 #include "net/base/static_cookie_policy.h"
@@ -96,6 +98,23 @@ bool CookieSettingsBase::IsCookieSessionOnly(const GURL& origin) const {
   return setting == CONTENT_SETTING_SESSION_ONLY;
 }
 
+net::CookieAccessSemantics
+CookieSettingsBase::GetCookieAccessSemanticsForDomain(
+    const GURL& cookie_domain) const {
+  ContentSetting setting;
+  GetSettingForLegacyCookieAccess(cookie_domain, &setting);
+  DCHECK(IsValidSettingForLegacyAccess(setting));
+  switch (setting) {
+    case CONTENT_SETTING_ALLOW:
+      return net::CookieAccessSemantics::LEGACY;
+    case CONTENT_SETTING_BLOCK:
+      return net::CookieAccessSemantics::NONLEGACY;
+    default:
+      NOTREACHED();
+  }
+  return net::CookieAccessSemantics::UNKNOWN;
+}
+
 // static
 bool CookieSettingsBase::IsValidSetting(ContentSetting setting) {
   return (setting == CONTENT_SETTING_ALLOW ||
@@ -110,4 +129,9 @@ bool CookieSettingsBase::IsAllowed(ContentSetting setting) {
           setting == CONTENT_SETTING_SESSION_ONLY);
 }
 
+// static
+bool CookieSettingsBase::IsValidSettingForLegacyAccess(ContentSetting setting) {
+  return (setting == CONTENT_SETTING_ALLOW || setting == CONTENT_SETTING_BLOCK);
+}
+
 }  // namespace content_settings

components/content_settings/core/common/cookie_settings_base.h

@@ -9,6 +9,7 @@
 
 #include "base/optional.h"
 #include "components/content_settings/core/common/content_settings.h"
+#include "net/cookies/cookie_constants.h"
 
 namespace url {
 class Origin;
@@ -106,11 +107,28 @@ class CookieSettingsBase {
                         content_settings::SettingSource* source,
                         ContentSetting* cookie_setting) const;
 
+  // Returns the cookie access semantics (legacy or nonlegacy) to be applied for
+  // cookies on the given domain.
+  //
+  // This may be called on any thread.
+  net::CookieAccessSemantics GetCookieAccessSemanticsForDomain(
+      const GURL& cookie_domain) const;
+
+  // Gets the setting that controls whether legacy access is allowed for a given
+  // cookie domain (provided as a URL).
+  virtual void GetSettingForLegacyCookieAccess(
+      const GURL& cookie_domain,
+      ContentSetting* setting) const = 0;
+
   // Determines whether |setting| is a valid content setting for cookies.
   static bool IsValidSetting(ContentSetting setting);
   // Determines whether |setting| means the cookie should be allowed.
   static bool IsAllowed(ContentSetting setting);
 
+  // Determines whether |setting| is a valid content setting for legacy cookie
+  // access.
+  static bool IsValidSettingForLegacyAccess(ContentSetting setting);
+
  private:
   virtual void GetCookieSettingInternal(
       const GURL& url,

components/content_settings/core/common/cookie_settings_base_unittest.cc

@@ -36,6 +36,10 @@ class CallbackCookieSettings : public CookieSettingsBase {
                                 ContentSetting* cookie_setting) const override {
     *cookie_setting = callback_.Run(url);
   }
+  void GetSettingForLegacyCookieAccess(const GURL& cookie_domain,
+                                       ContentSetting* setting) const override {
+    *setting = callback_.Run(cookie_domain);
+  }
 
  private:
   GetSettingCallback callback_;
@@ -118,6 +122,17 @@ TEST(CookieSettingsBaseTest, CookieAccessAllowedWithSessionOnlySetting) {
   EXPECT_TRUE(settings.IsCookieAccessAllowed(GURL(kDomain), GURL(kDomain)));
 }
 
+TEST(CookieSettingsBaseTest, LegacyCookieAccessSemantics) {
+  CallbackCookieSettings settings1(
+      base::BindRepeating([](const GURL&) { return CONTENT_SETTING_ALLOW; }));
+  EXPECT_EQ(net::CookieAccessSemantics::LEGACY,
+            settings1.GetCookieAccessSemanticsForDomain(GURL()));
+  CallbackCookieSettings settings2(
+      base::BindRepeating([](const GURL&) { return CONTENT_SETTING_BLOCK; }));
+  EXPECT_EQ(net::CookieAccessSemantics::NONLEGACY,
+            settings2.GetCookieAccessSemanticsForDomain(GURL()));
+}
+
 TEST(CookieSettingsBaseTest, IsCookieSessionOnlyWithAllowSetting) {
   CallbackCookieSettings settings(
       base::BindRepeating([](const GURL&) { return CONTENT_SETTING_ALLOW; }));
@@ -150,5 +165,18 @@ TEST(CookieSettingsBaseTest, IsAllowed) {
   EXPECT_TRUE(CookieSettingsBase::IsAllowed(CONTENT_SETTING_SESSION_ONLY));
 }
 
+TEST(CookieSettingsBaseTest, IsValidLegacyAccessSetting) {
+  EXPECT_FALSE(CookieSettingsBase::IsValidSettingForLegacyAccess(
+      CONTENT_SETTING_DEFAULT));
+  EXPECT_FALSE(
+      CookieSettingsBase::IsValidSettingForLegacyAccess(CONTENT_SETTING_ASK));
+  EXPECT_TRUE(
+      CookieSettingsBase::IsValidSettingForLegacyAccess(CONTENT_SETTING_ALLOW));
+  EXPECT_TRUE(
+      CookieSettingsBase::IsValidSettingForLegacyAccess(CONTENT_SETTING_BLOCK));
+  EXPECT_FALSE(CookieSettingsBase::IsValidSettingForLegacyAccess(
+      CONTENT_SETTING_SESSION_ONLY));
+}
+
 }  // namespace
 }  // namespace content_settings

net/cookies/cookie_constants.h

@@ -41,6 +41,21 @@ enum class CookieSameSite {
   LAX_MODE_ALLOW_UNSAFE = 4,  // Allowed for effective SameSite only.
 };
 
+// What rules to apply when determining when whether access to a particular
+// cookie is allowed.
+// TODO(crbug.com/978172): Machinery to read the content setting and set the
+// appropriate CookieAccessSemantics on the cookie (will be added as a new
+// metadata field of CanonicalCookie).
+enum class CookieAccessSemantics {
+  // Has not been checked yet.
+  UNKNOWN = -1,
+  // Has been checked and the cookie should *not* be subject to legacy access
+  // rules.
+  NONLEGACY = 0,
+  // Has been checked and the cookie should be subject to legacy access rules.
+  LEGACY,
+};
+
 // Returns the Set-Cookie header priority token corresponding to |priority|.
 //
 // TODO(mkwst): Remove this once its callsites are refactored.

services/network/cookie_manager.cc

@@ -231,6 +231,11 @@ void CookieManager::BlockThirdPartyCookies(bool block) {
   cookie_settings_.set_block_third_party_cookies(block);
 }
 
+void CookieManager::SetContentSettingsForLegacyCookieAccess(
+    const ContentSettingsForOneType& settings) {
+  cookie_settings_.set_content_settings_for_legacy_cookie_access(settings);
+}
+
 // static
 void CookieManager::ConfigureCookieSettings(
     const network::mojom::CookieManagerParams& params,
@@ -243,6 +248,8 @@ void CookieManager::ConfigureCookieSettings(
       params.matching_scheme_cookies_allowed_schemes);
   out->set_third_party_cookies_allowed_schemes(
       params.third_party_cookies_allowed_schemes);
+  out->set_content_settings_for_legacy_cookie_access(
+      params.settings_for_legacy_cookie_access);
 }
 
 void CookieManager::CrashOnGetCookieList() {

services/network/cookie_manager.h

@@ -85,6 +85,8 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) CookieManager
                               AllowFileSchemeCookiesCallback callback) override;
   void SetForceKeepSessionState() override;
   void BlockThirdPartyCookies(bool block) override;
+  void SetContentSettingsForLegacyCookieAccess(
+      const ContentSettingsForOneType& settings) override;
 
   // Configures |out| based on |params|. (This doesn't honor
   // allow_file_scheme_cookies, which affects the cookie store rather than the

services/network/cookie_settings.cc

@@ -7,6 +7,9 @@
 #include <functional>
 
 #include "base/bind.h"
+#include "net/base/net_errors.h"
+#include "net/base/static_cookie_policy.h"
+#include "net/cookies/cookie_util.h"
 
 namespace network {
 namespace {
@@ -28,12 +31,32 @@ CookieSettings::CreateDeleteCookieOnExitPredicate() const {
                              std::cref(content_settings_));
 }
 
+void CookieSettings::GetSettingForLegacyCookieAccess(
+    const GURL& cookie_domain,
+    ContentSetting* setting) const {
+  DCHECK(setting);
+
+  // Default to match what was registered in the ContentSettingsRegistry.
+  *setting = net::cookie_util::IsSameSiteByDefaultCookiesEnabled()
+                 ? CONTENT_SETTING_BLOCK
+                 : CONTENT_SETTING_ALLOW;
+
+  for (const auto& entry : settings_for_legacy_cookie_access_) {
+    if (entry.primary_pattern.Matches(cookie_domain)) {
+      *setting = entry.GetContentSetting();
+      DCHECK(IsValidSettingForLegacyAccess(*setting));
+      return;
+    }
+  }
+}
+
 void CookieSettings::GetCookieSettingInternal(
     const GURL& url,
     const GURL& first_party_url,
     bool is_third_party_request,
     content_settings::SettingSource* source,
     ContentSetting* cookie_setting) const {
+  DCHECK(cookie_setting);
   if (base::Contains(secure_origin_cookies_allowed_schemes_,
                      first_party_url.scheme()) &&
       url.SchemeIsCryptographic()) {

services/network/cookie_settings.h

@@ -53,12 +53,21 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) CookieSettings
         third_party_cookies_allowed_schemes.end());
   }
 
+  void set_content_settings_for_legacy_cookie_access(
+      const ContentSettingsForOneType& settings) {
+    settings_for_legacy_cookie_access_ = settings;
+  }
+
   // Returns a predicate that takes the domain of a cookie and a bool whether
   // the cookie is secure and returns true if the cookie should be deleted on
   // exit.
   SessionCleanupCookieStore::DeleteCookiePredicate
   CreateDeleteCookieOnExitPredicate() const;
 
+  // content_settings::CookieSettingsBase:
+  void GetSettingForLegacyCookieAccess(const GURL& cookie_domain,
+                                       ContentSetting* setting) const override;
+
  private:
   // content_settings::CookieSettingsBase:
   void GetCookieSettingInternal(const GURL& url,
@@ -75,6 +84,7 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) CookieSettings
   std::set<std::string> secure_origin_cookies_allowed_schemes_;
   std::set<std::string> matching_scheme_cookies_allowed_schemes_;
   std::set<std::string> third_party_cookies_allowed_schemes_;
+  ContentSettingsForOneType settings_for_legacy_cookie_access_;
 
   DISALLOW_COPY_AND_ASSIGN(CookieSettings);
 };

services/network/cookie_settings_unittest.cc

@@ -4,6 +4,10 @@
 
 #include "services/network/cookie_settings.h"
 
+#include "base/test/scoped_feature_list.h"
+#include "net/base/features.h"
+#include "net/cookies/cookie_constants.h"
+#include "net/cookies/cookie_util.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace network {
@@ -11,14 +15,19 @@ namespace {
 
 constexpr char kURL[] = "http://foo.com";
 constexpr char kOtherURL[] = "http://other.com";
+constexpr char kDomain[] = "example.com";
+constexpr char kDotDomain[] = ".example.com";
+constexpr char kSubDomain[] = "www.corp.example.com";
+constexpr char kOtherDomain[] = "not-example.com";
+constexpr char kDomainWildcardPattern[] = "[*.]example.com";
 
-ContentSettingPatternSource CreateSetting(const std::string& url,
-                                          const std::string& secondary_url,
+ContentSettingPatternSource CreateSetting(const std::string& primary_pattern,
+                                          const std::string& secondary_pattern,
                                           ContentSetting setting) {
   return ContentSettingPatternSource(
-      ContentSettingsPattern::FromString(url),
-      ContentSettingsPattern::FromString(secondary_url), base::Value(setting),
-      std::string(), false);
+      ContentSettingsPattern::FromString(primary_pattern),
+      ContentSettingsPattern::FromString(secondary_pattern),
+      base::Value(setting), std::string(), false /* incognito */);
 }
 
 TEST(CookieSettingsTest, GetCookieSettingDefault) {
@@ -186,5 +195,152 @@ TEST(CookieSettingsTest, GetCookieSettingMatchingSchemeCookiesAllowed) {
   EXPECT_EQ(setting, CONTENT_SETTING_BLOCK);
 }
 
+TEST(CookieSettingsTest, LegacyCookieAccessDefault) {
+  CookieSettings settings;
+  ContentSetting setting;
+  GURL cookie_domain =
+      net::cookie_util::CookieOriginToURL(kDomain, true /* is_https */);
+
+  // Test SameSite-by-default enabled (default semantics is NONLEGACY)
+  {
+    base::test::ScopedFeatureList feature_list;
+    feature_list.InitAndEnableFeature(net::features::kSameSiteByDefaultCookies);
+    settings.GetSettingForLegacyCookieAccess(cookie_domain, &setting);
+    EXPECT_EQ(setting, CONTENT_SETTING_BLOCK);
+    EXPECT_EQ(net::CookieAccessSemantics::NONLEGACY,
+              settings.GetCookieAccessSemanticsForDomain(cookie_domain));
+  }
+
+  // Test SameSite-by-default disabled (default semantics is LEGACY)
+  // TODO(crbug.com/953306): Remove this when legacy code path is removed.
+  {
+    base::test::ScopedFeatureList feature_list;
+    feature_list.InitAndDisableFeature(
+        net::features::kSameSiteByDefaultCookies);
+    settings.GetSettingForLegacyCookieAccess(cookie_domain, &setting);
+    EXPECT_EQ(setting, CONTENT_SETTING_ALLOW);
+    EXPECT_EQ(net::CookieAccessSemantics::LEGACY,
+              settings.GetCookieAccessSemanticsForDomain(cookie_domain));
+  }
+}
+
+// Test SameSite-by-default disabled (default semantics is LEGACY)
+// TODO(crbug.com/953306): Remove this when legacy code path is removed.
+TEST(CookieSettingsTest,
+     CookieAccessSemanticsForDomain_SameSiteByDefaultDisabled) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndDisableFeature(net::features::kSameSiteByDefaultCookies);
+  CookieSettings settings;
+  settings.set_content_settings_for_legacy_cookie_access(
+      {CreateSetting(kDomain, "*", CONTENT_SETTING_BLOCK)});
+  const struct {
+    net::CookieAccessSemantics status;
+    std::string cookie_domain;
+  } kTestCases[] = {
+      // These two test cases are NONLEGACY because they match the setting.
+      {net::CookieAccessSemantics::NONLEGACY, kDomain},
+      {net::CookieAccessSemantics::NONLEGACY, kDotDomain},
+      // These two test cases default into LEGACY.
+      // Subdomain does not match pattern.
+      {net::CookieAccessSemantics::LEGACY, kSubDomain},
+      {net::CookieAccessSemantics::LEGACY, kOtherDomain}};
+  for (const auto& test : kTestCases) {
+    EXPECT_EQ(test.status, settings.GetCookieAccessSemanticsForDomain(
+                               net::cookie_util::CookieOriginToURL(
+                                   test.cookie_domain, true /* is_https */)));
+    EXPECT_EQ(test.status, settings.GetCookieAccessSemanticsForDomain(
+                               net::cookie_util::CookieOriginToURL(
+                                   test.cookie_domain, false /* is_https */)));
+  }
+}
+
+// Test SameSite-by-default enabled (default semantics is NONLEGACY)
+TEST(CookieSettingsTest,
+     CookieAccessSemanticsForDomain_SameSiteByDefaultEnabled) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(net::features::kSameSiteByDefaultCookies);
+  CookieSettings settings;
+  settings.set_content_settings_for_legacy_cookie_access(
+      {CreateSetting(kDomain, "*", CONTENT_SETTING_ALLOW)});
+  const struct {
+    net::CookieAccessSemantics status;
+    std::string cookie_domain;
+  } kTestCases[] = {
+      // These two test cases are LEGACY because they match the setting.
+      {net::CookieAccessSemantics::LEGACY, kDomain},
+      {net::CookieAccessSemantics::LEGACY, kDotDomain},
+      // These two test cases default into NONLEGACY.
+      // Subdomain does not match pattern.
+      {net::CookieAccessSemantics::NONLEGACY, kSubDomain},
+      {net::CookieAccessSemantics::NONLEGACY, kOtherDomain}};
+  for (const auto& test : kTestCases) {
+    EXPECT_EQ(test.status, settings.GetCookieAccessSemanticsForDomain(
+                               net::cookie_util::CookieOriginToURL(
+                                   test.cookie_domain, true /* is_https */)));
+    EXPECT_EQ(test.status, settings.GetCookieAccessSemanticsForDomain(
+                               net::cookie_util::CookieOriginToURL(
+                                   test.cookie_domain, false /* is_https */)));
+  }
+}
+
+// Test SameSite-by-default disabled (default semantics is LEGACY)
+// TODO(crbug.com/953306): Remove this when legacy code path is removed.
+TEST(CookieSettingsTest,
+     CookieAccessSemanticsForDomainWithWildcard_SameSiteByDefaultDisabled) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndDisableFeature(net::features::kSameSiteByDefaultCookies);
+  CookieSettings settings;
+  settings.set_content_settings_for_legacy_cookie_access(
+      {CreateSetting(kDomainWildcardPattern, "*", CONTENT_SETTING_BLOCK)});
+  const struct {
+    net::CookieAccessSemantics status;
+    std::string cookie_domain;
+  } kTestCases[] = {
+      // These three test cases are NONLEGACY because they match the setting.
+      {net::CookieAccessSemantics::NONLEGACY, kDomain},
+      {net::CookieAccessSemantics::NONLEGACY, kDotDomain},
+      // Subdomain also matches pattern.
+      {net::CookieAccessSemantics::NONLEGACY, kSubDomain},
+      // This test case defaults into LEGACY.
+      {net::CookieAccessSemantics::LEGACY, kOtherDomain}};
+  for (const auto& test : kTestCases) {
+    EXPECT_EQ(test.status, settings.GetCookieAccessSemanticsForDomain(
+                               net::cookie_util::CookieOriginToURL(
+                                   test.cookie_domain, true /* is_https */)));
+    EXPECT_EQ(test.status, settings.GetCookieAccessSemanticsForDomain(
+                               net::cookie_util::CookieOriginToURL(
+                                   test.cookie_domain, false /* is_https */)));
+  }
+}
+
+// Test SameSite-by-default enabled (default semantics is NONLEGACY)
+TEST(CookieSettingsTest,
+     CookieAccessSemanticsForDomainWithWildcard_SameSiteByDefaultEnabled) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(net::features::kSameSiteByDefaultCookies);
+  CookieSettings settings;
+  settings.set_content_settings_for_legacy_cookie_access(
+      {CreateSetting(kDomainWildcardPattern, "*", CONTENT_SETTING_ALLOW)});
+  const struct {
+    net::CookieAccessSemantics status;
+    std::string cookie_domain;
+  } kTestCases[] = {
+      // These three test cases are LEGACY because they match the setting.
+      {net::CookieAccessSemantics::LEGACY, kDomain},
+      {net::CookieAccessSemantics::LEGACY, kDotDomain},
+      // Subdomain also matches pattern.
+      {net::CookieAccessSemantics::LEGACY, kSubDomain},
+      // This test case defaults into NONLEGACY.
+      {net::CookieAccessSemantics::NONLEGACY, kOtherDomain}};
+  for (const auto& test : kTestCases) {
+    EXPECT_EQ(test.status, settings.GetCookieAccessSemanticsForDomain(
+                               net::cookie_util::CookieOriginToURL(
+                                   test.cookie_domain, true /* is_https */)));
+    EXPECT_EQ(test.status, settings.GetCookieAccessSemanticsForDomain(
+                               net::cookie_util::CookieOriginToURL(
+                                   test.cookie_domain, false /* is_https */)));
+  }
+}
+
 }  // namespace
 }  // namespace network

services/network/public/mojom/cookie_manager.mojom

@@ -28,6 +28,11 @@ struct CookieManagerParams {
   // Whether or not to allow cookies for file:// URLs. Can be overridden by
   // CookieManager.AllowFileSchemeCookies().
   bool allow_file_scheme_cookies = false;
+
+  // Content settings for which domains are allowed to use legacy cookie
+  // access rules.
+  array<content_settings.mojom.ContentSettingPatternSource>
+      settings_for_legacy_cookie_access;
 };
 
 enum CookiePriority {
@@ -301,4 +306,9 @@ interface CookieManager {
 
   // Enables/Disables blocking of third-party cookies.
   BlockThirdPartyCookies(bool block);
+
+  // Sets content settings for which domains are allowed to use legacy cookie
+  // access rules.
+  SetContentSettingsForLegacyCookieAccess(
+      array<content_settings.mojom.ContentSettingPatternSource> settings);
 };

services/network/test/test_cookie_manager.h

@@ -49,6 +49,8 @@ class TestCookieManager : public network::mojom::CookieManager {
       const std::vector<::ContentSettingPatternSource>& settings) override {}
   void SetForceKeepSessionState() override {}
   void BlockThirdPartyCookies(bool block) override {}
+  void SetContentSettingsForLegacyCookieAccess(
+      const std::vector<::ContentSettingPatternSource>& settings) override {}
 
   void DispatchCookieChange(const net::CanonicalCookie& cookie,
                             network::mojom::CookieChangeCause cause);