Implement and test CanonicalCookie::IsCanonical()

Implement and test CanonicalCookie::IsCanonical()

This is done for data validation including but not limited to the
cookies servicification effort.

BUG=721395, 723734
R=mmenke@chromium.org

Review-Url: https://codereview.chromium.org/2898953008
Cr-Commit-Position: refs/heads/master@{#480238}
Committed: https://chromium.googlesource.com/chromium/src/+/1e64af8eed07578f01b933d654180659c0fe962c

[Randy Smith (Not in Mondays), 2017-05-25 19:36:08]

The CQ bit was checked by rdsmith@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-05-25 19:36:46]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Randy Smith (Not in Mondays), 2017-05-25 19:38:10]

Matt: When I engaged with the question of how to slice
https://codereview.chromium.org/2882063002, I realized that it most reasonably
sliced into four different CLs: Adding CanonicalCookie::IsCanonical() (this
one), the secure/http_only refactor you mentioned, fixes to sqlite, and adding
the CM method.  I decided that the effort to actually slice that thin given that
I was going to be breaking it apart wasn't particular worse for four than two,
so I went for four.  Hopefully all of these will be easier to review.

[mmenke, 2017-05-25 19:40:11]

On 2017/05/25 19:38:10, Randy Smith (Not in Mondays) wrote:
> Matt: When I engaged with the question of how to slice
> https://codereview.chromium.org/2882063002, I realized that it most reasonably
> sliced into four different CLs: Adding CanonicalCookie::IsCanonical() (this
> one), the secure/http_only refactor you mentioned, fixes to sqlite, and adding
> the CM method.  I decided that the effort to actually slice that thin given
that
> I was going to be breaking it apart wasn't particular worse for four than two,
> so I went for four.  Hopefully all of these will be easier to review.

Awesome!  Thanks so much.

[mmenke, 2017-05-25 19:49:56]

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
net/cookies/canonical_cookie.cc:404: bool CanonicalCookie::IsCanonical() const {
Is there a single method I should be comparing this logic to?

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
net/cookies/canonical_cookie.cc:405: if (name_.empty())
Don't we support "Set-Cookie: =foo" and "Set-Cookie: foo", which both do the
same thing?

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
net/cookies/canonical_cookie.cc:417: CanonicalizeHost(domain_,
&ignored).empty()) {
What if CanonicalizeHost(domain_) != domain_?

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
net/cookies/canonical_cookie.cc:422: return false;
Do we always set path to be non-empty, even when none is provided?

Regardless, this should at least be (path_.empty() || path_[0] != '/')

[mmenke, 2017-05-25 21:25:21]

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
net/cookies/canonical_cookie.cc:405: if (name_.empty())
On 2017/05/25 19:49:56, mmenke wrote:
> Don't we support "Set-Cookie: =foo" and "Set-Cookie: foo", which both do the
> same thing?

Fun table that indicates we support both of these: 
http://inikulin.github.io/cookie-compat/

[commit-bot: I haz the power, 2017-05-25 22:07:49]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-05-25 22:07:50]

Dry run: This issue passed the CQ dry run.

[mmenke, 2017-05-26 17:02:17]

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cookie.h
File net/cookies/canonical_cookie.h (right):

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
net/cookies/canonical_cookie.h:149: bool IsCanonical() const;
We should DCHECK on this at the end of CanonicalCookie::Create (Since it should
only be returning canonical cookies).  That should hopefully help us catch most
false negatives, though doesn't help much with potential false positives... 
Maybe we could create a fuzzer for that?  Call CanonicalCookie::Create, and if
it fails, manually construct a CanonicalCookie with the unsafe constructor that
looks much like what Create would have returned on success, and make sure it's
not canonical?

[Randy Smith (Not in Mondays), 2017-06-07 23:31:28]

The CQ bit was checked by rdsmith@chromium.org to run a CQ dry run

[Randy Smith (Not in Mondays), 2017-06-07 23:31:41]

Incorporated comments; PTAL.

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
net/cookies/canonical_cookie.cc:404: bool CanonicalCookie::IsCanonical() const {
On 2017/05/25 19:49:56, mmenke wrote:
> Is there a single method I should be comparing this logic to?

I modeled it after SetCookieWithDetails minus the checks against URL.

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
net/cookies/canonical_cookie.cc:405: if (name_.empty())
On 2017/05/25 21:25:21, mmenke wrote:
> On 2017/05/25 19:49:56, mmenke wrote:
> > Don't we support "Set-Cookie: =foo" and "Set-Cookie: foo", which both do the
> > same thing?
> 
> Fun table that indicates we support both of these: 
> http://inikulin.github.io/cookie-compat/

Nice catch; my bad.  This snuck in a couple of CLs ago (see DCHECKs added in
CanonicalCookie::Create in https://codereview.chromium.org/2861063003) and
caused http://crbug.com/723734.  I've removed the check  above and add some
tests to make sure this remains true, at least until we explicitly try to change
the behavior.

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
net/cookies/canonical_cookie.cc:417: CanonicalizeHost(domain_,
&ignored).empty()) {
On 2017/05/25 19:49:56, mmenke wrote:
> What if CanonicalizeHost(domain_) != domain_?

Oh, tricky.  So as noted above I'm copying this logic from SetCookieWithDetails
and subtracting out the verification against the URL.  SetCookieWithDetails (in
GetCookieDomainWithSring()) has the above check, and then just adopts the domain
returned by CanonicalizeHost() (prefixed with a "." if is isn't already there
:-} :-J).  I think modifying the incoming domain is incompatible with the sense
of the CC constructor API.  So I think I agree with you that
CanonicalizeHost(domain_) != domain_ should be a failure from this function.  
But that's depending on a property of CanonicalizeHost() we haven't really
depended on before (loosely its idempotence).  I think I'll put that in, and
presume that if there's a problem it'll show up in testing, but if you think of
any gotchas in this space, please raise a flag.

Done.

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
net/cookies/canonical_cookie.cc:417: CanonicalizeHost(domain_,
&ignored).empty()) {
Also note that the DCHECK(IsCanonical()) you suggested for CC::Create turned up
the fact that we were (in the case of strange schemes, specifically "foo:" in
the tests) creating cookies with empty domains.  I went back and read
SetCookieWithDetails() more carefully and realized that it actually *allowed*
empty domains despite the line "if (domain.empty()) return false;" part way
through :-J.  I've filed http://crbug.com/730633 to track the WTF aspects of
this, and modified the logic above to allow empty domains.

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
net/cookies/canonical_cookie.cc:422: return false;
On 2017/05/25 19:49:56, mmenke wrote:
> Do we always set path to be non-empty, even when none is provided?

Yes, at least at a couple of places in the stack--see
CanonicalCookie::CanonPathWithString.  

> Regardless, this should at least be (path_.empty() || path_[0] != '/')

Right!  Done.

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cookie.h
File net/cookies/canonical_cookie.h (right):

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
net/cookies/canonical_cookie.h:149: bool IsCanonical() const;
On 2017/05/26 17:02:17, mmenke wrote:
> We should DCHECK on this at the end of CanonicalCookie::Create (Since it
should
> only be returning canonical cookies).  That should hopefully help us catch
most
> false negatives, though doesn't help much with potential false positives... 
> Maybe we could create a fuzzer for that?  Call CanonicalCookie::Create, and if
> it fails, manually construct a CanonicalCookie with the unsafe constructor
that
> looks much like what Create would have returned on success, and make sure it's
> not canonical?

DCHECK added.  I agree that a fuzzer might be a way to catch false positives,
but that would be a fair amount of work.  How important do you think it is?

(I tried to add some tests for CC::Create paralleling the ones for
IsCanonical(), but the parsing of the cookie line defeated my attempts.)

[commit-bot: I haz the power, 2017-06-07 23:32:05]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-08 00:14:53]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-08 00:14:54]

Dry run: Try jobs failed on following builders:
  ios-simulator on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator/bui...)

[Randy Smith (Not in Mondays), 2017-06-08 15:33:46]

The CQ bit was checked by rdsmith@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-08 15:33:59]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-08 16:51:17]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-08 16:51:18]

Dry run: Try jobs failed on following builders:
  ios-simulator on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator/bui...)

[mmenke, 2017-06-08 18:00:23]

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cookie.h
File net/cookies/canonical_cookie.h (right):

https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
net/cookies/canonical_cookie.h:149: bool IsCanonical() const;
On 2017/06/07 23:31:40, Randy Smith (Not in Mondays) wrote:
> On 2017/05/26 17:02:17, mmenke wrote:
> > We should DCHECK on this at the end of CanonicalCookie::Create (Since it
> should
> > only be returning canonical cookies).  That should hopefully help us catch
> most
> > false negatives, though doesn't help much with potential false positives... 
> > Maybe we could create a fuzzer for that?  Call CanonicalCookie::Create, and
if
> > it fails, manually construct a CanonicalCookie with the unsafe constructor
> that
> > looks much like what Create would have returned on success, and make sure
it's
> > not canonical?
> 
> DCHECK added.  I agree that a fuzzer might be a way to catch false positives,
> but that would be a fair amount of work.  How important do you think it is?
> 
> (I tried to add some tests for CC::Create paralleling the ones for
> IsCanonical(), but the parsing of the cookie line defeated my attempts.)

So I'm very shaky on the accuracy of this function.

I assume the intention is to validate things the network process receives, which
is why I want some way to automatically validate that this is actually correct.

My opinion is we either need to add automatic validation (DCHECKs, fuzzers, or
something), or I'm not going to be able to sign off on this without a fair bit
of digging.  At which point, I'll probably also once again suggest we also
validate it with DCHECKs, though I may have better informed suggestions on how
to do that.

[mmenke, 2017-06-08 18:02:08]

On 2017/06/08 18:00:23, mmenke wrote:
>
https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cookie.h
> File net/cookies/canonical_cookie.h (right):
> 
>
https://codereview.chromium.org/2898953008/diff/1/net/cookies/canonical_cooki...
> net/cookies/canonical_cookie.h:149: bool IsCanonical() const;
> On 2017/06/07 23:31:40, Randy Smith (Not in Mondays) wrote:
> > On 2017/05/26 17:02:17, mmenke wrote:
> > > We should DCHECK on this at the end of CanonicalCookie::Create (Since it
> > should
> > > only be returning canonical cookies).  That should hopefully help us catch
> > most
> > > false negatives, though doesn't help much with potential false
positives... 
> > > Maybe we could create a fuzzer for that?  Call CanonicalCookie::Create,
and
> if
> > > it fails, manually construct a CanonicalCookie with the unsafe constructor
> > that
> > > looks much like what Create would have returned on success, and make sure
> it's
> > > not canonical?
> > 
> > DCHECK added.  I agree that a fuzzer might be a way to catch false
positives,
> > but that would be a fair amount of work.  How important do you think it is?
> > 
> > (I tried to add some tests for CC::Create paralleling the ones for
> > IsCanonical(), but the parsing of the cookie line defeated my attempts.)
> 
> So I'm very shaky on the accuracy of this function.
> 
> I assume the intention is to validate things the network process receives,
which
> is why I want some way to automatically validate that this is actually
correct.
> 
> My opinion is we either need to add automatic validation (DCHECKs, fuzzers, or
> something), or I'm not going to be able to sign off on this without a fair bit
> of digging.  At which point, I'll probably also once again suggest we also
> validate it with DCHECKs, though I may have better informed suggestions on how
> to do that.

Ahh, you added the DCHECK on construction, didn't realize that.  So that seems
to address my biggest concern.  There may still be things it falsely claims are
canonical.  I want to think a bit about that before signing off.

[Randy Smith (Not in Mondays), 2017-06-08 19:47:25]

The CQ bit was checked by rdsmith@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-08 19:48:02]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-08 20:24:05]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-08 20:24:06]

Dry run: Try jobs failed on following builders:
  android_n5x_swarming_rel on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/android_n5x_...)

[Randy Smith (Not in Mondays), 2017-06-09 03:57:47]

The CQ bit was checked by rdsmith@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-09 03:58:10]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-09 07:02:59]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-09 07:03:00]

Dry run: This issue passed the CQ dry run.

[Randy Smith (Not in Mondays), 2017-06-09 11:16:15]

rdsmith@chromium.org changed reviewers:
+ droger@chromium.org

[Randy Smith (Not in Mondays), 2017-06-09 11:16:15]

David, would you review the PS 4->5 diff?

[droger, 2017-06-09 12:14:15]

lgtm

[mmenke, 2017-06-09 18:25:49]

A Mojo cookie hookup to the renderer process will doubless need a security
review, once we're actually using this logic.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:243: std::unique_ptr<CanonicalCookie>
cc(base::WrapUnique(new CanonicalCookie(
base::MakeUnique (pre-existing issue)

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:248: DCHECK(cc->IsCanonical());
Random comment:  Come to think of it, we do have some fuzzer coverage of this
DCHECK, in the URLRequest fuzzer, though it can't set secure or extension
cookies.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:410: ParsedCookie::ParseValueString(path_) !=
path_) {
I don't think this is enough.

In particular, disallow CRs/LFs and embedded NULLs, which all seems like they
could be rather problematic.  What happens if someone tries to set such cookies
via document.cookie?

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:419: // the absence of a domain attribute), but
are needed for chrome
are -> is.  Also, should Chrome be capitalized, or be chrome/ instead?  Doesn't
really matter.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:421: if (!url::HostIsIPAddress(domain_) &&
!domain_.empty() &&
instead of url::HostIsIPAddress, can't we just grab this from
CanonHostInfo::IsIPAddress(), to save some work?

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:422: canonical_domain != domain_) {
If the URL is an IP address, shouldn't canonical_domain == domain_?

My only concern here is domains that can be expressed in multiple ways.  i.e.
[::0] is the same as [0::0] or [0:0:0:0:0:0:0:0:0] (Plus some :0's).  Just
because domain_ is an IP address doesn't mean it can necessarily be part of a
canonical cookie.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:426: if (path_.empty() || path_[0] != '/')
Hrm...I guess we do nothing about invalid characters anywhere in the cookie
code, unless I'm missing something?  So we depend on the site to do any
normalization when they specify a path (i.e., escape rules, like " " -> "%20)

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:429: return true;
What if there's no creation time, or the creation time is far in the future? 
The main concern is that may much with GC, or that a compromised renderer could
create a forever cookie, that will never expire, due to always passing the
30-day checks.

Of course, just dropping them could cause problems if the clock changes, or
clocks are off.  Are there cases where consumers really want to set a cookie
with a weird creation time?  If not, can just have the API to set a
CanonicalCookie overwrite the time itself.  I'm less concerned about funky
expiration times, since that's what GC is for, and that's based mostly on
creation time.

We'll presumably want to overwrite last_access_data.  The only other fields that
look to be of potential concern when set by a compromised renderer are domain
and secure, but those can already be set be such a renderer, so that's nothing
new.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
File net/cookies/canonical_cookie_unittest.cc (right):

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie_unittest.cc:600: EXPECT_TRUE(CanonicalCookie("A",
"B", "x.y", "/path", base::Time(),
Some of these should use IP addresses, both v4 and v6 (I think the v6 format
used by the cookie store/url::CanonicalHost includes braces?)

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie_unittest.cc:600: EXPECT_TRUE(CanonicalCookie("A",
"B", "x.y", "/path", base::Time(),
Also, if we choose to anything about the base last-access times, should test
that, too.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie_unittest.cc:610: EXPECT_FALSE(CanonicalCookie("A ",
"B", "x.y", "/path", base::Time(),
I think these each need comments - fixuring out which field is wrong is a bit of
a where's waldo search.

[mmenke, 2017-06-09 19:00:47]

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:410: ParsedCookie::ParseValueString(path_) !=
path_) {
On 2017/06/09 18:25:49, mmenke wrote:
> I don't think this is enough.
> 
> In particular, disallow CRs/LFs and embedded NULLs, which all seems like they
> could be rather problematic.  What happens if someone tries to set such
cookies
> via document.cookie?

Also, may be worth testing if there are any paths where we let web platform
consumers set cookies with semi-colons or commas (or quotes?) in cookie name or
value strings.

[Randy Smith (Not in Mondays), 2017-06-09 19:38:33]

Completely agreed about the security review for the renderer->Mojo switch, but
that's several CLs down the pike.  Even the CL that creates the mojo service
won't shift the renderer over, and that's the furthest one I've started working
on yet.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:243: std::unique_ptr<CanonicalCookie>
cc(base::WrapUnique(new CanonicalCookie(
On 2017/06/09 18:25:49, mmenke wrote:
> base::MakeUnique (pre-existing issue)

Done.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:248: DCHECK(cc->IsCanonical());
On 2017/06/09 18:25:49, mmenke wrote:
> Random comment:  Come to think of it, we do have some fuzzer coverage of this
> DCHECK, in the URLRequest fuzzer, though it can't set secure or extension
> cookies.

Acknowledged.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:410: ParsedCookie::ParseValueString(path_) !=
path_) {
On 2017/06/09 18:25:49, mmenke wrote:
> I don't think this is enough.
> 
> In particular, disallow CRs/LFs and embedded NULLs, which all seems like they
> could be rather problematic.  What happens if someone tries to set such
cookies
> via document.cookie?

Sorry, could you say a bit more?  I may be confused, but it looks to me as if
ParseTokenString(x) will indeed return something that != x if x contains CRs,
LFs, or nulls.   I've added a couple of tests in cc_unittest.cc to confirm this,
and cookies constructed with those characters in the name aren't canonical.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:410: ParsedCookie::ParseValueString(path_) !=
path_) {
On 2017/06/09 19:00:47, mmenke wrote:
> On 2017/06/09 18:25:49, mmenke wrote:
> > I don't think this is enough.
> > 
> > In particular, disallow CRs/LFs and embedded NULLs, which all seems like
they
> > could be rather problematic.  What happens if someone tries to set such
> cookies
> > via document.cookie?
> 
> Also, may be worth testing if there are any paths where we let web platform
> consumers set cookies with semi-colons or commas (or quotes?) in cookie name
or
> value strings.  

See comments elsewhere about currently web platform consumers (Set-Cookie:
header and document.cookie) using SetCookieWithOptions() and hence going through
parsing.  But I'm not sure what you mean by "testing"?  How would one test that?

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:419: // the absence of a domain attribute), but
are needed for chrome
On 2017/06/09 18:25:49, mmenke wrote:
> are -> is.  Also, should Chrome be capitalized, or be chrome/ instead? 
Doesn't
> really matter.

Done.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:421: if (!url::HostIsIPAddress(domain_) &&
!domain_.empty() &&
On 2017/06/09 18:25:49, mmenke wrote:
> instead of url::HostIsIPAddress, can't we just grab this from
> CanonHostInfo::IsIPAddress(), to save some work?

Done.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:422: canonical_domain != domain_) {
On 2017/06/09 18:25:49, mmenke wrote:
> If the URL is an IP address, shouldn't canonical_domain == domain_?
>
> My only concern here is domains that can be expressed in multiple ways.  i.e.
> [::0] is the same as [0::0] or [0:0:0:0:0:0:0:0:0] (Plus some :0's).  Just
> because domain_ is an IP address doesn't mean it can necessarily be part of a
> canonical cookie.

Is the issue what "canonical" means, i.e. that you could have two equivalent
hosts that are IP addresses and represented differently, and hence they wouldn't
look like the same cookie?  If so, yes, that's an issue, but it's an issue that
exists in the current code, and I'm not particularly inclined to shave the yak
unless you think it's specifically important?

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:426: if (path_.empty() || path_[0] != '/')
On 2017/06/09 18:25:49, mmenke wrote:
> Hrm...I guess we do nothing about invalid characters anywhere in the cookie
> code, unless I'm missing something?  So we depend on the site to do any
> normalization when they specify a path (i.e., escape rules, like " " -> "%20)

That sounds right to me, though if there's anything this exercise has taught me
it's that I'm not very well grounded in all the nuances of the cookie code.  
There's some protection on the path through which web sites set cookies (because
it uses SetCookieWithOptions(), which means the cookie code is parsing the
cookie line, and that parsing presumably doesn't something about invalid
characters).  And direct renderer setting of cookies uses the same interface (as
makes sense for setting through document.cookies).  

Which means that we're going to need to add that validation before we switch the
renderer pathway over to Mojo, since currently the parsing's done in the browser
and that'll move it to the renderer.  I'd rather do that in a separate CL (so
this is pretty purely a refactor of what we currently have), but I'll take a
note that it'll need to be done.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:429: return true;
On 2017/06/09 18:25:49, mmenke wrote:
> What if there's no creation time, or the creation time is far in the future? 
> The main concern is that may much with GC, or that a compromised renderer
could
> create a forever cookie, that will never expire, due to always passing the
> 30-day checks.

As noted above, I'd like to put in the Mojo-required renderer checks in a
separate CL that's more closely associated with the shift to mojo, and leave
this as being just a refactor of/based on the current code.  Is that reasonable,
or do you think that this CL is incomplete without those checks?

> Of course, just dropping them could cause problems if the clock changes, or
> clocks are off.  Are there cases where consumers really want to set a cookie
> with a weird creation time?  If not, can just have the API to set a
> CanonicalCookie overwrite the time itself.  I'm less concerned about funky
> expiration times, since that's what GC is for, and that's based mostly on
> creation time.
> 
> We'll presumably want to overwrite last_access_data.  The only other fields
that
> look to be of potential concern when set by a compromised renderer are domain
> and secure, but those can already be set be such a renderer, so that's nothing
> new.

Some of the issues you're raising are handled in
https://codereview.chromium.org/2882063002; specifically, in that CL a null
creation time is taken as "set the creation time when you push the cookie into
the monster".  (And CC already has a method for overriding the last access
time.)

Historically, renderers (and the net) haven't had a way of setting creation
time, so my inclination is to have a specific check on reception of renderer
messages for a null creation time (in a later CL).  Let me know if you don't
think that addresses the set of issues you're concerned about.

ETA: Thinking about this from a slightly more general perspective, I don't think
that variations in creation time or last access time will affect whether a
cookie is *canonical*; it's that we want to have different privileges able to
set those values or not.  Which may mean that we'll want a null last access time
to have a specific ("Figure it out for me") meaning, and then assert that the
renderer must always provide a null last access time.

From that perspective, the validation around illegal characters that we talk
about above *should* be part of the definition of a canonical cookie, and if you
want I'm willing to expand this CL to take care of that if you'd like, though I
still think it's reasonable to have it in a different CL when the privilege
issue comes up (mostly because CookieMonster::SetCookieWithDetails() does
nothing in this space, and as I mention elsewhere, that's my initial model for
IsCanonical() and SetCanonicalCookie()).

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
File net/cookies/canonical_cookie_unittest.cc (right):

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie_unittest.cc:600: EXPECT_TRUE(CanonicalCookie("A",
"B", "x.y", "/path", base::Time(),
On 2017/06/09 18:25:49, mmenke wrote:
> Some of these should use IP addresses, both v4 and v6 (I think the v6 format
> used by the cookie store/url::CanonicalHost includes braces?)

Done, though give them a scan--I have no confidence I've explored the space
thoroughly.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie_unittest.cc:600: EXPECT_TRUE(CanonicalCookie("A",
"B", "x.y", "/path", base::Time(),
On 2017/06/09 18:25:49, mmenke wrote:
> Also, if we choose to anything about the base last-access times, should test
> that, too.

Current belief is that we're not going to do anything about that in this CL;
will test if we end up doing something.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie_unittest.cc:610: EXPECT_FALSE(CanonicalCookie("A ",
"B", "x.y", "/path", base::Time(),
On 2017/06/09 18:25:49, mmenke wrote:
> I think these each need comments - fixuring out which field is wrong is a bit
of
> a where's waldo search.

Completely fair--even writing them was that.  I developed a discipline of always
copying the "EXPECT_TRUE" at the top and changing it.  Done.

[Randy Smith (Not in Mondays), 2017-06-09 19:39:23]

Sorry, also: Comments incorporated, PTAL?  & I'm not running try jobs yet as
that'll require merging past the test tweak CLs I recently landed, which'll be a
bit of a pain; obviously, I won't land without getting back to green try jobs.

[mmenke, 2017-06-09 19:53:59]

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:410: ParsedCookie::ParseValueString(path_) !=
path_) {
On 2017/06/09 19:38:32, Randy Smith (Not in Mondays) wrote:
> On 2017/06/09 18:25:49, mmenke wrote:
> > I don't think this is enough.
> > 
> > In particular, disallow CRs/LFs and embedded NULLs, which all seems like
they
> > could be rather problematic.  What happens if someone tries to set such
> cookies
> > via document.cookie?
> 
> Sorry, could you say a bit more?  I may be confused, but it looks to me as if
> ParseTokenString(x) will indeed return something that != x if x contains CRs,
> LFs, or nulls.   I've added a couple of tests in cc_unittest.cc to confirm
this,
> and cookies constructed with those characters in the name aren't canonical.

Oops, I missed the FindFirstTerminator call, and was digging into ParseToken
instead.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:410: ParsedCookie::ParseValueString(path_) !=
path_) {
On 2017/06/09 19:38:32, Randy Smith (Not in Mondays) wrote:
> On 2017/06/09 19:00:47, mmenke wrote:
> > On 2017/06/09 18:25:49, mmenke wrote:
> > > I don't think this is enough.
> > > 
> > > In particular, disallow CRs/LFs and embedded NULLs, which all seems like
> they
> > > could be rather problematic.  What happens if someone tries to set such
> > cookies
> > > via document.cookie?
> > 
> > Also, may be worth testing if there are any paths where we let web platform
> > consumers set cookies with semi-colons or commas (or quotes?) in cookie name
> or
> > value strings.  
> 
> See comments elsewhere about currently web platform consumers (Set-Cookie:
> header and document.cookie) using SetCookieWithOptions() and hence going
through
> parsing.  But I'm not sure what you mean by "testing"?  How would one test
that?

If they go through SetCookieWithOptions, that's enough for me.  So yea, I think
we should ban ";", at least, in name and value (Not sure about commas or quotes
- depends on whether they're allowed in set-cookie lines).

One would test it by trying to set a cookie with the values, to see if it's
possible (Reading specs wouldn't be enough, given our....flexible relationship
to the spec).

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:422: canonical_domain != domain_) {
On 2017/06/09 19:38:32, Randy Smith (Not in Mondays) wrote:
> On 2017/06/09 18:25:49, mmenke wrote:
> > If the URL is an IP address, shouldn't canonical_domain == domain_?
> >
> > My only concern here is domains that can be expressed in multiple ways. 
i.e.
> > [::0] is the same as [0::0] or [0:0:0:0:0:0:0:0:0] (Plus some :0's).  Just
> > because domain_ is an IP address doesn't mean it can necessarily be part of
a
> > canonical cookie.
> 
> Is the issue what "canonical" means, i.e. that you could have two equivalent
> hosts that are IP addresses and represented differently, and hence they
wouldn't
> look like the same cookie?  If so, yes, that's an issue, but it's an issue
that
> exists in the current code, and I'm not particularly inclined to shave the yak
> unless you think it's specifically important?

I'm not sure if canonicalizing domain names canonicalizes IPs or not.  This is
entirely dependent on what CanonicalizeHost does.  Just remove the IP address
check, and I think we're fine, regardless?

Hrm...It looks like CanonicalCookie deliberately skips canonicalization when the
domain is an IP address, sorry, I missed that, so this looks right.

My concern is that CanonicalCookie::Create may have a different notion of what's
canonical than this function.  Ideally, this would only say true iff such a
cookie could be created with CanonicalCookie::Create(), in my opinion.  Do you
have a different notion of what this should do?

[mmenke, 2017-06-09 20:05:04]

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:422: canonical_domain != domain_) {
On 2017/06/09 19:53:59, mmenke wrote:
> On 2017/06/09 19:38:32, Randy Smith (Not in Mondays) wrote:
> > On 2017/06/09 18:25:49, mmenke wrote:
> > > If the URL is an IP address, shouldn't canonical_domain == domain_?
> > >
> > > My only concern here is domains that can be expressed in multiple ways. 
> i.e.
> > > [::0] is the same as [0::0] or [0:0:0:0:0:0:0:0:0] (Plus some :0's).  Just
> > > because domain_ is an IP address doesn't mean it can necessarily be part
of
> a
> > > canonical cookie.
> > 
> > Is the issue what "canonical" means, i.e. that you could have two equivalent
> > hosts that are IP addresses and represented differently, and hence they
> wouldn't
> > look like the same cookie?  If so, yes, that's an issue, but it's an issue
> that
> > exists in the current code, and I'm not particularly inclined to shave the
yak
> > unless you think it's specifically important?
> 
> I'm not sure if canonicalizing domain names canonicalizes IPs or not.  This is
> entirely dependent on what CanonicalizeHost does.  Just remove the IP address
> check, and I think we're fine, regardless?
> 
> Hrm...It looks like CanonicalCookie deliberately skips canonicalization when
the
> domain is an IP address, sorry, I missed that, so this looks right.
> 
> My concern is that CanonicalCookie::Create may have a different notion of
what's
> canonical than this function.  Ideally, this would only say true iff such a
> cookie could be created with CanonicalCookie::Create(), in my opinion.  Do you
> have a different notion of what this should do?

So...this is really weird:  CanonicalCookie::Create quite deliberately does not
canonicalize hosts that are IP address, so it would allow cookies to be set on a
domain of "[0::1]", but GURL *does* canonicalize domains.  So normally, it's
impossible to set a cookie on the domain "[0::1]", because it will be normalized
to "[::1]" by GURL.  However, this code will let cookies be set on the domain.

[Randy Smith (Not in Mondays), 2017-06-11 15:35:24]

Matt: I'd value your reactions to my responses below while I execute on this CL
in parallel (see CC def response).  Note that I haven't responded to all of your
comments (specifically, I'm taking the SetCookieWithOptions discussion as moot
given the definition of IsCanonical() discussion).

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:422: canonical_domain != domain_) {
On 2017/06/09 19:53:59, mmenke wrote:
> On 2017/06/09 19:38:32, Randy Smith (Not in Mondays) wrote:
> > On 2017/06/09 18:25:49, mmenke wrote:
> > > If the URL is an IP address, shouldn't canonical_domain == domain_?
> > >
> > > My only concern here is domains that can be expressed in multiple ways. 
> i.e.
> > > [::0] is the same as [0::0] or [0:0:0:0:0:0:0:0:0] (Plus some :0's).  Just
> > > because domain_ is an IP address doesn't mean it can necessarily be part
of
> a
> > > canonical cookie.
> > 
> > Is the issue what "canonical" means, i.e. that you could have two equivalent
> > hosts that are IP addresses and represented differently, and hence they
> wouldn't
> > look like the same cookie?  If so, yes, that's an issue, but it's an issue
> that
> > exists in the current code, and I'm not particularly inclined to shave the
yak
> > unless you think it's specifically important?
> 
> I'm not sure if canonicalizing domain names canonicalizes IPs or not.  This is
> entirely dependent on what CanonicalizeHost does.  Just remove the IP address
> check, and I think we're fine, regardless?
> 
> Hrm...It looks like CanonicalCookie deliberately skips canonicalization when
the
> domain is an IP address, sorry, I missed that, so this looks right.
> 
> My concern is that CanonicalCookie::Create may have a different notion of
what's
> canonical than this function.  Ideally, this would only say true iff such a
> cookie could be created with CanonicalCookie::Create(), in my opinion.  Do you
> have a different notion of what this should do?

That's an excellent clarifying question.  I think that the set of canonical
cookies as defined by IsCanonical() should be the set createable by
CanonicalCookie::Create closed over what happens when cookies get put into and
removed from the cookie store.  I'll take a stab at defining that more
precisely:
* Everything CC::Create can produce except
* Creation times may be arbitrary or null (that's looking forward; null means
"figure it out for me when entering it into the store")
* Access and modification times must be null or after creation times unless
creation time is null, in which case they must be null.

I'll take a stab at bringing IsCanonical() in line with the above (and dealing
with any test failures :-}), but I'd value your reaction to the definition above
in the meantime.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:422: canonical_domain != domain_) {
On 2017/06/09 20:05:04, mmenke wrote:
> On 2017/06/09 19:53:59, mmenke wrote:
> > On 2017/06/09 19:38:32, Randy Smith (Not in Mondays) wrote:
> > > On 2017/06/09 18:25:49, mmenke wrote:
> > > > If the URL is an IP address, shouldn't canonical_domain == domain_?
> > > >
> > > > My only concern here is domains that can be expressed in multiple ways. 
> > i.e.
> > > > [::0] is the same as [0::0] or [0:0:0:0:0:0:0:0:0] (Plus some :0's). 
Just
> > > > because domain_ is an IP address doesn't mean it can necessarily be part
> of
> > a
> > > > canonical cookie.
> > > 
> > > Is the issue what "canonical" means, i.e. that you could have two
equivalent
> > > hosts that are IP addresses and represented differently, and hence they
> > wouldn't
> > > look like the same cookie?  If so, yes, that's an issue, but it's an issue
> > that
> > > exists in the current code, and I'm not particularly inclined to shave the
> yak
> > > unless you think it's specifically important?
> > 
> > I'm not sure if canonicalizing domain names canonicalizes IPs or not.  This
is
> > entirely dependent on what CanonicalizeHost does.  Just remove the IP
address
> > check, and I think we're fine, regardless?
> > 
> > Hrm...It looks like CanonicalCookie deliberately skips canonicalization when
> the
> > domain is an IP address, sorry, I missed that, so this looks right.
> > 
> > My concern is that CanonicalCookie::Create may have a different notion of
> what's
> > canonical than this function.  Ideally, this would only say true iff such a
> > cookie could be created with CanonicalCookie::Create(), in my opinion.  Do
you
> > have a different notion of what this should do?
> 
> So...this is really weird:  CanonicalCookie::Create quite deliberately does
not
> canonicalize hosts that are IP address, so it would allow cookies to be set on
a
> domain of "[0::1]", but GURL *does* canonicalize domains.  So normally, it's
> impossible to set a cookie on the domain "[0::1]", because it will be
normalized
> to "[::1]" by GURL.  However, this code will let cookies be set on the domain.

Yeah, that fits with my understanding, and it sounds wrong to me, but I'm not
inclined to change it; it's a pre-existing to this CL wart.  Let me know if that
bothers you.

[mmenke, 2017-06-12 15:27:00]

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:422: canonical_domain != domain_) {
On 2017/06/11 15:35:24, Randy Smith (Not in Mondays) wrote:
> On 2017/06/09 19:53:59, mmenke wrote:
> > On 2017/06/09 19:38:32, Randy Smith (Not in Mondays) wrote:
> > > On 2017/06/09 18:25:49, mmenke wrote:
> > > > If the URL is an IP address, shouldn't canonical_domain == domain_?
> > > >
> > > > My only concern here is domains that can be expressed in multiple ways. 
> > i.e.
> > > > [::0] is the same as [0::0] or [0:0:0:0:0:0:0:0:0] (Plus some :0's). 
Just
> > > > because domain_ is an IP address doesn't mean it can necessarily be part
> of
> > a
> > > > canonical cookie.
> > > 
> > > Is the issue what "canonical" means, i.e. that you could have two
equivalent
> > > hosts that are IP addresses and represented differently, and hence they
> > wouldn't
> > > look like the same cookie?  If so, yes, that's an issue, but it's an issue
> > that
> > > exists in the current code, and I'm not particularly inclined to shave the
> yak
> > > unless you think it's specifically important?
> > 
> > I'm not sure if canonicalizing domain names canonicalizes IPs or not.  This
is
> > entirely dependent on what CanonicalizeHost does.  Just remove the IP
address
> > check, and I think we're fine, regardless?
> > 
> > Hrm...It looks like CanonicalCookie deliberately skips canonicalization when
> the
> > domain is an IP address, sorry, I missed that, so this looks right.
> > 
> > My concern is that CanonicalCookie::Create may have a different notion of
> what's
> > canonical than this function.  Ideally, this would only say true iff such a
> > cookie could be created with CanonicalCookie::Create(), in my opinion.  Do
you
> > have a different notion of what this should do?
> 
> That's an excellent clarifying question.  I think that the set of canonical
> cookies as defined by IsCanonical() should be the set createable by
> CanonicalCookie::Create closed over what happens when cookies get put into and
> removed from the cookie store.  I'll take a stab at defining that more
> precisely:
> * Everything CC::Create can produce except
> * Creation times may be arbitrary or null (that's looking forward; null means
> "figure it out for me when entering it into the store")
> * Access and modification times must be null or after creation times unless
> creation time is null, in which case they must be null.
> 
> I'll take a stab at bringing IsCanonical() in line with the above (and dealing
> with any test failures :-}), but I'd value your reaction to the definition
above
> in the meantime.

I think that's reasonable, and should be documented.  Note that this would
include canonicalizing IP address host names, since CanonicalCookie::Create
takes a GURL, rather than a string hostname.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:422: canonical_domain != domain_) {
On 2017/06/11 15:35:24, Randy Smith (Not in Mondays) wrote:
> On 2017/06/09 20:05:04, mmenke wrote:
> > On 2017/06/09 19:53:59, mmenke wrote:
> > > On 2017/06/09 19:38:32, Randy Smith (Not in Mondays) wrote:
> > > > On 2017/06/09 18:25:49, mmenke wrote:
> > > > > If the URL is an IP address, shouldn't canonical_domain == domain_?
> > > > >
> > > > > My only concern here is domains that can be expressed in multiple
ways. 
> > > i.e.
> > > > > [::0] is the same as [0::0] or [0:0:0:0:0:0:0:0:0] (Plus some :0's). 
> Just
> > > > > because domain_ is an IP address doesn't mean it can necessarily be
part
> > of
> > > a
> > > > > canonical cookie.
> > > > 
> > > > Is the issue what "canonical" means, i.e. that you could have two
> equivalent
> > > > hosts that are IP addresses and represented differently, and hence they
> > > wouldn't
> > > > look like the same cookie?  If so, yes, that's an issue, but it's an
issue
> > > that
> > > > exists in the current code, and I'm not particularly inclined to shave
the
> > yak
> > > > unless you think it's specifically important?
> > > 
> > > I'm not sure if canonicalizing domain names canonicalizes IPs or not. 
This
> is
> > > entirely dependent on what CanonicalizeHost does.  Just remove the IP
> address
> > > check, and I think we're fine, regardless?
> > > 
> > > Hrm...It looks like CanonicalCookie deliberately skips canonicalization
when
> > the
> > > domain is an IP address, sorry, I missed that, so this looks right.
> > > 
> > > My concern is that CanonicalCookie::Create may have a different notion of
> > what's
> > > canonical than this function.  Ideally, this would only say true iff such
a
> > > cookie could be created with CanonicalCookie::Create(), in my opinion.  Do
> you
> > > have a different notion of what this should do?
> > 
> > So...this is really weird:  CanonicalCookie::Create quite deliberately does
> not
> > canonicalize hosts that are IP address, so it would allow cookies to be set
on
> a
> > domain of "[0::1]", but GURL *does* canonicalize domains.  So normally, it's
> > impossible to set a cookie on the domain "[0::1]", because it will be
> normalized
> > to "[::1]" by GURL.  However, this code will let cookies be set on the
domain.
> 
> Yeah, that fits with my understanding, and it sounds wrong to me, but I'm not
> inclined to change it; it's a pre-existing to this CL wart.  Let me know if
that
> bothers you.

I agree this CL shouldn't try to change behavior, or work around existing warts,
however, only allowing cookies to be set on normalized IP addresses *does* seem
to be existing behavior, just because CanonicalCookie::Create takes a GURL,
rather than a hostname.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:429: return true;
On 2017/06/09 19:38:32, Randy Smith (Not in Mondays) wrote:
> On 2017/06/09 18:25:49, mmenke wrote:
> > What if there's no creation time, or the creation time is far in the future?

> > The main concern is that may much with GC, or that a compromised renderer
> could
> > create a forever cookie, that will never expire, due to always passing the
> > 30-day checks.
> 
> As noted above, I'd like to put in the Mojo-required renderer checks in a
> separate CL that's more closely associated with the shift to mojo, and leave
> this as being just a refactor of/based on the current code.  Is that
reasonable,
> or do you think that this CL is incomplete without those checks?

I think that's fine.  Part of the trouble I'm having with this CL is the code
isn't even used, so I have to speculate on how it will be used (Or punt that
part of the review until it's actually used, which means I'll be reviewing a lot
of code that the CL doesn't actually modify, which seems kinda funky).

> > Of course, just dropping them could cause problems if the clock changes, or
> > clocks are off.  Are there cases where consumers really want to set a cookie
> > with a weird creation time?  If not, can just have the API to set a
> > CanonicalCookie overwrite the time itself.  I'm less concerned about funky
> > expiration times, since that's what GC is for, and that's based mostly on
> > creation time.
> > 
> > We'll presumably want to overwrite last_access_data.  The only other fields
> that
> > look to be of potential concern when set by a compromised renderer are
domain
> > and secure, but those can already be set be such a renderer, so that's
nothing
> > new.
> 
> Some of the issues you're raising are handled in
> https://codereview.chromium.org/2882063002; specifically, in that CL a null
> creation time is taken as "set the creation time when you push the cookie into
> the monster".  (And CC already has a method for overriding the last access
> time.)
> 
> Historically, renderers (and the net) haven't had a way of setting creation
> time, so my inclination is to have a specific check on reception of renderer
> messages for a null creation time (in a later CL).  Let me know if you don't
> think that addresses the set of issues you're concerned about.

I think this is reasonable.  We should be very clear in function docs just what
this does and does not check, though.

> ETA: Thinking about this from a slightly more general perspective, I don't
think
> that variations in creation time or last access time will affect whether a
> cookie is *canonical*; it's that we want to have different privileges able to
> set those values or not.  Which may mean that we'll want a null last access
time
> to have a specific ("Figure it out for me") meaning, and then assert that the
> renderer must always provide a null last access time.
> 
> From that perspective, the validation around illegal characters that we talk
> about above *should* be part of the definition of a canonical cookie, and if
you
> want I'm willing to expand this CL to take care of that if you'd like, though
I
> still think it's reasonable to have it in a different CL when the privilege
> issue comes up (mostly because CookieMonster::SetCookieWithDetails() does
> nothing in this space, and as I mention elsewhere, that's my initial model for
> IsCanonical() and SetCanonicalCookie()).  

I'd prefer to do it in this CL, mostly because I think it's easier to make sure
we have good testing of this method on a CL that just adds this method, rather
than in a CL that does other stuff, and it also highlights any issue with the
checks earlier, so we can fix them now, if need be, rather than having to deal
with that in a CL where changes here aren't the focus.

[mmenke, 2017-06-12 15:28:48]

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:429: return true;
On 2017/06/12 15:27:00, mmenke wrote:
> On 2017/06/09 19:38:32, Randy Smith (Not in Mondays) wrote:
> > On 2017/06/09 18:25:49, mmenke wrote:
> > > What if there's no creation time, or the creation time is far in the
future?
> 
> > > The main concern is that may much with GC, or that a compromised renderer
> > could
> > > create a forever cookie, that will never expire, due to always passing the
> > > 30-day checks.
> > 
> > As noted above, I'd like to put in the Mojo-required renderer checks in a
> > separate CL that's more closely associated with the shift to mojo, and leave
> > this as being just a refactor of/based on the current code.  Is that
> reasonable,
> > or do you think that this CL is incomplete without those checks?
> 
> I think that's fine.  Part of the trouble I'm having with this CL is the code
> isn't even used, so I have to speculate on how it will be used (Or punt that
> part of the review until it's actually used, which means I'll be reviewing a
lot
> of code that the CL doesn't actually modify, which seems kinda funky).
> 
> > > Of course, just dropping them could cause problems if the clock changes,
or
> > > clocks are off.  Are there cases where consumers really want to set a
cookie
> > > with a weird creation time?  If not, can just have the API to set a
> > > CanonicalCookie overwrite the time itself.  I'm less concerned about funky
> > > expiration times, since that's what GC is for, and that's based mostly on
> > > creation time.
> > > 
> > > We'll presumably want to overwrite last_access_data.  The only other
fields
> > that
> > > look to be of potential concern when set by a compromised renderer are
> domain
> > > and secure, but those can already be set be such a renderer, so that's
> nothing
> > > new.
> > 
> > Some of the issues you're raising are handled in
> > https://codereview.chromium.org/2882063002; specifically, in that CL a null
> > creation time is taken as "set the creation time when you push the cookie
into
> > the monster".  (And CC already has a method for overriding the last access
> > time.)
> > 
> > Historically, renderers (and the net) haven't had a way of setting creation
> > time, so my inclination is to have a specific check on reception of renderer
> > messages for a null creation time (in a later CL).  Let me know if you don't
> > think that addresses the set of issues you're concerned about.
> 
> I think this is reasonable.  We should be very clear in function docs just
what
> this does and does not check, though.
> 
> > ETA: Thinking about this from a slightly more general perspective, I don't
> think
> > that variations in creation time or last access time will affect whether a
> > cookie is *canonical*; it's that we want to have different privileges able
to
> > set those values or not.  Which may mean that we'll want a null last access
> time
> > to have a specific ("Figure it out for me") meaning, and then assert that
the
> > renderer must always provide a null last access time.
> > 
> > From that perspective, the validation around illegal characters that we talk
> > about above *should* be part of the definition of a canonical cookie, and if
> you
> > want I'm willing to expand this CL to take care of that if you'd like,
though
> I
> > still think it's reasonable to have it in a different CL when the privilege
> > issue comes up (mostly because CookieMonster::SetCookieWithDetails() does
> > nothing in this space, and as I mention elsewhere, that's my initial model
for
> > IsCanonical() and SetCanonicalCookie()).  
> 
> I'd prefer to do it in this CL, mostly because I think it's easier to make
sure
> we have good testing of this method on a CL that just adds this method, rather
> than in a CL that does other stuff, and it also highlights any issue with the
> checks earlier, so we can fix them now, if need be, rather than having to deal
> with that in a CL where changes here aren't the focus.

Another option would be to land this largely as-is, and then fix it up in
another CL that does nothing else, which I'm also fine with.

[Randy Smith (Not in Mondays), 2017-06-13 15:06:02]

Responding to your comments, but no code changes, and mostly nothing you need to
respond to until I finish the code changes.  The only thing I'll call your
attention to is the wart that I'm attempting to dodge fixing in CC::Create(). 
Arguably what I should do is split off yet another CL to fix that wart, and then
get back to working on this one--let me know if you'd strongly like me to do
that, but given how many different CLs this attempt has sparked so far, I'd
still prefer to ignore it.

(Yaks.  Why did it have to be Yaks?)

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:422: canonical_domain != domain_) {
On 2017/06/11 15:35:24, Randy Smith (Not in Mondays) wrote:
> On 2017/06/09 19:53:59, mmenke wrote:
> > On 2017/06/09 19:38:32, Randy Smith (Not in Mondays) wrote:
> > > On 2017/06/09 18:25:49, mmenke wrote:
> > > > If the URL is an IP address, shouldn't canonical_domain == domain_?
> > > >
> > > > My only concern here is domains that can be expressed in multiple ways. 
> > i.e.
> > > > [::0] is the same as [0::0] or [0:0:0:0:0:0:0:0:0] (Plus some :0's). 
Just
> > > > because domain_ is an IP address doesn't mean it can necessarily be part
> of
> > a
> > > > canonical cookie.
> > > 
> > > Is the issue what "canonical" means, i.e. that you could have two
equivalent
> > > hosts that are IP addresses and represented differently, and hence they
> > wouldn't
> > > look like the same cookie?  If so, yes, that's an issue, but it's an issue
> > that
> > > exists in the current code, and I'm not particularly inclined to shave the
> yak
> > > unless you think it's specifically important?
> > 
> > I'm not sure if canonicalizing domain names canonicalizes IPs or not.  This
is
> > entirely dependent on what CanonicalizeHost does.  Just remove the IP
address
> > check, and I think we're fine, regardless?
> > 
> > Hrm...It looks like CanonicalCookie deliberately skips canonicalization when
> the
> > domain is an IP address, sorry, I missed that, so this looks right.
> > 
> > My concern is that CanonicalCookie::Create may have a different notion of
> what's
> > canonical than this function.  Ideally, this would only say true iff such a
> > cookie could be created with CanonicalCookie::Create(), in my opinion.  Do
you
> > have a different notion of what this should do?
> 
> That's an excellent clarifying question.  I think that the set of canonical
> cookies as defined by IsCanonical() should be the set createable by
> CanonicalCookie::Create closed over what happens when cookies get put into and
> removed from the cookie store.  I'll take a stab at defining that more
> precisely:
> * Everything CC::Create can produce except
> * Creation times may be arbitrary or null (that's looking forward; null means
> "figure it out for me when entering it into the store")
> * Access and modification times must be null or after creation times unless
> creation time is null, in which case they must be null.

Ignore the above about modification times; they don't exist.  I am not planning
to put any constraints on expiry times; they can exist even if the creation time
is null (through use of expires rather than max age).

> I'll take a stab at bringing IsCanonical() in line with the above (and dealing
> with any test failures :-}), but I'd value your reaction to the definition
above
> in the meantime.

Just a quick note: As best I can tell, CanonicalCookie::Create() relies on
creation_time being non-null (see the call to CanonExpiration()) but does not
assert or document that it so relies.  I don't plan on trying to fix
CanonicalCookie::Create() in this CL, but I do plan to allow canonical cookies
to have times as noted above despite the slightly strange behavior of
CC::Create().  I don't like the inconsistency, but neither do I want to get
caught in too large a yak shave, and I think null creation times for CCs are a
fine thing, and could be useful--specifically, it allows only a single CC copy
on setting a CC on the cookie store while making sure that creation times are
unique within a cookie store.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:429: return true;
On 2017/06/12 15:27:00, mmenke wrote:
> On 2017/06/09 19:38:32, Randy Smith (Not in Mondays) wrote:
> > On 2017/06/09 18:25:49, mmenke wrote:
> > > What if there's no creation time, or the creation time is far in the
future?
> 
> > > The main concern is that may much with GC, or that a compromised renderer
> > could
> > > create a forever cookie, that will never expire, due to always passing the
> > > 30-day checks.
> > 
> > As noted above, I'd like to put in the Mojo-required renderer checks in a
> > separate CL that's more closely associated with the shift to mojo, and leave
> > this as being just a refactor of/based on the current code.  Is that
> reasonable,
> > or do you think that this CL is incomplete without those checks?
> 
> I think that's fine.  Part of the trouble I'm having with this CL is the code
> isn't even used, so I have to speculate on how it will be used (Or punt that
> part of the review until it's actually used, which means I'll be reviewing a
lot
> of code that the CL doesn't actually modify, which seems kinda funky).

I see that as part of the basic philosophical tension between doing a lot of
small CLs vs. one big CL.  I'm happy to go with your preference, but I don't see
a way to provide cake for both having and eating :-} :-J.

I'll note that *some* of how this CL will be used (not the renderer checks,
which are down the line) will be occurring in
https://codereview.chromium.org/2882063002, and I'd actually be happy to duck
back and forth between the two CLs based on your prompting if you'd like to
review them in parallel.  Let me know if you want to do that, and I'll bring
them both to "reviewable level" before I next ping you on either.  

But for the renderer checks, yeah, I think you'll need to use your imagination
or review this code again when we get to those CLs (though I don't intend to put
any of the renderer specific checks in the main cookie code).  I'd suggest
thinking of this CL as if its consumers are all privileged, and we'll deal with
the unprivileged consumers later, and separately.
> 
> > > Of course, just dropping them could cause problems if the clock changes,
or
> > > clocks are off.  Are there cases where consumers really want to set a
cookie
> > > with a weird creation time?  If not, can just have the API to set a
> > > CanonicalCookie overwrite the time itself.  I'm less concerned about funky
> > > expiration times, since that's what GC is for, and that's based mostly on
> > > creation time.
> > > 
> > > We'll presumably want to overwrite last_access_data.  The only other
fields
> > that
> > > look to be of potential concern when set by a compromised renderer are
> domain
> > > and secure, but those can already be set be such a renderer, so that's
> nothing
> > > new.
> > 
> > Some of the issues you're raising are handled in
> > https://codereview.chromium.org/2882063002; specifically, in that CL a null
> > creation time is taken as "set the creation time when you push the cookie
into
> > the monster".  (And CC already has a method for overriding the last access
> > time.)
> > 
> > Historically, renderers (and the net) haven't had a way of setting creation
> > time, so my inclination is to have a specific check on reception of renderer
> > messages for a null creation time (in a later CL).  Let me know if you don't
> > think that addresses the set of issues you're concerned about.
> 
> I think this is reasonable.  We should be very clear in function docs just
what
> this does and does not check, though.
> 
> > ETA: Thinking about this from a slightly more general perspective, I don't
> think
> > that variations in creation time or last access time will affect whether a
> > cookie is *canonical*; it's that we want to have different privileges able
to
> > set those values or not.  Which may mean that we'll want a null last access
> time
> > to have a specific ("Figure it out for me") meaning, and then assert that
the
> > renderer must always provide a null last access time.
> > 
> > From that perspective, the validation around illegal characters that we talk
> > about above *should* be part of the definition of a canonical cookie, and if
> you
> > want I'm willing to expand this CL to take care of that if you'd like,
though
> I
> > still think it's reasonable to have it in a different CL when the privilege
> > issue comes up (mostly because CookieMonster::SetCookieWithDetails() does
> > nothing in this space, and as I mention elsewhere, that's my initial model
for
> > IsCanonical() and SetCanonicalCookie()).  
> 
> I'd prefer to do it in this CL, mostly because I think it's easier to make
sure
> we have good testing of this method on a CL that just adds this method, rather
> than in a CL that does other stuff, and it also highlights any issue with the
> checks earlier, so we can fix them now, if need be, rather than having to deal
> with that in a CL where changes here aren't the focus.

Yeah, I had basically come to this same conclusion, free-running on defining
IsCanonical() based on CC::Create().  Accepted.

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:429: return true;
On 2017/06/12 15:28:48, mmenke wrote:
> On 2017/06/12 15:27:00, mmenke wrote:
> > On 2017/06/09 19:38:32, Randy Smith (Not in Mondays) wrote:
> > > On 2017/06/09 18:25:49, mmenke wrote:
> > > > What if there's no creation time, or the creation time is far in the
> future?
> > 
> > > > The main concern is that may much with GC, or that a compromised
renderer
> > > could
> > > > create a forever cookie, that will never expire, due to always passing
the
> > > > 30-day checks.
> > > 
> > > As noted above, I'd like to put in the Mojo-required renderer checks in a
> > > separate CL that's more closely associated with the shift to mojo, and
leave
> > > this as being just a refactor of/based on the current code.  Is that
> > reasonable,
> > > or do you think that this CL is incomplete without those checks?
> > 
> > I think that's fine.  Part of the trouble I'm having with this CL is the
code
> > isn't even used, so I have to speculate on how it will be used (Or punt that
> > part of the review until it's actually used, which means I'll be reviewing a
> lot
> > of code that the CL doesn't actually modify, which seems kinda funky).
> > 
> > > > Of course, just dropping them could cause problems if the clock changes,
> or
> > > > clocks are off.  Are there cases where consumers really want to set a
> cookie
> > > > with a weird creation time?  If not, can just have the API to set a
> > > > CanonicalCookie overwrite the time itself.  I'm less concerned about
funky
> > > > expiration times, since that's what GC is for, and that's based mostly
on
> > > > creation time.
> > > > 
> > > > We'll presumably want to overwrite last_access_data.  The only other
> fields
> > > that
> > > > look to be of potential concern when set by a compromised renderer are
> > domain
> > > > and secure, but those can already be set be such a renderer, so that's
> > nothing
> > > > new.
> > > 
> > > Some of the issues you're raising are handled in
> > > https://codereview.chromium.org/2882063002; specifically, in that CL a
null
> > > creation time is taken as "set the creation time when you push the cookie
> into
> > > the monster".  (And CC already has a method for overriding the last access
> > > time.)
> > > 
> > > Historically, renderers (and the net) haven't had a way of setting
creation
> > > time, so my inclination is to have a specific check on reception of
renderer
> > > messages for a null creation time (in a later CL).  Let me know if you
don't
> > > think that addresses the set of issues you're concerned about.
> > 
> > I think this is reasonable.  We should be very clear in function docs just
> what
> > this does and does not check, though.
> > 
> > > ETA: Thinking about this from a slightly more general perspective, I don't
> > think
> > > that variations in creation time or last access time will affect whether a
> > > cookie is *canonical*; it's that we want to have different privileges able
> to
> > > set those values or not.  Which may mean that we'll want a null last
access
> > time
> > > to have a specific ("Figure it out for me") meaning, and then assert that
> the
> > > renderer must always provide a null last access time.
> > > 
> > > From that perspective, the validation around illegal characters that we
talk
> > > about above *should* be part of the definition of a canonical cookie, and
if
> > you
> > > want I'm willing to expand this CL to take care of that if you'd like,
> though
> > I
> > > still think it's reasonable to have it in a different CL when the
privilege
> > > issue comes up (mostly because CookieMonster::SetCookieWithDetails() does
> > > nothing in this space, and as I mention elsewhere, that's my initial model
> for
> > > IsCanonical() and SetCanonicalCookie()).  
> > 
> > I'd prefer to do it in this CL, mostly because I think it's easier to make
> sure
> > we have good testing of this method on a CL that just adds this method,
rather
> > than in a CL that does other stuff, and it also highlights any issue with
the
> > checks earlier, so we can fix them now, if need be, rather than having to
deal
> > with that in a CL where changes here aren't the focus.
> 
> Another option would be to land this largely as-is, and then fix it up in
> another CL that does nothing else, which I'm also fine with.

Not really any point; let's keep the CL conceptually coherent.  I've done enough
salami slicing, at least IMO.

[Randy Smith (Not in Mondays), 2017-06-13 20:35:56]

The CQ bit was checked by rdsmith@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-13 20:36:29]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Randy Smith (Not in Mondays), 2017-06-13 20:37:35]

Matt: I think I've done a reasonable job at defining
CanonicalCookie::IsCanonical() in comments and bringing it into alignment with
CanonicalCookie::Create.  PTAL?

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:422: canonical_domain != domain_) {
On 2017/06/12 15:27:00, mmenke wrote:
> On 2017/06/11 15:35:24, Randy Smith (Not in Mondays) wrote:
> > On 2017/06/09 19:53:59, mmenke wrote:
> > > On 2017/06/09 19:38:32, Randy Smith (Not in Mondays) wrote:
> > > > On 2017/06/09 18:25:49, mmenke wrote:
> > > > > If the URL is an IP address, shouldn't canonical_domain == domain_?
> > > > >
> > > > > My only concern here is domains that can be expressed in multiple
ways. 
> > > i.e.
> > > > > [::0] is the same as [0::0] or [0:0:0:0:0:0:0:0:0] (Plus some :0's). 
> Just
> > > > > because domain_ is an IP address doesn't mean it can necessarily be
part
> > of
> > > a
> > > > > canonical cookie.
> > > > 
> > > > Is the issue what "canonical" means, i.e. that you could have two
> equivalent
> > > > hosts that are IP addresses and represented differently, and hence they
> > > wouldn't
> > > > look like the same cookie?  If so, yes, that's an issue, but it's an
issue
> > > that
> > > > exists in the current code, and I'm not particularly inclined to shave
the
> > yak
> > > > unless you think it's specifically important?
> > > 
> > > I'm not sure if canonicalizing domain names canonicalizes IPs or not. 
This
> is
> > > entirely dependent on what CanonicalizeHost does.  Just remove the IP
> address
> > > check, and I think we're fine, regardless?
> > > 
> > > Hrm...It looks like CanonicalCookie deliberately skips canonicalization
when
> > the
> > > domain is an IP address, sorry, I missed that, so this looks right.
> > > 
> > > My concern is that CanonicalCookie::Create may have a different notion of
> > what's
> > > canonical than this function.  Ideally, this would only say true iff such
a
> > > cookie could be created with CanonicalCookie::Create(), in my opinion.  Do
> you
> > > have a different notion of what this should do?
> > 
> > That's an excellent clarifying question.  I think that the set of canonical
> > cookies as defined by IsCanonical() should be the set createable by
> > CanonicalCookie::Create closed over what happens when cookies get put into
and
> > removed from the cookie store.  I'll take a stab at defining that more
> > precisely:
> > * Everything CC::Create can produce except
> > * Creation times may be arbitrary or null (that's looking forward; null
means
> > "figure it out for me when entering it into the store")
> > * Access and modification times must be null or after creation times unless
> > creation time is null, in which case they must be null.
> > 
> > I'll take a stab at bringing IsCanonical() in line with the above (and
dealing
> > with any test failures :-}), but I'd value your reaction to the definition
> above
> > in the meantime.
> 
> I think that's reasonable, and should be documented.  Note that this would
> include canonicalizing IP address host names, since CanonicalCookie::Create
> takes a GURL, rather than a string hostname.

Huh.  Good point.  I think the only code modification required for this is to
remove the check above for HostIsIPAddress(); no matter what the domain must
equal the canonicalized domain (even if it's empty, since canonicalizing an
empty domain just returns an empty domain).  I'll put tests in for both these
cases.

[mmenke, 2017-06-13 20:43:46]

Will do.  I'll plan to take a look tomorrow.  Heading out early today - puff of
smoke, which I think was from my printer, set off my fire alarm early in the
morning (Well, early in the morning for me).

On 2017/06/13 20:37:35, Randy Smith (Not in Mondays) wrote:
> Matt: I think I've done a reasonable job at defining
> CanonicalCookie::IsCanonical() in comments and bringing it into alignment with
> CanonicalCookie::Create.  PTAL?
> 
>
https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
> File net/cookies/canonical_cookie.cc (right):
> 
>
https://codereview.chromium.org/2898953008/diff/100001/net/cookies/canonical_...
> net/cookies/canonical_cookie.cc:422: canonical_domain != domain_) {
> On 2017/06/12 15:27:00, mmenke wrote:
> > On 2017/06/11 15:35:24, Randy Smith (Not in Mondays) wrote:
> > > On 2017/06/09 19:53:59, mmenke wrote:
> > > > On 2017/06/09 19:38:32, Randy Smith (Not in Mondays) wrote:
> > > > > On 2017/06/09 18:25:49, mmenke wrote:
> > > > > > If the URL is an IP address, shouldn't canonical_domain == domain_?
> > > > > >
> > > > > > My only concern here is domains that can be expressed in multiple
> ways. 
> > > > i.e.
> > > > > > [::0] is the same as [0::0] or [0:0:0:0:0:0:0:0:0] (Plus some :0's).

> > Just
> > > > > > because domain_ is an IP address doesn't mean it can necessarily be
> part
> > > of
> > > > a
> > > > > > canonical cookie.
> > > > > 
> > > > > Is the issue what "canonical" means, i.e. that you could have two
> > equivalent
> > > > > hosts that are IP addresses and represented differently, and hence
they
> > > > wouldn't
> > > > > look like the same cookie?  If so, yes, that's an issue, but it's an
> issue
> > > > that
> > > > > exists in the current code, and I'm not particularly inclined to shave
> the
> > > yak
> > > > > unless you think it's specifically important?
> > > > 
> > > > I'm not sure if canonicalizing domain names canonicalizes IPs or not. 
> This
> > is
> > > > entirely dependent on what CanonicalizeHost does.  Just remove the IP
> > address
> > > > check, and I think we're fine, regardless?
> > > > 
> > > > Hrm...It looks like CanonicalCookie deliberately skips canonicalization
> when
> > > the
> > > > domain is an IP address, sorry, I missed that, so this looks right.
> > > > 
> > > > My concern is that CanonicalCookie::Create may have a different notion
of
> > > what's
> > > > canonical than this function.  Ideally, this would only say true iff
such
> a
> > > > cookie could be created with CanonicalCookie::Create(), in my opinion. 
Do
> > you
> > > > have a different notion of what this should do?
> > > 
> > > That's an excellent clarifying question.  I think that the set of
canonical
> > > cookies as defined by IsCanonical() should be the set createable by
> > > CanonicalCookie::Create closed over what happens when cookies get put into
> and
> > > removed from the cookie store.  I'll take a stab at defining that more
> > > precisely:
> > > * Everything CC::Create can produce except
> > > * Creation times may be arbitrary or null (that's looking forward; null
> means
> > > "figure it out for me when entering it into the store")
> > > * Access and modification times must be null or after creation times
unless
> > > creation time is null, in which case they must be null.
> > > 
> > > I'll take a stab at bringing IsCanonical() in line with the above (and
> dealing
> > > with any test failures :-}), but I'd value your reaction to the definition
> > above
> > > in the meantime.
> > 
> > I think that's reasonable, and should be documented.  Note that this would
> > include canonicalizing IP address host names, since CanonicalCookie::Create
> > takes a GURL, rather than a string hostname.
> 
> Huh.  Good point.  I think the only code modification required for this is to
> remove the check above for HostIsIPAddress(); no matter what the domain must
> equal the canonicalized domain (even if it's empty, since canonicalizing an
> empty domain just returns an empty domain).  I'll put tests in for both these
> cases.

[Randy Smith (Not in Mondays), 2017-06-13 21:05:04]

https://codereview.chromium.org/2898953008/diff/160001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/160001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:418: (creation_date_.is_null() || creation_date_
> last_access_date_)) {
I'll call out that, given that we allow callers to set creation date, I'm not
sure about this test; setting a creation date in the future would be a very easy
way to fail this check after a cookie is laundered through the store.  So it
probably makes sense to remove the comparison.  Let me know what you think.

[Randy Smith (Not in Mondays), 2017-06-13 21:28:56]

The CQ bit was checked by rdsmith@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-13 21:29:30]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-13 23:11:40]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-13 23:11:41]

Dry run: This issue passed the CQ dry run.

[mmenke, 2017-06-15 21:30:24]

This looks pretty reasonable to me.  Want to take a more careful look tomorrow,
particularly around path and domain logic.

https://codereview.chromium.org/2898953008/diff/180001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/180001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:418: (creation_date_.is_null() || creation_date_
> last_access_date_)) {
On 2017/06/13 21:05:04, Randy Smith (Not in Mondays) wrote:
> I'll call out that, given that we allow callers to set creation date, I'm not
> sure about this test; setting a creation date in the future would be a very
easy
> way to fail this check after a cookie is laundered through the store.  So it
> probably makes sense to remove the comparison.  Let me know what you think.

Also, if there's a time change, creation date could be before
last_access_date....yea, I think it makes sense to remove it.

https://codereview.chromium.org/2898953008/diff/180001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:436: if (GetCookiePrefix(name_) ==
COOKIE_PREFIX_HOST &&
Check if IsSecure(), and also check if IsSecure() if the prefix is
CanonicalCookie::COOKIE_PREFIX_SECURE?

https://codereview.chromium.org/2898953008/diff/180001/net/cookies/canonical_...
File net/cookies/canonical_cookie_unittest.cc (right):

https://codereview.chromium.org/2898953008/diff/180001/net/cookies/canonical_...
net/cookies/canonical_cookie_unittest.cc:47: TEST(CanonicalCookie,
CreateConstraints) {
What's this supposed to check?  Space in the name?  I'm not sure how that
follows from "CreateConstraints".  Maybe add a comment?  Or call it
"SpaceInName"?

[mmenke, 2017-06-15 21:44:37]

Oh, and what about domains that are completely invalid?

"@:ßÞ"

[mmenke, 2017-06-15 21:49:42]

On 2017/06/15 21:44:37, mmenke wrote:
> Oh, and what about domains that are completely invalid?
> 
> "@:ßÞ"

(From a security standpoint, I don't care about these, just wondering if we
should do anything about them)

[Randy Smith (Not in Mondays), 2017-06-16 15:25:02]

On 2017/06/15 21:44:37, mmenke wrote:
> Oh, and what about domains that are completely invalid?
> 
> "@:ßÞ"

I think that's taken care of by CanonicalizeHost, which reaches deep into url:
and I believe returns an empty domain (which won't match the input domain,
failing the canonical check).  I've added a test in IsCanonical() using some
garbage.

[Randy Smith (Not in Mondays), 2017-06-16 15:25:21]

Comments incorporated; PTAL.

https://codereview.chromium.org/2898953008/diff/180001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/180001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:418: (creation_date_.is_null() || creation_date_
> last_access_date_)) {
On 2017/06/15 21:30:24, mmenke wrote:
> On 2017/06/13 21:05:04, Randy Smith (Not in Mondays) wrote:
> > I'll call out that, given that we allow callers to set creation date, I'm
not
> > sure about this test; setting a creation date in the future would be a very
> easy
> > way to fail this check after a cookie is laundered through the store.  So it
> > probably makes sense to remove the comparison.  Let me know what you think.
> 
> Also, if there's a time change, creation date could be before
> last_access_date....yea, I think it makes sense to remove it.

Done.  I left the requirement that last_access_date_ be null if creation date
is.

https://codereview.chromium.org/2898953008/diff/180001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:436: if (GetCookiePrefix(name_) ==
COOKIE_PREFIX_HOST &&
On 2017/06/15 21:30:24, mmenke wrote:
> Check if IsSecure(), 

Whoops, didn't realize host cookies had to be secure.  Done.

> and also check if IsSecure() if the prefix is
> CanonicalCookie::COOKIE_PREFIX_SECURE?

Also good catch.  Done.

(I may have been over clever in how I wrote the tests--feel free to tell me to
break it out into clear, separate clauses.)

https://codereview.chromium.org/2898953008/diff/180001/net/cookies/canonical_...
File net/cookies/canonical_cookie_unittest.cc (right):

https://codereview.chromium.org/2898953008/diff/180001/net/cookies/canonical_...
net/cookies/canonical_cookie_unittest.cc:47: TEST(CanonicalCookie,
CreateConstraints) {
On 2017/06/15 21:30:24, mmenke wrote:
> What's this supposed to check?  Space in the name?  I'm not sure how that
> follows from "CreateConstraints".  Maybe add a comment?  Or call it
> "SpaceInName"?

Changed to "SpaceInName".

(When I first wrote it I thought I'd be putting in more tests to make sure that
Create() obeyed what I thought of as its constraints, thus the original name.  I
may change it in some fashion if I end up putting in more tests later in this
review.)

[Randy Smith (Not in Mondays), 2017-06-16 15:25:28]

The CQ bit was checked by rdsmith@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-16 15:25:44]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Randy Smith (Not in Mondays), 2017-06-16 15:26:24]

rdsmith@chromium.org changed reviewers:
+ sgurun@chromium.org

[Randy Smith (Not in Mondays), 2017-06-16 15:26:25]

Also, sgurun@, PTAL at android_webview/?

[mmenke, 2017-06-16 15:36:03]

https://codereview.chromium.org/2898953008/diff/200001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/200001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:412:
!ParsedCookie::IsValidCookieAttributeValue(domain_) ||
Should we just rely on CanonicalizeHost() to do all the sanity checking on the
domain name?  Not sure if we also need the two domain checks here.  Also worth
noting that domain_ can be taken from the URL, instead of as part of a
parameter.

https://codereview.chromium.org/2898953008/diff/200001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:438: // Fall through; host cookies must also be
secure.
I suggest not falling through, and trusting in the optimizer.  I think falling
through is much more likely to lead to regressions on modification.

https://codereview.chromium.org/2898953008/diff/200001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:441: return false;
Add tests for this, for both SECURE and HOST cookies?

https://codereview.chromium.org/2898953008/diff/200001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:443: default:;
I don't think that semi-colon is needed?

[commit-bot: I haz the power, 2017-06-16 17:18:53]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-16 17:18:55]

Dry run: This issue passed the CQ dry run.

[Randy Smith (Not in Mondays), 2017-06-16 19:39:26]

The CQ bit was checked by rdsmith@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-16 19:39:50]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Randy Smith (Not in Mondays), 2017-06-16 19:40:05]

Next round; PTAL?

https://codereview.chromium.org/2898953008/diff/200001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/200001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:412:
!ParsedCookie::IsValidCookieAttributeValue(domain_) ||
On 2017/06/16 15:36:03, mmenke wrote:
> Should we just rely on CanonicalizeHost() to do all the sanity checking on the
> domain name?  Not sure if we also need the two domain checks here.  
> Also worth
> noting that domain_ can be taken from the URL, instead of as part of a
> parameter.

Hmmm.   I think your second point is the key one, specifically that along the
CC::Create() path, we might end up with a domain that hasn't gone through the
above checks because it was never part of a cookie attribute value, so these
checks might mark as non-canonical a cookie produced by CC::Create().  Ok,
removing checks with a comment.

As per our offline conversation, I'm not going to worry about the implications
of this for paths--it's both more complicated, and not as important, since we
don't send paths back to the server.  

(For the record, if there isn't a path attribute, the path we set is from the
URL to the rightmost '/'; see CanonPathWithString() in canonical_cookie.cc.)

https://codereview.chromium.org/2898953008/diff/200001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:438: // Fall through; host cookies must also be
secure.
On 2017/06/16 15:36:03, mmenke wrote:
> I suggest not falling through, and trusting in the optimizer.  I think falling
> through is much more likely to lead to regressions on modification.

Oh, you never let me have any fun.  Done.

(This comment should not be interpreted as in any way, shape, or form
*disagreeing* with you :-}.)

https://codereview.chromium.org/2898953008/diff/200001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:441: return false;
On 2017/06/16 15:36:03, mmenke wrote:
> Add tests for this, for both SECURE and HOST cookies?

Done.

https://codereview.chromium.org/2898953008/diff/200001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:443: default:;
On 2017/06/16 15:36:03, mmenke wrote:
> I don't think that semi-colon is needed?

I put in a "break" for consistency (which you may consider worse :-}).

[mmenke, 2017-06-16 19:48:04]

LGTM!

https://codereview.chromium.org/2898953008/diff/200001/net/cookies/canonical_...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/2898953008/diff/200001/net/cookies/canonical_...
net/cookies/canonical_cookie.cc:443: default:;
On 2017/06/16 19:40:05, Randy Smith (Not in Mondays) wrote:
> On 2017/06/16 15:36:03, mmenke wrote:
> > I don't think that semi-colon is needed?
> 
> I put in a "break" for consistency (which you may consider worse :-}).

I'm perfectly happy with a break.

[commit-bot: I haz the power, 2017-06-16 19:50:35]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-16 19:50:37]

Dry run: Try jobs failed on following builders:
  ios-simulator-xcode-clang on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator-xco...)

[Randy Smith (Not in Mondays), 2017-06-16 21:41:50]

The CQ bit was checked by rdsmith@chromium.org to run a CQ dry run

[Randy Smith (Not in Mondays), 2017-06-16 21:42:10]

On 2017/06/16 19:48:04, mmenke wrote:
> LGTM!

Thank you!

> 
>
https://codereview.chromium.org/2898953008/diff/200001/net/cookies/canonical_...
> File net/cookies/canonical_cookie.cc (right):
> 
>
https://codereview.chromium.org/2898953008/diff/200001/net/cookies/canonical_...
> net/cookies/canonical_cookie.cc:443: default:;
> On 2017/06/16 19:40:05, Randy Smith (Not in Mondays) wrote:
> > On 2017/06/16 15:36:03, mmenke wrote:
> > > I don't think that semi-colon is needed?
> > 
> > I put in a "break" for consistency (which you may consider worse :-}).
> 
> I'm perfectly happy with a break.

[commit-bot: I haz the power, 2017-06-16 21:42:13]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[sgurun-gerrit only, 2017-06-16 22:05:48]

aw lgtm

[commit-bot: I haz the power, 2017-06-16 23:23:02]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-16 23:23:03]

Dry run: This issue passed the CQ dry run.

[Randy Smith (Not in Mondays), 2017-06-17 00:20:15]

The CQ bit was checked by rdsmith@chromium.org

[Randy Smith (Not in Mondays), 2017-06-17 00:20:15]

The patchset sent to the CQ was uploaded after l-g-t-m from droger@chromium.org,
mmenke@chromium.org
Link to the patchset: https://codereview.chromium.org/2898953008/#ps240001
(title: "Removed vestigial code.")

[commit-bot: I haz the power, 2017-06-17 00:20:34]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-17 00:25:31]

CQ is committing da patch.

Bot data: {"patchset_id": 240001, "attempt_start_ts": 1497658815087960,
"parent_rev": "4c7e1ad4f62150f722f97c80acc457faf8f947f1", "commit_rev":
"1e64af8eed07578f01b933d654180659c0fe962c"}

[commit-bot: I haz the power, 2017-06-17 00:25:47]

Description was changed from

==========
Implement and test CanonicalCookie::IsCanonical()

This is done for data validation including but not limited to the
cookies servicification effort.

BUG=721395, 723734
R=mmenke@chromium.org
==========

to

==========
Implement and test CanonicalCookie::IsCanonical()

This is done for data validation including but not limited to the
cookies servicification effort.

BUG=721395, 723734
R=mmenke@chromium.org

Review-Url: https://codereview.chromium.org/2898953008
Cr-Commit-Position: refs/heads/master@{#480238}
Committed:
https://chromium.googlesource.com/chromium/src/+/1e64af8eed07578f01b933d65418...
==========

[commit-bot: I haz the power, 2017-06-17 00:25:49]

Committed patchset #13 (id:240001) as
https://chromium.googlesource.com/chromium/src/+/1e64af8eed07578f01b933d65418...