Issue 1773133002: SameSite: Implement 'Strict'/'Lax' attribute parsing.

Issue 1773133002: SameSite: Implement 'Strict'/'Lax' attribute parsing. (Closed)

Created:
4 years, 9 months ago by Mike West

Modified:
4 years, 9 months ago

Reviewers:
marq (ping after 24h), jochen (gone - plz use gerrit), *mmenke, Torne

CC:
achuith+watch_chromium.org, cbentzel+watch_chromium.org, chromium-apps-reviews_chromium.org, chromium-reviews, darin-cc_chromium.org, davemoore+watch_chromium.org, dzhioev+watch_chromium.org, extensions-reviews_chromium.org, jam, markusheintz_, oshima+watch_chromium.org

Base URL:
https://chromium.googlesource.com/chromium/src.git@master

Target Ref:
refs/pending/heads/master

Project:
chromium

Visibility:
Public.

More Reviews

Description

SameSite: Implement 'Strict'/'Lax' attribute parsing. https://tools.ietf.org/html/draft-west-first-party-cookies-06 introduced the notion of "Strict" or "Lax" enforcement of the "SameSite" attribute. This patch implements the infrastructure changes necessary to support that distinction, but does not yet implement the behavioral change (that is, after this patch, `SameSite` will be rejected, while `SameSite=Strict` and `SameSite=Lax` will have the same behavior that `SameSite` alone has today). Most of this patch is occupied with the fairly mechanical process of swapping out a new 'CookieSameSite' enum for the existing boolean in various constructors and setters. The most interesting piece is the change to the storage backend, which now stores 0, 1, or 2 in the database to represent the possible values, rather than 0 or 1 to represent the boolean. BUG=459154 Committed: https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f Cr-Commit-Position: refs/heads/master@{#381201}

Patch Set 1 #

Patch Set 2 : android #

Patch Set 3 : compile? #

Patch Set 4 : ios? #

Total comments: 31

Patch Set 5 : mmenke@ #

Patch Set 6 : bugs #

Total comments: 5

Patch Set 7 : mmenke@ #

Created: 4 years, 9 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+467 lines, -302 lines)			Patch
M	android_webview/browser/net/aw_cookie_store_wrapper.h	View	1 2	1 chunk	+1 line, -1 line	0 comments	Download
M	android_webview/browser/net/aw_cookie_store_wrapper.cc	View	1 2	2 chunks	+2 lines, -2 lines	0 comments	Download
M	chrome/browser/android/cookies/cookies_fetcher.h	View	1	1 chunk	+1 line, -1 line	0 comments	Download
M	chrome/browser/android/cookies/cookies_fetcher.cc	View	1 2 3 4 5	4 chunks	+5 lines, -4 lines	0 comments	Download
M	chrome/browser/browsing_data/cookies_tree_model.cc	View	1 2 3 4	1 chunk	+2 lines, -2 lines	0 comments	Download
M	chrome/browser/chromeos/login/profile_auth_data.cc	View		1 chunk	+1 line, -1 line	0 comments	Download
M	chrome/browser/chromeos/login/profile_auth_data_unittest.cc	View	1 2 3 4 5	1 chunk	+2 lines, -2 lines	0 comments	Download
M	chrome/browser/extensions/api/cookies/cookies_api.cc	View	1 2 3 4 5	2 chunks	+3 lines, -5 lines	0 comments	Download
M	chrome/browser/extensions/api/cookies/cookies_unittest.cc	View	1 2 3 4 5	5 chunks	+14 lines, -11 lines	0 comments	Download
M	components/signin/core/browser/gaia_cookie_manager_service.cc	View	1 2 3 4 5	1 chunk	+4 lines, -4 lines	0 comments	Download
M	content/browser/net/quota_policy_cookie_store_unittest.cc	View	1 2 3 4 5	1 chunk	+4 lines, -4 lines	0 comments	Download
M	ios/net/cookies/cookie_cache_unittest.cc	View	1 2 3 4 5	1 chunk	+2 lines, -1 line	0 comments	Download
M	ios/net/cookies/cookie_store_ios.h	View	1 2	1 chunk	+1 line, -1 line	0 comments	Download
M	ios/net/cookies/cookie_store_ios.mm	View	1 2	1 chunk	+1 line, -1 line	0 comments	Download
M	ios/net/cookies/cookie_store_ios_unittest.mm	View	1 2 3 4 5	2 chunks	+2 lines, -3 lines	0 comments	Download
M	ios/net/cookies/system_cookie_util.mm	View	1 2 3 4 5	1 chunk	+4 lines, -2 lines	0 comments	Download
M	ios/net/cookies/system_cookie_util_unittest.mm	View	1 2 3 4 5	2 chunks	+2 lines, -4 lines	0 comments	Download
M	net/cookies/canonical_cookie.h	View		4 chunks	+4 lines, -4 lines	0 comments	Download
M	net/cookies/canonical_cookie.cc	View	1 2 3 4	5 chunks	+11 lines, -5 lines	0 comments	Download
M	net/cookies/canonical_cookie_unittest.cc	View	1 2 3 4 5 6	12 chunks	+53 lines, -42 lines	0 comments	Download
M	net/cookies/cookie_constants.h	View	1 2 3 4 5	1 chunk	+15 lines, -1 line	0 comments	Download
M	net/cookies/cookie_constants.cc	View	1 2 3 4 5	3 chunks	+15 lines, -2 lines	0 comments	Download
M	net/cookies/cookie_monster.h	View	1 2 3 4	2 chunks	+2 lines, -2 lines	0 comments	Download
M	net/cookies/cookie_monster.cc	View	1 2 3 4	5 chunks	+7 lines, -5 lines	0 comments	Download
M	net/cookies/cookie_monster_store_test.cc	View	1 2 3 4 5	2 chunks	+3 lines, -3 lines	0 comments	Download
M	net/cookies/cookie_monster_unittest.cc	View	1 2 3 4 5	12 chunks	+103 lines, -123 lines	0 comments	Download
M	net/cookies/cookie_store.h	View	1 2	1 chunk	+1 line, -1 line	0 comments	Download
M	net/cookies/cookie_store_test_helpers.h	View	1 2	1 chunk	+1 line, -1 line	0 comments	Download
M	net/cookies/cookie_store_test_helpers.cc	View	1 2	1 chunk	+1 line, -1 line	0 comments	Download
M	net/cookies/cookie_store_unittest.h	View	1 2 3 4 5	2 chunks	+17 lines, -17 lines	0 comments	Download
M	net/cookies/parsed_cookie.h	View	1 2 3 4	2 chunks	+2 lines, -2 lines	0 comments	Download
M	net/cookies/parsed_cookie.cc	View	1 2 3 4 5	3 chunks	+9 lines, -4 lines	0 comments	Download
M	net/cookies/parsed_cookie_unittest.cc	View	1 2 3 4 5 6	11 chunks	+47 lines, -12 lines	0 comments	Download
M	net/extras/sqlite/sqlite_persistent_cookie_store.cc	View	1 2 3 4 5	4 chunks	+42 lines, -4 lines	0 comments	Download
M	net/extras/sqlite/sqlite_persistent_cookie_store_perftest.cc	View	1 2 3 4 5	1 chunk	+2 lines, -1 line	0 comments	Download
M	net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc	View	1 2 3 4 5	7 chunks	+80 lines, -22 lines	0 comments	Download
M	net/url_request/url_request_unittest.cc	View	1 2	1 chunk	+1 line, -1 line	0 comments	Download

Dependent Patchsets:

Issue 1783813002 Patch 80001

Messages

Total messages: 24 (9 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

Mike West

We have too many platforms. :( Assuming I can make ChromeOS, Android, and iOS compile, ...

4 years, 9 months ago (2016-03-08 16:35:14 UTC) #2

Mike West

marq@: Would you mind stamping the trivial changes to //ios? torne@: Would you mind stamping ...

4 years, 9 months ago (2016-03-10 13:56:49 UTC) #5

mmenke

Just looked at net/ https://codereview.chromium.org/1773133002/diff/80001/net/cookies/canonical_cookie.cc File net/cookies/canonical_cookie.cc (right): https://codereview.chromium.org/1773133002/diff/80001/net/cookies/canonical_cookie.cc#newcode425 net/cookies/canonical_cookie.cc:425: if (SameSite() && !options.include_same_site()) Should ...

4 years, 9 months ago (2016-03-11 18:08:31 UTC) #9

mmenke

https://codereview.chromium.org/1773133002/diff/80001/net/cookies/parsed_cookie.h File net/cookies/parsed_cookie.h (right): https://codereview.chromium.org/1773133002/diff/80001/net/cookies/parsed_cookie.h#newcode53 net/cookies/parsed_cookie.h:53: bool HasSameSite() const { return same_site_index_ != 0; } ...

4 years, 9 months ago (2016-03-11 18:09:07 UTC) #10

Mike West

Thanks, all! mmenke@: I believe that latest patchset addresses your feedback. Mind taking another look? ...

4 years, 9 months ago (2016-03-14 10:18:54 UTC) #12

Thanks, all!

mmenke@: I believe that latest patchset addresses your feedback. Mind taking
another look?

https://codereview.chromium.org/1773133002/diff/80001/net/cookies/canonical_c...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/1773133002/diff/80001/net/cookies/canonical_c...
net/cookies/canonical_cookie.cc:425: if (SameSite() &&
!options.include_same_site())
On 2016/03/11 at 18:08:30, mmenke wrote:
> Should check the value of SameSite here explicitly, now that it's not a bool..

Yup. Adding a TODO as well to point to the fact that this doesn't yet
distinguish behavior between "strict" and "lax".

https://codereview.chromium.org/1773133002/diff/80001/net/cookies/cookie_cons...
File net/cookies/cookie_constants.cc (right):

https://codereview.chromium.org/1773133002/diff/80001/net/cookies/cookie_cons...
net/cookies/cookie_constants.cc:19: }  // namespace
On 2016/03/11 at 18:08:30, mmenke wrote:
> nit:  Add a blank line after the start / before the end of the namespace/ 
(Without any line breaks in between, seems fine to leave those out, but now that
we have one, seems like the start/end of the namespace is as significant as any
other cluster of things inside it)

Done.

https://codereview.chromium.org/1773133002/diff/80001/net/cookies/cookie_cons...
net/cookies/cookie_constants.cc:48: NET_EXPORT const std::string
CookieSameSiteToString(CookieSameSite samesite) {
On 2016/03/11 at 18:08:30, mmenke wrote:
> This method isn't used anywhere (Neither is CookiePriorityToString, looks
like, other than in tests, but that's another matter...).  Get rid of it?

Hrm. You're right. I thought we needed both for serialization somewhere, but
dropping that seems fine as it only ends up happening in tests. I'll give you a
separate CL for the existing method.

> Remove all NET_EXPORTs from this file...  They should be with the declaration,
not the definition.

Done.

https://codereview.chromium.org/1773133002/diff/80001/net/cookies/cookie_cons...
net/cookies/cookie_constants.cc:63: std::string comp =
base::ToLowerASCII(samesite);
On 2016/03/11 at 18:08:30, mmenke wrote:
> comp seems to violate the Google style guide.
> 
> I'd suggest just using base::EqualsCaseInsensitiveASCII.  Think it's clearer,
and we really don't get much from the difference.

Sure.

https://codereview.chromium.org/1773133002/diff/80001/net/cookies/cookie_cons...
File net/cookies/cookie_constants.h (right):

https://codereview.chromium.org/1773133002/diff/80001/net/cookies/cookie_cons...
net/cookies/cookie_constants.h:21: enum CookieSameSite {
On 2016/03/11 at 18:08:30, mmenke wrote:
> Can we make this an enum class instead?  Seems simpler to do it now rather
than later, and the type safety checks are nifty.

Sure.

https://codereview.chromium.org/1773133002/diff/80001/net/cookies/cookie_cons...
net/cookies/cookie_constants.h:22: COOKIE_SAME_SITE_NONE = 0,
On 2016/03/11 at 18:08:30, mmenke wrote:
> SAME_SITE_NONE seems kinda weird as a property of a cookie.  Sounds almost
like we're not sending cookies to the "same site".  Could call it
COOKIE_RESTRICT_SAME_SITE_DISABLED or something...or could keep it as-is.  Just
thought I'd mention the name seems a little weird.

`CookieSameSite::NO_RESTRICTION`?

https://codereview.chromium.org/1773133002/diff/80001/net/cookies/cookie_cons...
net/cookies/cookie_constants.h:36: NET_EXPORT const std::string
CookieSameSiteToString(CookieSameSite samesite);
On 2016/03/11 at 18:08:30, mmenke wrote:
> This const seems weird (As does the one in CookiePriorityToString).  Doesn't
seem to get us anything.

Removed.

> same_site is what we use everywhere else (x4, for this file and the CC file)

Changed.

https://codereview.chromium.org/1773133002/diff/80001/net/cookies/cookie_mons...
File net/cookies/cookie_monster_unittest.cc (right):

https://codereview.chromium.org/1773133002/diff/80001/net/cookies/cookie_mons...
net/cookies/cookie_monster_unittest.cc:861: COOKIE_SAME_SITE_NONE,
COOKIE_PRIORITY_DEFAULT));
On 2016/03/11 at 18:08:31, mmenke wrote:
> You're using NONE here, but DEFAULT above.  Is there a reason for this?

No. No good reason, here or elsewhere.

https://codereview.chromium.org/1773133002/diff/80001/net/cookies/parsed_cook...
File net/cookies/parsed_cookie.h (right):

https://codereview.chromium.org/1773133002/diff/80001/net/cookies/parsed_cook...
net/cookies/parsed_cookie.h:53: bool HasSameSite() const { return
same_site_index_ != 0; }
On 2016/03/11 at 18:09:07, mmenke wrote:
> Also, is this needed?

Not anymore. Removed.

https://codereview.chromium.org/1773133002/diff/80001/net/extras/sqlite/sqlit...
File net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc (right):

https://codereview.chromium.org/1773133002/diff/80001/net/extras/sqlite/sqlit...
net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc:644: // Put the
cookies into a map, by name, so we can easily find them.
On 2016/03/11 at 18:08:31, mmenke wrote:
> nit:  --"we"

1. Ugh. I continue to not like this rule. :/
2. This was copy/pasted from elsewhere. Would you like me to change it in
existing methods as well?

https://codereview.chromium.org/1773133002/diff/80001/net/extras/sqlite/sqlit...
net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc:649: }
On 2016/03/11 at 18:08:31, mmenke wrote:
> optional:  Suggest just using a range loop, and making the map store copies of
the cookies....  Think that makes the loop a little cleaner.

Done.

https://codereview.chromium.org/1773133002/diff/80001/net/extras/sqlite/sqlit...
net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc:651: // Validate
that each cookie has the correct samesite.
On 2016/03/11 at 18:08:31, mmenke wrote:
> SameSite?

Indeed.

https://codereview.chromium.org/1773133002/diff/80001/net/extras/sqlite/sqlit...
net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc:654: ASSERT_TRUE(it
!= cookie_map.end());
On 2016/03/11 at 18:08:31, mmenke wrote:
> Combining these two lines seems a little simpler, for all of these:
> 
> ASSERT_TRUE(cookie_map.find(kNoneName) != cookie_map.end()).
> 
> Or even:  ASSERT_EQ(1u, cookie_map.count(kNoneName));

Yup. Makes sense.

Mike West

https://codereview.chromium.org/1773133002/diff/160001/net/cookies/cookie_constants.h File net/cookies/cookie_constants.h (right): https://codereview.chromium.org/1773133002/diff/160001/net/cookies/cookie_constants.h#newcode24 net/cookies/cookie_constants.h:24: STRICT_MODE = 2, Windows has a "STRICT" macro. So.. ...

4 years, 9 months ago (2016-03-14 15:15:08 UTC) #15

mmenke

On 2016/03/14 15:15:08, Mike West wrote: > https://codereview.chromium.org/1773133002/diff/160001/net/cookies/cookie_constants.h > File net/cookies/cookie_constants.h (right): > > https://codereview.chromium.org/1773133002/diff/160001/net/cookies/cookie_constants.h#newcode24 ...

4 years, 9 months ago (2016-03-14 16:25:05 UTC) #16

mmenke

LGTM https://codereview.chromium.org/1773133002/diff/80001/net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc File net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc (right): https://codereview.chromium.org/1773133002/diff/80001/net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc#newcode644 net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc:644: // Put the cookies into a map, by ...

4 years, 9 months ago (2016-03-14 20:14:50 UTC) #17

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1773133002/180001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1773133002/180001

4 years, 9 months ago (2016-03-15 08:35:28 UTC) #20

Mike West

Thanks! https://codereview.chromium.org/1773133002/diff/160001/net/cookies/canonical_cookie_unittest.cc File net/cookies/canonical_cookie_unittest.cc (right): https://codereview.chromium.org/1773133002/diff/160001/net/cookies/canonical_cookie_unittest.cc#newcode89 net/cookies/canonical_cookie_unittest.cc:89: cookie = CanonicalCookie::Create(url, "A=2; SameSite=Strict", creation_time, On 2016/03/14 ...

4 years, 9 months ago (2016-03-15 09:41:11 UTC) #21

commit-bot: I haz the power

Description was changed from ========== SameSite: Implement 'Strict'/'Lax' attribute parsing. https://tools.ietf.org/html/draft-west-first-party-cookies-06 introduced the notion of ...

4 years, 9 months ago (2016-03-15 10:09:37 UTC) #23

Message was sent while issue was closed.

Description was changed from

==========
SameSite: Implement 'Strict'/'Lax' attribute parsing.

https://tools.ietf.org/html/draft-west-first-party-cookies-06 introduced
the notion of "Strict" or "Lax" enforcement of the "SameSite" attribute.
This patch implements the infrastructure changes necessary to support
that distinction, but does not yet implement the behavioral change
(that is, after this patch, `SameSite` will be rejected, while
`SameSite=Strict` and `SameSite=Lax` will have the same behavior that
`SameSite` alone has today).

Most of this patch is occupied with the fairly mechanical process of
swapping out a new 'CookieSameSite' enum for the existing boolean in
various constructors and setters. The most interesting piece is the
change to the storage backend, which now stores 0, 1, or 2 in the
database to represent the possible values, rather than 0 or 1 to
represent the boolean.

BUG=459154
==========

to

==========
SameSite: Implement 'Strict'/'Lax' attribute parsing.

https://tools.ietf.org/html/draft-west-first-party-cookies-06 introduced
the notion of "Strict" or "Lax" enforcement of the "SameSite" attribute.
This patch implements the infrastructure changes necessary to support
that distinction, but does not yet implement the behavioral change
(that is, after this patch, `SameSite` will be rejected, while
`SameSite=Strict` and `SameSite=Lax` will have the same behavior that
`SameSite` alone has today).

Most of this patch is occupied with the fairly mechanical process of
swapping out a new 'CookieSameSite' enum for the existing boolean in
various constructors and setters. The most interesting piece is the
change to the storage backend, which now stores 0, 1, or 2 in the
database to represent the possible values, rather than 0 or 1 to
represent the boolean.

BUG=459154

Committed: https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f
Cr-Commit-Position: refs/heads/master@{#381201}
==========

commit-bot: I haz the power

4 years, 9 months ago (2016-03-15 10:09:38 UTC) #24

Message was sent while issue was closed.

Patchset 7 (id:??) landed as
https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f
Cr-Commit-Position: refs/heads/master@{#381201}

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages