Issue 1783813002: SameSite: Strict/Lax behavior.

Issue 1783813002: SameSite: Strict/Lax behavior. (Closed)

Created:
4 years, 9 months ago by Mike West

Modified:
4 years, 9 months ago

Reviewers:
SGx420, jochen (gone - plz use gerrit), *mmenke, philipj_slow, sgx420

CC:
cbentzel+watch_chromium.org, chromium-reviews, clamy, creis+watch_chromium.org, darin-cc_chromium.org, jam, nasko+codewatch_chromium.org, nasko

Base URL:
https://chromium.googlesource.com/chromium/src.git@strict-lax

Target Ref:
refs/pending/heads/master

Project:
chromium

Visibility:
Public.

More Reviews

Description

SameSite: Strict/Lax behavior. This patch brings our "SameSite" implementation into line with https://tools.ietf.org/html/draft-west-first-party-cookies-06 by teaching CookieOptions about strict and lax request modes, and teaching URLRequestHttpJob about the registrable-domain behaviors of both. BUG=459154 CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation Committed: https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca Cr-Commit-Position: refs/heads/master@{#382277}

Patch Set 1 #

Patch Set 2 : WIP. #

Total comments: 2

Patch Set 3 : Moar. #

Total comments: 18

Patch Set 4 : mmenke #

Total comments: 7

Patch Set 5 : OOPIF. #

Total comments: 10

Patch Set 6 : Comment. #

Created: 4 years, 9 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+508 lines, -128 lines)			Patch
M	content/browser/frame_host/render_frame_message_filter.cc	View	1 2 3 4	2 chunks	+13 lines, -1 line	0 comments	Download
M	content/browser/frame_host/render_frame_message_filter_browsertest.cc	View	1 2 3 4	3 chunks	+44 lines, -13 lines	0 comments	Download
M	net/base/registry_controlled_domains/registry_controlled_domain.h	View		3 chunks	+9 lines, -2 lines	0 comments	Download
M	net/base/registry_controlled_domains/registry_controlled_domain.cc	View	1 2 3	2 chunks	+8 lines, -0 lines	0 comments	Download
M	net/base/registry_controlled_domains/registry_controlled_domain_unittest.cc	View	1 2 3	3 chunks	+12 lines, -6 lines	0 comments	Download
M	net/cookies/canonical_cookie.cc	View	1 2 3	1 chunk	+15 lines, -7 lines	0 comments	Download
M	net/cookies/canonical_cookie_unittest.cc	View	1 2 3	2 chunks	+30 lines, -34 lines	0 comments	Download
M	net/cookies/cookie_monster.cc	View	1 2 3	3 chunks	+6 lines, -3 lines	0 comments	Download
M	net/cookies/cookie_options.h	View	1 2 3	4 chunks	+16 lines, -4 lines	0 comments	Download
M	net/cookies/cookie_options.cc	View	1 2 3	1 chunk	+1 line, -1 line	0 comments	Download
M	net/cookies/cookie_store.cc	View	1 2 3	1 chunk	+2 lines, -1 line	0 comments	Download
M	net/cookies/cookie_store_unittest.h	View	1 2 3	1 chunk	+2 lines, -1 line	0 comments	Download
M	net/url_request/url_request_http_job.cc	View	1 2 3 4 5	2 chunks	+35 lines, -10 lines	0 comments	Download
M	net/url_request/url_request_unittest.cc	View	1 2	4 chunks	+64 lines, -32 lines	0 comments	Download
A	third_party/WebKit/LayoutTests/http/tests/cookies/resources/echo-json.php	View	1 2 3 4 5	1 chunk	+7 lines, -0 lines	0 comments	Download
A	third_party/WebKit/LayoutTests/http/tests/cookies/resources/post-cookies-onmessage.php	View	1 2 3 4 5	1 chunk	+14 lines, -0 lines	0 comments	Download
A	third_party/WebKit/LayoutTests/http/tests/cookies/resources/post-cookies-to-opener.php	View	1 2 3 4 5	1 chunk	+11 lines, -0 lines	0 comments	Download
A	third_party/WebKit/LayoutTests/http/tests/cookies/resources/testharness-helpers.js	View	1 2 3	1 chunk	+19 lines, -0 lines	0 comments	Download
A	third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html	View	1 2 3 4 5	1 chunk	+75 lines, -0 lines	0 comments	Download
A	third_party/WebKit/LayoutTests/http/tests/cookies/same-site/popup-cross-site.html	View	1 2 3	1 chunk	+26 lines, -0 lines	0 comments	Download
A	third_party/WebKit/LayoutTests/http/tests/cookies/same-site/popup-cross-site-post.html	View	1 2 3	1 chunk	+32 lines, -0 lines	0 comments	Download
A	third_party/WebKit/LayoutTests/http/tests/cookies/same-site/popup-same-site.html	View	1 2 3	1 chunk	+21 lines, -0 lines	0 comments	Download
A	third_party/WebKit/LayoutTests/http/tests/cookies/same-site/popup-same-site-post.html	View	1 2 3	1 chunk	+26 lines, -0 lines	0 comments	Download
M	third_party/WebKit/Source/core/dom/Document.h	View	1 2 3 4	1 chunk	+1 line, -1 line	0 comments	Download
M	third_party/WebKit/Source/core/dom/Document.cpp	View	1 2 3 4	1 chunk	+19 lines, -12 lines	0 comments	Download

Messages

Total messages: 53 (24 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

Mike West

This is a WIP, building on the other patch you're reviewing. When you have time, ...

4 years, 9 months ago (2016-03-14 15:24:10 UTC) #3

Mike West

mmenke@: This is now less WIP, and more ready to review. If you have time, ...

4 years, 9 months ago (2016-03-15 14:48:32 UTC) #10

mmenke

https://codereview.chromium.org/1783813002/diff/80001/content/browser/frame_host/render_frame_message_filter.cc File content/browser/frame_host/render_frame_message_filter.cc (right): https://codereview.chromium.org/1783813002/diff/80001/content/browser/frame_host/render_frame_message_filter.cc#newcode398 content/browser/frame_host/render_frame_message_filter.cc:398: net::CookieOptions::SameSiteMode::INCLUDE_STRICT_AND_LAX); Is this right? Seems like for an iframe ...

4 years, 9 months ago (2016-03-17 19:15:57 UTC) #13

mmenke

And sorry for the delay....Doesn't feel like I have that many reviews this week, but ...

4 years, 9 months ago (2016-03-17 19:16:38 UTC) #14

mmenke

On 2016/03/17 19:16:38, mmenke wrote: > And sorry for the delay....Doesn't feel like I have ...

4 years, 9 months ago (2016-03-17 19:20:29 UTC) #15

Mike West

A few brief comments; I'll send you code changes tomorrow. Thank you! https://codereview.chromium.org/1783813002/diff/80001/content/browser/frame_host/render_frame_message_filter.cc File content/browser/frame_host/render_frame_message_filter.cc ...

4 years, 9 months ago (2016-03-17 19:57:12 UTC) #16

A few brief comments; I'll send you code changes tomorrow. Thank you!

https://codereview.chromium.org/1783813002/diff/80001/content/browser/frame_h...
File content/browser/frame_host/render_frame_message_filter.cc (right):

https://codereview.chromium.org/1783813002/diff/80001/content/browser/frame_h...
content/browser/frame_host/render_frame_message_filter.cc:398:
net::CookieOptions::SameSiteMode::INCLUDE_STRICT_AND_LAX);
On 2016/03/17 at 19:15:56, mmenke wrote:
> Is this right?  Seems like for an iframe with an origin that doesn't match
that of one of its parent frames, this should be
net::CookieOptions::SameSiteMode::INCLUDE_LAX.

Hrm. I think you're right, which is unfortunate, as it's going to make this more
complicated. Not much more complicated, though; we just need to compare the
registrable domains of |url| and |first_party_for_cookies|, as the latter takes
the kinds of things into account that you're mentioning.

https://codereview.chromium.org/1783813002/diff/80001/net/base/registry_contr...
File net/base/registry_controlled_domains/registry_controlled_domain.cc (right):

https://codereview.chromium.org/1783813002/diff/80001/net/base/registry_contr...
net/base/registry_controlled_domains/registry_controlled_domain.cc:222: if
(origin1.unique() || origin2.unique())
On 2016/03/17 at 19:15:56, mmenke wrote:
> Why doesn't SameDomainOrHost need this check?  Also, is this check tested?

This is leftover from a previous version; we don't need this check (as unique
origins serialize to "null", which is an invalid GURL, which means that the GURL
version will return `false`).

https://codereview.chromium.org/1783813002/diff/80001/net/base/registry_contr...
net/base/registry_controlled_domains/registry_controlled_domain.cc:226: filter);
On 2016/03/17 at 19:15:56, mmenke wrote:
> This seems backwards.  Really seems like SameDomainOrHost(gurl1, gurl2) should
just be calling SameDomainOrHost(gurl1.GetOrigin(), gurl2.GetOrigin());

I thought about that, but we'd need to add some infrastructure to `url::Origin`.
In particular, `SameDomainOrHost` relies on `GetDomainOrRegistry`, which calls
out to `GURL::HostIsIPAddress`. That relies on some URL parsing infrastructure
that assumes it has a whole URL, and relies on canonicalizing the host
`url::Component`. It turned into a whole lot of code for something that's a lot
simpler to handle by going from an `url::Origin` to `GURL`.

I can go that route if you think it's worthwhile, but it will take a CL or three
to get through.

https://codereview.chromium.org/1783813002/diff/80001/net/cookies/cookie_opti...
File net/cookies/cookie_options.h (right):

https://codereview.chromium.org/1783813002/diff/80001/net/cookies/cookie_opti...
net/cookies/cookie_options.h:22: DO_NOT_INCLUDE
On 2016/03/17 at 19:15:56, mmenke wrote:
> SameSiteMode::DO_NOT_INCLUDE seems weird...Maybe SameSiteCookieMode?  The
"cookie" may seem redundant, but it's not a mode for what we do if the site is
the same, but what we do for same site cookies, so think it's clearer, if rather
verbose.

I come from Blink. I was born in verbosity. :)

https://codereview.chromium.org/1783813002/diff/80001/net/url_request/url_req...
File net/url_request/url_request_unittest.cc (right):

https://codereview.chromium.org/1783813002/diff/80001/net/url_request/url_req...
net/url_request/url_request_unittest.cc:2664: const std::string kCrossHost =
"cross-origin.test";
On 2016/03/17 at 19:15:57, mmenke wrote:
> I'm fine with these tests, but seems like we should have unit tests in
canonical_cookie_unittest.cc.

You're right. These are more or less integration tests... I'm happy to add some
more unit tests tomorrow.

> Also, should we have integration tests at the browser layer (Or, ick, layout
tests)?

I plan to write layout tests to help kickstart Mozilla's progress; I'm working
with folks there to try to teach their test engine about
cross-registrable-domain origins
(https://github.com/w3c/web-platform-tests/issues/2669). It's going to take some
time... :(

> Do we have tests that depend on the initiator being set correctly by the RDH?

That behavior shouldn't have changed with this CL, so I hope the existing tests
do the job. I assume I wrote tests... :) I can look them up in the morning.

Mike West

mmenke: Thanks! I've addressed your comments in the latest patchset. jochen: Would you mind taking ...

4 years, 9 months ago (2016-03-18 14:27:17 UTC) #17

mmenke: Thanks! I've addressed your comments in the latest patchset.

jochen: Would you mind taking a look at the layout tests I've added to this CL?
I can't put them up on WPT, as that server doesn't support multiple registrable
domains. Working on it, but it's worth putting them into our LayoutTests in the
meantime. WDYT?

https://codereview.chromium.org/1783813002/diff/80001/content/browser/frame_h...
File content/browser/frame_host/render_frame_message_filter.cc (right):

https://codereview.chromium.org/1783813002/diff/80001/content/browser/frame_h...
content/browser/frame_host/render_frame_message_filter.cc:398:
net::CookieOptions::SameSiteMode::INCLUDE_STRICT_AND_LAX);
On 2016/03/17 at 19:57:11, Mike West wrote:
> On 2016/03/17 at 19:15:56, mmenke wrote:
> > Is this right?  Seems like for an iframe with an origin that doesn't match
that of one of its parent frames, this should be
net::CookieOptions::SameSiteMode::INCLUDE_LAX.

Done, and added a browser test to cover.

https://codereview.chromium.org/1783813002/diff/80001/net/cookies/canonical_c...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/1783813002/diff/80001/net/cookies/canonical_c...
net/cookies/canonical_cookie.cc:425: if (SameSite() ==
CookieSameSite::STRICT_MODE &&
On 2016/03/17 at 19:15:56, mmenke wrote:
> Suggest a switch statement, just to make clear how these are related to each
other.

I've turned this into a switch, but I'm not actually sure it's any clearer...
WDYT?

https://codereview.chromium.org/1783813002/diff/80001/net/cookies/cookie_opti...
File net/cookies/cookie_options.h (right):

https://codereview.chromium.org/1783813002/diff/80001/net/cookies/cookie_opti...
net/cookies/cookie_options.h:22: DO_NOT_INCLUDE
On 2016/03/17 at 19:57:12, Mike West wrote:
> On 2016/03/17 at 19:15:56, mmenke wrote:
> > SameSiteMode::DO_NOT_INCLUDE seems weird...Maybe SameSiteCookieMode?  The
"cookie" may seem redundant, but it's not a mode for what we do if the site is
the same, but what we do for same site cookies, so think it's clearer, if rather
verbose.
> 
> I come from Blink. I was born in verbosity. :)

Done.

https://codereview.chromium.org/1783813002/diff/80001/net/url_request/url_req...
File net/url_request/url_request_http_job.cc (right):

https://codereview.chromium.org/1783813002/diff/80001/net/url_request/url_req...
net/url_request/url_request_http_job.cc:742:
registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) {
On 2016/03/17 at 19:15:57, mmenke wrote:
> Add draft RFC link here?  (Could add it near either enum instead, but think
it's easiest to follow the enums here, then from one enum to here to the other
one)

I added a comment block at the top of this section which I hope helps.

It might make sense to move all of this to `URLRequest`, actually, just leaving
something like
`options.set_same_site_cookie_mode(request_.same_site_cookie_mode())`. I didn't
do that here because I recall you wanting to slim down `URLRequest`'s surface
area, and this piece is really only used once.

https://codereview.chromium.org/1783813002/diff/120001/content/browser/frame_...
File content/browser/frame_host/render_frame_message_filter.cc (right):

https://codereview.chromium.org/1783813002/diff/120001/content/browser/frame_...
content/browser/frame_host/render_frame_message_filter.cc:402: // initiated in a
strict or lax same-site context.,[
Honestly, I need to think about whether or not this is a bug. I think it is, but
maybe the behavior makes sense? Idunno. It's not clear that we need to reason
about the initiator after we've already opened and rendered a document.

mmenke

content/browser/ and net/ LGTM, but you should have someone who knows layout tests review the ...

4 years, 9 months ago (2016-03-18 15:58:13 UTC) #19

content/browser/ and net/ LGTM, but you should have someone who knows layout
tests review the layout test code, as I can't make anything out of them.

https://codereview.chromium.org/1783813002/diff/80001/net/base/registry_contr...
File net/base/registry_controlled_domains/registry_controlled_domain.cc (right):

https://codereview.chromium.org/1783813002/diff/80001/net/base/registry_contr...
net/base/registry_controlled_domains/registry_controlled_domain.cc:226: filter);
On 2016/03/17 19:57:12, Mike West wrote:
> On 2016/03/17 at 19:15:56, mmenke wrote:
> > This seems backwards.  Really seems like SameDomainOrHost(gurl1, gurl2)
should
> just be calling SameDomainOrHost(gurl1.GetOrigin(), gurl2.GetOrigin());
> 
> I thought about that, but we'd need to add some infrastructure to
`url::Origin`.
> In particular, `SameDomainOrHost` relies on `GetDomainOrRegistry`, which calls
> out to `GURL::HostIsIPAddress`. That relies on some URL parsing infrastructure
> that assumes it has a whole URL, and relies on canonicalizing the host
> `url::Component`. It turned into a whole lot of code for something that's a
lot
> simpler to handle by going from an `url::Origin` to `GURL`.
> 
> I can go that route if you think it's worthwhile, but it will take a CL or
three
> to get through.

Didn't respond to this, but I think it's fine for now.  Longer term, may be
worth doing, though.

https://codereview.chromium.org/1783813002/diff/80001/net/cookies/canonical_c...
File net/cookies/canonical_cookie.cc (right):

https://codereview.chromium.org/1783813002/diff/80001/net/cookies/canonical_c...
net/cookies/canonical_cookie.cc:425: if (SameSite() ==
CookieSameSite::STRICT_MODE &&
On 2016/03/18 14:27:17, Mike West wrote:
> On 2016/03/17 at 19:15:56, mmenke wrote:
> > Suggest a switch statement, just to make clear how these are related to each
> other.
> 
> I've turned this into a switch, but I'm not actually sure it's any clearer...
> WDYT?

I think it's marginally better, but not really a huge improvement.  IF you
disagree, feel free to revert.

https://codereview.chromium.org/1783813002/diff/120001/content/browser/frame_...
File content/browser/frame_host/render_frame_message_filter.cc (right):

https://codereview.chromium.org/1783813002/diff/120001/content/browser/frame_...
content/browser/frame_host/render_frame_message_filter.cc:378: const GURL&
first_party_for_cookies,
first_party_for_cookies is the main frame URL here?

https://codereview.chromium.org/1783813002/diff/120001/content/browser/frame_...
content/browser/frame_host/render_frame_message_filter.cc:402: // initiated in a
strict or lax same-site context.,[
On 2016/03/18 14:27:17, Mike West wrote:
> Honestly, I need to think about whether or not this is a bug. I think it is,
but
> maybe the behavior makes sense? Idunno. It's not clear that we need to reason
> about the initiator after we've already opened and rendered a document.

My feeling is that the cookies we send while requesting the HTML file should
exactly match the cookies that the HTML file can access, modulo new cookies and
expiring cookies.  Anything else seems weird to me.

If the thinking is that the iframe knows its an iframe, and can behavior
correspondingly, seems like we could just send that information as a request
header instead of a new SameSite value - that makes the cookie security model
consistent.  If the idea is we should hide cookies based on the "initiator",
seems like should be defined the same way for HTTP and HTML.

https://codereview.chromium.org/1783813002/diff/120001/content/browser/frame_...
content/browser/frame_host/render_frame_message_filter.cc:402: // initiated in a
strict or lax same-site context.,[
nit:  Remove the ",["

https://codereview.chromium.org/1783813002/diff/120001/net/url_request/url_re...
File net/url_request/url_request_http_job.cc (right):

https://codereview.chromium.org/1783813002/diff/120001/net/url_request/url_re...
net/url_request/url_request_http_job.cc:729: // Set |options|'
SameSiteCookieMode according to the rules laid out in
As-is, this comment really confused me as I tried to parse it.  |options|'s? 
|options| is a variable name, so it's singular.  Or maybe just remove
|options|'?

https://codereview.chromium.org/1783813002/diff/120001/net/url_request/url_re...
net/url_request/url_request_http_job.cc:744: // once the feature is no longer
behind a flag: https://crbug.com/459154.
Just a comment on the design of this stuff:  Letting an iframe access a lax
cookie, but then hiding it from POSTs generated by that iframe seems like a
behavior that's going to cause developer confusion.

Mike West

clamy@/nasko@: It looks like the newly-added tests are failing under site isolation; any ideas where ...

4 years, 9 months ago (2016-03-19 11:23:56 UTC) #21

Mike West

On 2016/03/19 at 11:23:56, Mike West wrote: > clamy@/nasko@: It looks like the newly-added tests ...

4 years, 9 months ago (2016-03-21 08:08:34 UTC) #22

Mike West

philipj@: Would you mind taking a look at just the layout tests? You know things ...

4 years, 9 months ago (2016-03-21 08:38:56 UTC) #24

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1783813002/160001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1783813002/160001

4 years, 9 months ago (2016-03-21 08:59:20 UTC) #27

philipj_slow

Didn't dig too deeply into what this new stuff is, but the tests LGTM with ...

4 years, 9 months ago (2016-03-21 09:18:23 UTC) #28

commit-bot: I haz the power

Dry run: Try jobs failed on following builders: linux_blink_oilpan_rel on tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_blink_oilpan_rel/builds/19446)

4 years, 9 months ago (2016-03-21 10:15:39 UTC) #30

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1783813002/200001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1783813002/200001

4 years, 9 months ago (2016-03-21 10:58:07 UTC) #34

Mike West

https://codereview.chromium.org/1783813002/diff/160001/third_party/WebKit/LayoutTests/http/tests/cookies/resources/post-cookies-onmessage.php File third_party/WebKit/LayoutTests/http/tests/cookies/resources/post-cookies-onmessage.php (right): https://codereview.chromium.org/1783813002/diff/160001/third_party/WebKit/LayoutTests/http/tests/cookies/resources/post-cookies-onmessage.php#newcode5 third_party/WebKit/LayoutTests/http/tests/cookies/resources/post-cookies-onmessage.php:5: echo json_encode($_COOKIE, JSON_PRETTY_PRINT); I think our linux trybots don't ...

4 years, 9 months ago (2016-03-21 11:03:13 UTC) #37

philipj_slow

https://codereview.chromium.org/1783813002/diff/160001/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html File third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html (right): https://codereview.chromium.org/1783813002/diff/160001/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html#newcode20 third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html:20: document.cookie = STRICT_DOM + "=1; SameSite=Strict; domain=" + TEST_HOST ...

4 years, 9 months ago (2016-03-21 11:17:47 UTC) #38

philipj_slow

4 years, 9 months ago (2016-03-21 11:17:47 UTC) #39

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1783813002/220001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1783813002/220001

4 years, 9 months ago (2016-03-21 11:18:25 UTC) #42

Mike West

On 2016/03/21 at 11:17:47, philipj wrote: > https://codereview.chromium.org/1783813002/diff/160001/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html > File third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html (right): > > https://codereview.chromium.org/1783813002/diff/160001/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html#newcode20 ...

4 years, 9 months ago (2016-03-21 11:19:06 UTC) #43

commit-bot: I haz the power

Dry run: This issue passed the CQ dry run.

4 years, 9 months ago (2016-03-21 13:10:58 UTC) #45

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1783813002/220001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1783813002/220001

4 years, 9 months ago (2016-03-21 14:06:30 UTC) #48

commit-bot: I haz the power

Patchset 6 (id:??) landed as https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca Cr-Commit-Position: refs/heads/master@{#382277}

4 years, 9 months ago (2016-03-21 14:17:01 UTC) #51

Mike West

https://codereview.chromium.org/1783813002/diff/120001/net/url_request/url_request_http_job.cc File net/url_request/url_request_http_job.cc (right): https://codereview.chromium.org/1783813002/diff/120001/net/url_request/url_request_http_job.cc#newcode744 net/url_request/url_request_http_job.cc:744: // once the feature is no longer behind a ...

4 years, 9 months ago (2016-03-21 14:41:01 UTC) #52

mmenke

4 years, 9 months ago (2016-03-22 15:42:30 UTC) #53

Message was sent while issue was closed.

On 2016/03/21 14:41:01, Mike West wrote:
>
https://codereview.chromium.org/1783813002/diff/120001/net/url_request/url_re...
> File net/url_request/url_request_http_job.cc (right):
> 
>
https://codereview.chromium.org/1783813002/diff/120001/net/url_request/url_re...
> net/url_request/url_request_http_job.cc:744: // once the feature is no longer
> behind a flag: https://crbug.com/459154.
> On 2016/03/18 at 15:58:13, mmenke wrote:
> > Just a comment on the design of this stuff:  Letting an iframe access a lax
> cookie, but then hiding it from POSTs generated by that iframe seems like a
> behavior that's going to cause developer confusion.
> 
> I don't think there's a scenario in which an request in an iframe would be
> same-site enough to get a lax cookie but not a strict cookie. The document is
> either same-site with its embedder, in which case it gets both, or it's not
> same-site with its embedder, in which case it gets neither.
> 
> Strict/lax only has effect on things like redirects and popups, which create a
> top-level browsing context whose "first-party for cookies" matches the URL
> that's being loaded (modulo the `URLRequest::FirstPartyURLPolicy`). I agree
that
> this might cause confusion, but my hope is that the majority of the confusion
> will actually be on the part of attackers trying to execute CSRF attacks. :)
> 
> I've updated the comment in an effort to make that more clear.

Ahh...I missed that Lax was for main frame only (And double-checking, that
squares with the url_request_http_job code.  The code is sufficiently different
from the RFC that this is non-obvious).

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages