[DurableStorage] Don't grant durable if origin cannot write cookies.

chrome/browser/storage/durable_storage_permission_context.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/storage/durable_storage_permission_context.h"
 
 #include <algorithm>
 
 #include "base/logging.h"
 #include "chrome/browser/bookmarks/bookmark_model_factory.h"
+#include "chrome/browser/content_settings/cookie_settings_factory.h"
 #include "chrome/browser/content_settings/host_content_settings_map_factory.h"
 #include "chrome/browser/content_settings/tab_specific_content_settings.h"
 #include "chrome/browser/permissions/permission_request_id.h"
 #include "chrome/browser/profiles/profile.h"
 #include "components/bookmarks/browser/bookmark_model.h"
+#include "components/content_settings/core/browser/cookie_settings.h"
 #include "components/content_settings/core/browser/host_content_settings_map.h"
 #include "components/content_settings/core/browser/website_settings_registry.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/child_process_security_policy.h"
 #include "content/public/browser/permission_type.h"
 #include "content/public/common/origin_util.h"
 #include "url/gurl.h"
 
 using bookmarks::BookmarkModel;
 
 DurableStoragePermissionContext::DurableStoragePermissionContext(
     Profile* profile)
     : PermissionContextBase(profile,
                             content::PermissionType::DURABLE_STORAGE,
                             CONTENT_SETTINGS_TYPE_DURABLE_STORAGE) {}
 
 void DurableStoragePermissionContext::DecidePermission(
     content::WebContents* web_contents,
     const PermissionRequestID& id,
     const GURL& requesting_origin,
     const GURL& embedding_origin,

[jww, 2016/10/01 04:46:20]

Is embedding_origin guaranteed to be the top-level? I *think* first_party in the
call to IsSettingCookieAllowed is meant to be the top level origin, not just the
origin that has embedded the requester.

That is, if we have the setup:

top level frame
    |-> middle frame
        |-> requesting frame

I believe first_party should be the URL of "top level frame."

[dmurph, 2016/10/04 22:00:45]

Ok, so I removed this check, and we just check the requesting origin.

     bool user_gesture,
     const BrowserPermissionCallback& callback) {
   DCHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::UI));
 
+  scoped_refptr<content_settings::CookieSettings> cookie_settings =
+      CookieSettingsFactory::GetForProfile(profile());
+
+  // Don't grant durable if we can't write cookies.
+  if (!cookie_settings->IsSettingCookieAllowed(requesting_origin,
+                                               embedding_origin)) {

[michaeln, 2016/09/30 22:19:03]

The comment in the .h file says "or already granted", but i don't see any code
for that?

"Durability" is an attribute of an origin's stored data, but
IsSettingCookieAllowed() is dependent on the cross-origin-ness of a documents
parent document. True and False can't be the right answer at the same time.

If the permission has already been granted for an origin. I'm not sure a call
from a nested iframe should result in its revocation?

I think it probably makes sense that a call from a nested iframe can't initially
establish the permission.

[michaeln, 2016/09/30 22:21:21]

just read the bug... maybe use IsSettingCookiesAllowed(requesting_origin,
requesting_origin) to eliminate 3rd party considerations

[jww, 2016/10/01 04:46:20]

I don't know what dmurph@'s actually intent here, but if you're referring to
https://crbug.com/521183, it does say that the permission decision should match
the decision for cookies, so I don't think 3rd party considerations should
necessarily be eliminated.

Note that this isn't just for the "First-party cookie" attribute, but it is also
used for things like Web UI.

[dmurph, 2016/10/04 22:00:45]

Ok, so I'm now also blocking granting this permission if we're in an embedded
frame, so this should solve both cases. (This is what the push notification
permission does).

[dmurph, 2016/10/04 22:00:45]

This comment was wrong - we only call this if the content setting is DEFAULT -
if we're block or allow, we don't call this. See:
https://cs.chromium.org/chromium/src/chrome/browser/permissions/permission_co...

+    NotifyPermissionSet(id, requesting_origin, embedding_origin, callback,
+                        false /* persist */, CONTENT_SETTING_DEFAULT);
+    return;
+  }
+
   // TODO(dgrogan): Remove bookmarks check in favor of site engagement. In the
   // meantime maybe grant permission to A2HS origins as well.
   BookmarkModel* model =
       BookmarkModelFactory::GetForBrowserContextIfExists(profile());
   if (model) {
     std::vector<bookmarks::BookmarkModel::URLAndTitle> bookmarks;
     model->GetBookmarks(&bookmarks);
     if (IsOriginBookmarked(bookmarks, requesting_origin)) {
       NotifyPermissionSet(id, requesting_origin, embedding_origin, callback,
                           true /* persist */, CONTENT_SETTING_ALLOW);
@@ skipping 28 matching lines @@
     const std::vector<bookmarks::BookmarkModel::URLAndTitle>& bookmarks,
     const GURL& origin) {
   BookmarkModel::URLAndTitle looking_for;
   looking_for.url = origin;
   return std::binary_search(bookmarks.begin(), bookmarks.end(), looking_for,
                             [](const BookmarkModel::URLAndTitle& a,
                                const BookmarkModel::URLAndTitle& b) {
                               return a.url.GetOrigin() < b.url.GetOrigin();
                             });
 }