Chromium Code Reviews

Issue 876973003: Implement the "first-party-only" cookie flag. (Closed)

Created:
5 years, 10 months ago by Mike West
Modified:
5 years, 10 months ago
CC:
cbentzel+watch_chromium.org, chromium-reviews, erikwright (departed)
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Implement the "First-Party-Only" cookie attribute.

First-party-only cookies allow servers to mitigate the risk of cross-site request forgery and related information leakage attacks by asserting that a particular cookie should only be sent in a "first-party" context.

This patch adds support for the 'First-Party-Only' attribute to the CookieMonster and CookieStore, but does not yet wire up requests such that the flag has any effect. https://codereview.chromium.org/940373002 will do so by correctly setting the first-party URL on the CookieOptions object used to load cookies for a request.

Spec: https://tools.ietf.org/html/draft-west-first-party-cookies
Intent to Implement: https://groups.google.com/a/chromium.org/d/msg/blink-dev/vT98riFhhT0/3Q-lADqsh0UJ

BUG=459154
TBR=dpolukhin@chromium.org

Committed: https://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b
Cr-Commit-Position: refs/heads/master@{#317544}
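The attribute parsing and load-time check that the description outlines, as an added C++ example that is not code from this CL or from Chromium. The struct and function names, the `include_all_first_party_only` switch standing in for the state where requests are not yet wired up, and the origin-equality test for "first-party" are assumptions; the sample header and origins are constructed.

```cpp
// Added illustration, not Chromium code; every name here is hypothetical.
#include <cctype>
#include <sstream>
#include <string>

struct Cookie { std::string name, value; bool first_party_only = false; };
struct LoadOptions {  // assumed shape of the options used when loading cookies
  bool include_all_first_party_only = false;  // models the "not wired up" state
  std::string first_party_origin;             // origin of the top-level page
};
static std::string Trim(const std::string& s) {
  auto b = s.find_first_not_of(" \t"), e = s.find_last_not_of(" \t");
  return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}
static std::string Lower(std::string s) {
  for (char& ch : s) ch = static_cast<char>(std::tolower(static_cast<unsigned char>(ch)));
  return s;
}

// Parses "name=value; Attr; Attr=val"; attribute names are case-insensitive.
Cookie ParseSetCookie(const std::string& header) {
  Cookie c;
  std::istringstream in(header);
  std::string part;
  for (bool first = true; std::getline(in, part, ';'); first = false) {
    part = Trim(part);
    if (first) {
      auto eq = part.find('=');
      c.name = Trim(part.substr(0, eq));
      c.value = eq == std::string::npos ? "" : Trim(part.substr(eq + 1));
    } else if (Lower(part) == "first-party-only") {
      c.first_party_only = true;
    }
  }
  return c;
}

// Assumption: first-party means top-level origin == origin being requested.
bool ShouldSend(const Cookie& c, const std::string& req, const LoadOptions& o) {
  if (!c.first_party_only || o.include_all_first_party_only) return true;
  return !o.first_party_origin.empty() && o.first_party_origin == req;
}

int main() {  // constructed sample: a cross-site load must not carry the cookie
  LoadOptions cross;
  cross.first_party_origin = "https://other.example";
  Cookie sid = ParseSetCookie("sid=abc123; HttpOnly; First-Party-Only");
  return ShouldSend(sid, "https://bank.example", cross) ? 1 : 0;
}
```

With `include_all_first_party_only` set, the flag is parsed and stored but changes nothing at load time, which is the situation the description says holds until the follow-up CL sets the first-party URL.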

Patch Set 1 : #

Patch Set 2 : Compile. Also, pass tests, please. #

Patch Set 3 : Without clang-format noise. #

Patch Set 4 : Tiny bug. #

Total comments: 4

Patch Set 5 : Feedback. #

Total comments: 2

Patch Set 6 : FirstPartyOnly. #

Stats: +461 lines, -299 lines
M chrome/android/java/src/org/chromium/chrome/browser/cookies/CanonicalCookie.java (5 chunks, +12 lines, -12 lines, 0 comments)
M chrome/android/java/src/org/chromium/chrome/browser/cookies/CookiesFetcher.java (3 chunks, +11 lines, -19 lines, 0 comments)
M chrome/browser/android/cookies/cookies_fetcher.h (1 chunk, +1 line, -0 lines, 0 comments)
M chrome/browser/android/cookies/cookies_fetcher.cc (4 chunks, +16 lines, -27 lines, 0 comments)
M chrome/browser/chromeos/login/profile_auth_data_unittest.cc (1 chunk, +8 lines, -22 lines, 0 comments)
M chrome/browser/extensions/api/cookies/cookies_api.cc (1 chunk, +4 lines, -0 lines, 0 comments)
M chrome/browser/extensions/api/cookies/cookies_unittest.cc (4 chunks, +18 lines, -33 lines, 0 comments)
M content/browser/net/sqlite_persistent_cookie_store.cc (8 chunks, +64 lines, -37 lines, 0 comments)
M content/browser/net/sqlite_persistent_cookie_store_perftest.cc (1 chunk, +3 lines, -5 lines, 0 comments)
M content/browser/net/sqlite_persistent_cookie_store_unittest.cc (5 chunks, +35 lines, -47 lines, 0 comments)
M net/cookies/canonical_cookie.h (4 chunks, +4 lines, -0 lines, 0 comments)
M net/cookies/canonical_cookie.cc (8 chunks, +30 lines, -13 lines, 0 comments)
M net/cookies/canonical_cookie_unittest.cc (6 chunks, +98 lines, -20 lines, 0 comments)
M net/cookies/cookie_monster.h (2 chunks, +2 lines, -0 lines, 0 comments)
M net/cookies/cookie_monster.cc (12 chunks, +14 lines, -3 lines, 0 comments)
M net/cookies/cookie_monster_store_test.cc (2 chunks, +4 lines, -2 lines, 0 comments)
M net/cookies/cookie_monster_unittest.cc (21 chunks, +66 lines, -45 lines, 0 comments)
M net/cookies/cookie_options.h (2 chunks, +23 lines, -4 lines, 0 comments)
M net/cookies/parsed_cookie.h (3 chunks, +3 lines, -0 lines, 0 comments)
M net/cookies/parsed_cookie.cc (6 chunks, +12 lines, -1 line, 0 comments)
M net/cookies/parsed_cookie_unittest.cc (9 chunks, +15 lines, -7 lines, 0 comments)
M net/url_request/url_request_http_job.cc (1 chunk, +6 lines, -0 lines, 0 comments)
M tools/metrics/histograms/histograms.xml (1 chunk, +12 lines, -2 lines, 0 comments)

Messages

Total messages: 29 (10 generated)
Mike West
Hi Erik, would you mind taking a look at this patch? It's a low priority ...
5 years, 10 months ago (2015-02-17 10:54:38 UTC) #3
Mike West
Patchset #2 is the patch, plus the required clang-formatting. It's a bit noisy (but the ...
5 years, 10 months ago (2015-02-17 15:18:27 UTC) #7
Mike West
Ping! +mmenke@, just in case you have some free time you'd like to fill with ...
5 years, 10 months ago (2015-02-19 06:58:30 UTC) #9
erikwright (departed)
https://codereview.chromium.org/876973003/diff/140001/net/cookies/canonical_cookie_unittest.cc File net/cookies/canonical_cookie_unittest.cc (right): https://codereview.chromium.org/876973003/diff/140001/net/cookies/canonical_cookie_unittest.cc#newcode259 net/cookies/canonical_cookie_unittest.cc:259: expiration_time, last_access_time, secure, httponly, firstparty, Should a test be ...
5 years, 10 months ago (2015-02-19 17:46:39 UTC) #10
erikwright (departed)
Sorry, took Friday off, Monday holiday, sick Tue+Wed. LGTM. I think landing the clang-format first ...
5 years, 10 months ago (2015-02-19 17:51:27 UTC) #11
Mike West
On 2015/02/19 at 17:51:27, erikwright wrote: > Sorry, took Friday off, Monday holiday, sick Tue+Wed. ...
5 years, 10 months ago (2015-02-19 17:56:48 UTC) #12
mmenke
On 2015/02/19 17:56:48, Mike West wrote: > On 2015/02/19 at 17:51:27, erikwright wrote: > > ...
5 years, 10 months ago (2015-02-19 18:53:54 UTC) #13
Mike West
On Thu, Feb 19, 2015 at 7:53 PM, <mmenke@chromium.org> wrote: > > I'll happily defer ...
5 years, 10 months ago (2015-02-19 19:04:06 UTC) #14
mmenke
https://codereview.chromium.org/876973003/diff/140001/net/url_request/url_request_http_job.cc File net/url_request/url_request_http_job.cc (right): https://codereview.chromium.org/876973003/diff/140001/net/url_request/url_request_http_job.cc#newcode635 net/url_request/url_request_http_job.cc:635: // first-party-url to the first-party-for-cookies value. crbug.com/459154 So we ...
5 years, 10 months ago (2015-02-19 21:04:36 UTC) #15
Mike West
bauerb@: Would you mind taking a look at the small changes to chrome/android and chrome/browser/android ...
5 years, 10 months ago (2015-02-20 10:36:01 UTC) #18
Bernhard Bauer
Android LGTM, but if I may make a small suggestion: Could we name the flag ...
5 years, 10 months ago (2015-02-20 11:10:17 UTC) #19
Mike West
On 2015/02/20 at 11:10:17, bauerb wrote: > Android LGTM, but if I may make a ...
5 years, 10 months ago (2015-02-20 11:33:32 UTC) #20
Bernhard Bauer
Nice, thanks!
5 years, 10 months ago (2015-02-20 12:10:44 UTC) #22
Mike West
On 2015/02/20 at 12:10:44, bauerb wrote: > Nice, thanks! https://github.com/mikewest/internetdrafts/commit/58d3818315e6ff61bf975985c590bb6ab6f262a9 I've updated the CL description ...
5 years, 10 months ago (2015-02-20 12:32:48 UTC) #23
Ilya Sherman
histograms.xml LGTM, though I wonder whether we really need so many migration time histograms...
5 years, 10 months ago (2015-02-20 21:36:33 UTC) #24
Mike West
TBRing dpolukhin@chromium.org for the trivial change to chrome/browser/chromeos/login/profile_auth_data_unittest.cc (simply adding one boolean entry to the ...
5 years, 10 months ago (2015-02-23 05:06:59 UTC) #25
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/876973003/180001
5 years, 10 months ago (2015-02-23 05:07:28 UTC) #27
commit-bot: I haz the power
Committed patchset #6 (id:180001)
5 years, 10 months ago (2015-02-23 05:10:43 UTC) #28
commit-bot: I haz the power
5 years, 10 months ago (2015-02-23 05:11:39 UTC) #29
Message was sent while issue was closed.
Patchset 6 (id:??) landed as
https://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b
Cr-Commit-Position: refs/heads/master@{#317544}
