author | mkwst <mkwst@chromium.org> | 2016-03-21 07:15:24 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-03-21 14:16:53 +0000 |
commit | f71d0bde417518f99f977a0ecbf480b375cf49ca (patch) | |
tree | 3a5f5b5404ed5d9724d07c32570f7e637e45c731 /net | |
parent | 21138fcaeedd96af402c9715cfecf9a0a9eb9528 (diff) | |
SameSite: Strict/Lax behavior.
This patch brings our "SameSite" implementation into line with
https://tools.ietf.org/html/draft-west-first-party-cookies-06 by teaching
CookieOptions about strict and lax request modes, and teaching URLRequestHttpJob
about the registrable-domain behaviors of both.
BUG=459154
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation
Review URL: https://codereview.chromium.org/1783813002
Cr-Commit-Position: refs/heads/master@{#382277}
Diffstat (limited to 'net')
-rw-r--r-- | net/base/registry_controlled_domains/registry_controlled_domain.cc | 8 | ||||
-rw-r--r-- | net/base/registry_controlled_domains/registry_controlled_domain.h | 11 | ||||
-rw-r--r-- | net/base/registry_controlled_domains/registry_controlled_domain_unittest.cc | 18 | ||||
-rw-r--r-- | net/cookies/canonical_cookie.cc | 22 | ||||
-rw-r--r-- | net/cookies/canonical_cookie_unittest.cc | 64 | ||||
-rw-r--r-- | net/cookies/cookie_monster.cc | 9 | ||||
-rw-r--r-- | net/cookies/cookie_options.cc | 2 | ||||
-rw-r--r-- | net/cookies/cookie_options.h | 20 | ||||
-rw-r--r-- | net/cookies/cookie_store.cc | 3 | ||||
-rw-r--r-- | net/cookies/cookie_store_unittest.h | 3 | ||||
-rw-r--r-- | net/url_request/url_request_http_job.cc | 45 | ||||
-rw-r--r-- | net/url_request/url_request_unittest.cc | 96 |
12 files changed, 200 insertions, 101 deletions
diff --git a/net/base/registry_controlled_domains/registry_controlled_domain.cc b/net/base/registry_controlled_domains/registry_controlled_domain.cc index 0d98ead..8d379ba 100644 --- a/net/base/registry_controlled_domains/registry_controlled_domain.cc +++ b/net/base/registry_controlled_domains/registry_controlled_domain.cc @@ -52,6 +52,7 @@ #include "net/base/net_module.h" #include "net/base/url_util.h" #include "url/gurl.h" +#include "url/origin.h" #include "url/third_party/mozilla/url_parse.h" namespace net { @@ -215,6 +216,13 @@ bool SameDomainOrHost( host1.len); } +bool SameDomainOrHost(const url::Origin& origin1, + const url::Origin& origin2, + PrivateRegistryFilter filter) { + return SameDomainOrHost(GURL(origin1.Serialize()), GURL(origin2.Serialize()), + filter); +} + size_t GetRegistryLength( const GURL& gurl, UnknownRegistryFilter unknown_filter, diff --git a/net/base/registry_controlled_domains/registry_controlled_domain.h b/net/base/registry_controlled_domains/registry_controlled_domain.h index fa72f4c..24ffb70 100644 --- a/net/base/registry_controlled_domains/registry_controlled_domain.h +++ b/net/base/registry_controlled_domains/registry_controlled_domain.h @@ -122,6 +122,10 @@ class GURL; +namespace url { +class Origin; +}; + struct DomainRule; namespace net { @@ -183,8 +187,8 @@ NET_EXPORT std::string GetDomainAndRegistry(const GURL& gurl, NET_EXPORT std::string GetDomainAndRegistry(base::StringPiece host, PrivateRegistryFilter filter); -// This convenience function returns true if the two GURLs both have hosts -// and one of the following is true: +// These convenience functions return true if the two GURLs or Origins both have +// hosts and one of the following is true: // * They each have a known domain and registry, and it is the same for both // URLs. Note that this means the trailing dot, if any, must match too. // * They don't have known domains/registries, but the hosts are identical. 
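Review bot: The new Origin overload of SameDomainOrHost routes through `GURL(origin1.Serialize())`, so a unique origin serializes to "null", parses to a GURL with no host, and the call returns false; that is the conservative outcome for the same-site decisions in url_request_http_job.cc, but it is entirely implicit, and a comment such as `// A unique origin serializes to "null", which has no host, so it never matches.` would keep a later refactor from changing it by accident. An explicit guard, `if (origin1.unique() || origin2.unique()) return false;`, would make the intent visible and skip re-parsing the serialized origin for that case. The header comment for this overload should say the same, since the header is what callers read.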
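Review bot: The forward declaration added to registry_controlled_domain.h, `namespace url { class Origin; };`, carries a stray semicolon after the namespace's closing brace; it is an empty declaration that -Wextra-semi style checks flag. Write it as `namespace url {` / `class Origin;` / `}  // namespace url`, and consider placing it next to the existing `class GURL;` forward declaration so both non-net types are declared in one spot.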
@@ -192,6 +196,9 @@ NET_EXPORT std::string GetDomainAndRegistry(base::StringPiece host, // represent hosts "on the same site". NET_EXPORT bool SameDomainOrHost(const GURL& gurl1, const GURL& gurl2, PrivateRegistryFilter filter); +NET_EXPORT bool SameDomainOrHost(const url::Origin& origin1, + const url::Origin& origin2, + PrivateRegistryFilter filter); // Finds the length in bytes of the registrar portion of the host in the // given GURL. Returns std::string::npos if the GURL is invalid or has no diff --git a/net/base/registry_controlled_domains/registry_controlled_domain_unittest.cc b/net/base/registry_controlled_domains/registry_controlled_domain_unittest.cc index 42af173..0d553cb 100644 --- a/net/base/registry_controlled_domains/registry_controlled_domain_unittest.cc +++ b/net/base/registry_controlled_domains/registry_controlled_domain_unittest.cc @@ -5,6 +5,7 @@ #include "net/base/registry_controlled_domains/registry_controlled_domain.h" #include "testing/gtest/include/gtest/gtest.h" #include "url/gurl.h" +#include "url/origin.h" namespace { namespace test1 { @@ -67,12 +68,6 @@ size_t GetRegistryLengthFromHostIncludingPrivate( return GetRegistryLength(host, unknown_filter, INCLUDE_PRIVATE_REGISTRIES); } -bool CompareDomains(const std::string& url1, const std::string& url2) { - GURL g1 = GURL(url1); - GURL g2 = GURL(url2); - return SameDomainOrHost(g1, g2, EXCLUDE_PRIVATE_REGISTRIES); -} - } // namespace class RegistryControlledDomainTest : public testing::Test { 
@@ -82,6 +77,17 @@ class RegistryControlledDomainTest : public testing::Test { SetFindDomainGraph(graph, sizeof(Graph)); } + bool CompareDomains(const std::string& url1, const std::string& url2) { + SCOPED_TRACE(url1 + " " + url2); + GURL g1 = GURL(url1); + GURL g2 = GURL(url2); + url::Origin o1 = url::Origin(g1); + url::Origin o2 = url::Origin(g2); + EXPECT_EQ(SameDomainOrHost(o1, o2, EXCLUDE_PRIVATE_REGISTRIES), + SameDomainOrHost(g1, g2, EXCLUDE_PRIVATE_REGISTRIES)); + return SameDomainOrHost(g1, g2, EXCLUDE_PRIVATE_REGISTRIES); + } + void TearDown() override { SetFindDomainGraph(); } }; diff --git a/net/cookies/canonical_cookie.cc b/net/cookies/canonical_cookie.cc index 5647a22..89b5b4d 100644 --- a/net/cookies/canonical_cookie.cc +++ b/net/cookies/canonical_cookie.cc @@ -422,13 +422,21 @@ bool CanonicalCookie::IncludeForRequestURL(const GURL& url, if (!IsOnPath(url.path())) return false; // Don't include same-site cookies for cross-site requests. - // - // TODO(mkwst): This currently treats both "strict" and "lax" SameSite cookies - // in the same way. https://codereview.chromium.org/1783813002 will eventually - // distinguish between them based on attributes of the request. - if (SameSite() != CookieSameSite::NO_RESTRICTION && - !options.include_same_site()) { - return false; + switch (SameSite()) { + case CookieSameSite::STRICT_MODE: + if (options.same_site_cookie_mode() != + CookieOptions::SameSiteCookieMode::INCLUDE_STRICT_AND_LAX) { + return false; + } + break; + case CookieSameSite::LAX_MODE: + if (options.same_site_cookie_mode() == + CookieOptions::SameSiteCookieMode::DO_NOT_INCLUDE) { + return false; + } + break; + default: + break; } return true; diff --git a/net/cookies/canonical_cookie_unittest.cc b/net/cookies/canonical_cookie_unittest.cc index 11a20df8..a7e82fd 100644 --- a/net/cookies/canonical_cookie_unittest.cc +++ b/net/cookies/canonical_cookie_unittest.cc 
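Review bot: The `default: break;` arm in the new switch in CanonicalCookie::IncludeForRequestURL silently treats any future CookieSameSite enumerator as unrestricted, which is the wrong quiet default for a cookie-inclusion decision; since CookieSameSite is an enum class, spelling the remaining value as `case CookieSameSite::NO_RESTRICTION: break;` and dropping `default` lets -Wswitch catch a mode added later. The two explicit arms read correctly against the new modes: STRICT_MODE is included only under INCLUDE_STRICT_AND_LAX, LAX_MODE is excluded only under DO_NOT_INCLUDE, and the comment above the switch still describes the intent. The function starts and ends outside the hunk.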
@@ -85,7 +85,8 @@ TEST(CanonicalCookieTest, Create) { // Test creating SameSite cookies. CookieOptions same_site_options; - same_site_options.set_include_same_site(); + same_site_options.set_same_site_cookie_mode( + CookieOptions::SameSiteCookieMode::INCLUDE_STRICT_AND_LAX); cookie = CanonicalCookie::Create(url, "A=2; SameSite=Strict", creation_time, same_site_options); EXPECT_TRUE(cookie.get()); 
@@ -445,45 +446,40 @@ TEST(CanonicalCookieTest, IncludeForRequestURL) { } TEST(CanonicalCookieTest, IncludeSameSiteForSameSiteURL) { - GURL insecure_url("http://example.test"); - GURL secure_url("https://example.test"); - GURL secure_url_with_path("https://example.test/foo/bar/index.html"); - GURL third_party_url("https://not-example.test"); + GURL url("https://example.test"); base::Time creation_time = base::Time::Now(); CookieOptions options; scoped_ptr<CanonicalCookie> cookie; - // Same-site cookies are not included for cross-site requests, - // even if other properties match: - cookie = CanonicalCookie::Create(secure_url, "A=2; SameSite=Strict", - creation_time, options); - EXPECT_EQ(CookieSameSite::STRICT_MODE, cookie->SameSite()); - EXPECT_FALSE(cookie->IncludeForRequestURL(secure_url, options)); - cookie = CanonicalCookie::Create(secure_url, "A=2; Secure; SameSite=Strict", - creation_time, options); - EXPECT_EQ(CookieSameSite::STRICT_MODE, cookie->SameSite()); - EXPECT_FALSE(cookie->IncludeForRequestURL(secure_url, options)); - cookie = CanonicalCookie::Create(secure_url_with_path, - "A=2; SameSite=Strict; path=/foo/bar", - creation_time, options); + // `SameSite=Strict` cookies are included for a URL only if the options' + // SameSiteCookieMode is INCLUDE_STRICT_AND_LAX. 
+ cookie = CanonicalCookie::Create(url, "A=2; SameSite=Strict", creation_time, + options); EXPECT_EQ(CookieSameSite::STRICT_MODE, cookie->SameSite()); - EXPECT_FALSE(cookie->IncludeForRequestURL(secure_url, options)); + options.set_same_site_cookie_mode( + CookieOptions::SameSiteCookieMode::DO_NOT_INCLUDE); + EXPECT_FALSE(cookie->IncludeForRequestURL(url, options)); + options.set_same_site_cookie_mode( + CookieOptions::SameSiteCookieMode::INCLUDE_LAX); + EXPECT_FALSE(cookie->IncludeForRequestURL(url, options)); + options.set_same_site_cookie_mode( + CookieOptions::SameSiteCookieMode::INCLUDE_STRICT_AND_LAX); + EXPECT_TRUE(cookie->IncludeForRequestURL(url, options)); - // Same-site cookies are included for same-site requests: - options.set_include_same_site(); - cookie = CanonicalCookie::Create(secure_url, "A=2; SameSite=Strict", - creation_time, options); - EXPECT_EQ(CookieSameSite::STRICT_MODE, cookie->SameSite()); - EXPECT_TRUE(cookie->IncludeForRequestURL(secure_url, options)); - cookie = CanonicalCookie::Create(secure_url, "A=2; Secure; SameSite=Strict", - creation_time, options); - EXPECT_EQ(CookieSameSite::STRICT_MODE, cookie->SameSite()); - EXPECT_TRUE(cookie->IncludeForRequestURL(secure_url, options)); - cookie = CanonicalCookie::Create(secure_url_with_path, - "A=2; SameSite=Strict; path=/foo/bar", - creation_time, options); - EXPECT_EQ(CookieSameSite::STRICT_MODE, cookie->SameSite()); - EXPECT_TRUE(cookie->IncludeForRequestURL(secure_url_with_path, options)); + // `SameSite=Lax` cookies are included for a URL only if the options' + // SameSiteCookieMode is INCLUDE_STRICT_AND_LAX. 
+ cookie = + CanonicalCookie::Create(url, "A=2; SameSite=Lax", creation_time, options); + EXPECT_EQ(CookieSameSite::LAX_MODE, cookie->SameSite()); + options.set_same_site_cookie_mode( + CookieOptions::SameSiteCookieMode::DO_NOT_INCLUDE); + EXPECT_FALSE(cookie->IncludeForRequestURL(url, options)); + options.set_same_site_cookie_mode( + CookieOptions::SameSiteCookieMode::INCLUDE_LAX); + EXPECT_TRUE(cookie->IncludeForRequestURL(url, options)); + options.set_same_site_cookie_mode( + CookieOptions::SameSiteCookieMode::INCLUDE_STRICT_AND_LAX); + EXPECT_TRUE(cookie->IncludeForRequestURL(url, options)); } TEST(CanonicalCookieTest, PartialCompare) { diff --git a/net/cookies/cookie_monster.cc b/net/cookies/cookie_monster.cc index a4f99dc..aaecaf9 100644 --- a/net/cookies/cookie_monster.cc +++ b/net/cookies/cookie_monster.cc @@ -1044,7 +1044,8 @@ bool CookieMonster::SetCookieWithDetails(const GURL& url, CookieOptions options; options.set_include_httponly(); - options.set_include_same_site(); + options.set_same_site_cookie_mode( + CookieOptions::SameSiteCookieMode::INCLUDE_STRICT_AND_LAX); if (enforce_strict_secure) options.set_enforce_strict_secure(); return SetCanonicalCookie(std::move(cc), options); @@ -1198,7 +1199,8 @@ void CookieMonster::DeleteCookie(const GURL& url, CookieOptions options; options.set_include_httponly(); - options.set_include_same_site(); + options.set_same_site_cookie_mode( + CookieOptions::SameSiteCookieMode::INCLUDE_STRICT_AND_LAX); // Get the cookies for this host and its domain(s). std::vector<CanonicalCookie*> cookies; FindCookiesForHostAndDomain(url, options, &cookies); 
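Review bot: The comment introducing the Lax half of IncludeSameSiteForSameSiteURL contradicts the assertions beneath it: it says Lax cookies are included "only if the options' SameSiteCookieMode is INCLUDE_STRICT_AND_LAX", yet the next lines expect the cookie under INCLUDE_LAX as well. The second line should read `// SameSiteCookieMode is INCLUDE_LAX or INCLUDE_STRICT_AND_LAX.` so the comment matches both the test and the switch in canonical_cookie.cc. The rewrite also drops the earlier cases that combined SameSite=Strict with `Secure` and with `path=/foo/bar`; if no other test covers those attribute combinations, one of each is worth keeping under the new mode-based assertions.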
@@ -2327,7 +2329,8 @@ void CookieMonster::RunCookieChangedCallbacks(const CanonicalCookie& cookie, CookieOptions opts; opts.set_include_httponly(); - opts.set_include_same_site(); + opts.set_same_site_cookie_mode( + CookieOptions::SameSiteCookieMode::INCLUDE_STRICT_AND_LAX); // Note that the callbacks in hook_map_ are wrapped with RunAsync(), so they // are guaranteed to not take long - they just post a RunAsync task back to // the appropriate thread's message loop and return. diff --git a/net/cookies/cookie_options.cc b/net/cookies/cookie_options.cc index 103b768..8698afd 100644 --- a/net/cookies/cookie_options.cc +++ b/net/cookies/cookie_options.cc @@ -10,7 +10,7 @@ namespace net { CookieOptions::CookieOptions() : exclude_httponly_(true), - include_same_site_(false), + same_site_cookie_mode_(SameSiteCookieMode::DO_NOT_INCLUDE), enforce_strict_secure_(false), update_access_time_(true), server_time_() {} diff --git a/net/cookies/cookie_options.h b/net/cookies/cookie_options.h index 801e958..d1c6afc 100644 --- a/net/cookies/cookie_options.h +++ b/net/cookies/cookie_options.h @@ -9,12 +9,19 @@ #include "base/time/time.h" #include "net/base/net_export.h" +#include "net/cookies/cookie_constants.h" #include "url/gurl.h" namespace net { class NET_EXPORT CookieOptions { public: + enum class SameSiteCookieMode { + INCLUDE_STRICT_AND_LAX, + INCLUDE_LAX, + DO_NOT_INCLUDE + }; + // Creates a CookieOptions object which: // // * Excludes HttpOnly cookies @@ -25,7 +32,8 @@ class NET_EXPORT CookieOptions { // These settings can be altered by calling: // // * |set_{include,exclude}_httponly()| - // * |set_include_same_site()| + // * |set_same_site_cookie_mode( + // CookieOptions::SameSiteCookieMode::INCLUDE_STRICT_AND_LAX)| // * |set_enforce_prefixes()| // * |set_do_not_update_access_time()| CookieOptions(); 
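Review bot: The three SameSiteCookieMode enumerators in cookie_options.h are introduced without any description of when a caller should choose each, and the constructor comment only shows the INCLUDE_STRICT_AND_LAX call. A one-line comment per value would let readers understand the contract without opening url_request_http_job.cc, along the lines of: INCLUDE_STRICT_AND_LAX for requests whose URL, initiator and first party share a registrable domain; INCLUDE_LAX for requests whose URL and first party share a registrable domain but whose initiator does not, with a safe method; DO_NOT_INCLUDE for every other cross-site request, and the constructor default per cookie_options.cc. The added `#include "net/cookies/cookie_constants.h"` is not used by anything visible in this header's hunks; if nothing else in the file needs it, it can be dropped.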
@@ -35,8 +43,12 @@ class NET_EXPORT CookieOptions { bool exclude_httponly() const { return exclude_httponly_; } // Default is to exclude 'same_site' cookies. - void set_include_same_site() { include_same_site_ = true; } - bool include_same_site() const { return include_same_site_; } + void set_same_site_cookie_mode(SameSiteCookieMode mode) { + same_site_cookie_mode_ = mode; + } + SameSiteCookieMode same_site_cookie_mode() const { + return same_site_cookie_mode_; + } // TODO(jww): Remove once we decide whether to ship modifying 'secure' cookies // only from secure schemes. https://crbug.com/546820 @@ -57,7 +69,7 @@ class NET_EXPORT CookieOptions { private: bool exclude_httponly_; - bool include_same_site_; + SameSiteCookieMode same_site_cookie_mode_; bool enforce_strict_secure_; bool update_access_time_; base::Time server_time_; diff --git a/net/cookies/cookie_store.cc b/net/cookies/cookie_store.cc index 85f0192..8a3af08 100644 --- a/net/cookies/cookie_store.cc +++ b/net/cookies/cookie_store.cc @@ -55,7 +55,8 @@ void CookieStore::GetAllCookiesForURLAsync( const GetCookieListCallback& callback) { CookieOptions options; options.set_include_httponly(); - options.set_include_same_site(); + options.set_same_site_cookie_mode( + CookieOptions::SameSiteCookieMode::INCLUDE_STRICT_AND_LAX); options.set_do_not_update_access_time(); GetCookieListWithOptionsAsync(url, options, callback); } diff --git a/net/cookies/cookie_store_unittest.h b/net/cookies/cookie_store_unittest.h index b226d31..ce8008f 100644 --- a/net/cookies/cookie_store_unittest.h +++ b/net/cookies/cookie_store_unittest.h @@ -388,7 +388,8 @@ TYPED_TEST_P(CookieStoreTest, SetCookieWithDetailsAsync) { // make that difficult. CookieOptions options; options.set_include_httponly(); - options.set_include_same_site(); + options.set_same_site_cookie_mode( + CookieOptions::SameSiteCookieMode::INCLUDE_STRICT_AND_LAX); options.set_do_not_update_access_time(); CookieList cookies = 
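Review bot: The retained comment `// Default is to exclude 'same_site' cookies.` now sits above a three-state setter rather than a boolean, so it should name the state: `// Default is SameSiteCookieMode::DO_NOT_INCLUDE, i.e. no same-site cookies.` That keeps the header self-describing and matches the initializer in cookie_options.cc.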
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc index ccc38d5..6946575 100644 --- a/net/url_request/url_request_http_job.cc +++ b/net/url_request/url_request_http_job.cc @@ -26,6 +26,7 @@ #include "net/base/net_errors.h" #include "net/base/network_delegate.h" #include "net/base/network_quality_estimator.h" +#include "net/base/registry_controlled_domains/registry_controlled_domain.h" #include "net/base/sdch_manager.h" #include "net/base/sdch_net_log_params.h" #include "net/base/url_util.h" 
@@ -725,19 +726,43 @@ void URLRequestHttpJob::AddCookieHeaderAndStart() { CookieOptions options; options.set_include_httponly(); - // TODO(mkwst): If same-site cookies aren't enabled, pretend the request is - // same-site regardless, in order to include all cookies. Drop this check - // once we decide whether or not we're shipping this feature: - // https://crbug.com/459154 + // Set SameSiteCookieMode according to the rules laid out in + // https://tools.ietf.org/html/draft-west-first-party-cookies: + // + // * Include both "strict" and "lax" same-site cookies if the request's + // |url|, |initiator|, and |first_party_for_cookies| all have the same + // registrable domain. + // + // * Include only "lax" same-site cookies if the request's |URL| and + // |first_party_for_cookies| have the same registrable domain, _and_ the + // request's |method| is "safe" ("GET" or "HEAD"). + // + // Note that this will generally be the case only for cross-site requests + // which target a top-level browsing context. + // + // * Otherwise, do not include same-site cookies. url::Origin requested_origin(request_->url()); + url::Origin site_for_cookies(request_->first_party_for_cookies()); + if (!network_delegate() || !network_delegate()->AreExperimentalCookieFeaturesEnabled()) { - options.set_include_same_site(); - } else if (requested_origin.IsSameOriginWith( - url::Origin(request_->first_party_for_cookies())) && - (IsMethodSafe(request_->method()) || - requested_origin.IsSameOriginWith(request_->initiator()))) { - options.set_include_same_site(); + // TODO(mkwst): If same-site cookies aren't enabled, then tag the request + // as including both strict and lax same-site cookies. Drop this check + // once the feature is no longer behind a flag: https://crbug.com/459154. 
+ options.set_same_site_cookie_mode(
+ CookieOptions::SameSiteCookieMode::INCLUDE_STRICT_AND_LAX);
+ } else if (registry_controlled_domains::SameDomainOrHost(
+ requested_origin, site_for_cookies,
+ registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) {
+ if (registry_controlled_domains::SameDomainOrHost(
+ requested_origin, request_->initiator(),
+ registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) {
+ options.set_same_site_cookie_mode(
+ CookieOptions::SameSiteCookieMode::INCLUDE_STRICT_AND_LAX);
+ } else if (IsMethodSafe(request_->method())) {
+ options.set_same_site_cookie_mode(
+ CookieOptions::SameSiteCookieMode::INCLUDE_LAX);
+ }
 }
 cookie_store->GetCookieListWithOptionsAsync(
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index 714283a..3cbeca5 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
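Review bot: The strict branch compares `requested_origin` with `request_->initiator()` through the new Origin overload of SameDomainOrHost, which serializes a unique initiator to "null" and therefore returns false; that fail-closed fallthrough to the lax/safe-method check is the conservative result for opaque initiators, but nothing in this block says so, and a comment such as `// A unique (null) initiator never matches, so such requests get at most lax cookies.` would stop a later edit from "fixing" it. If a browser-initiated navigation can reach this job with an unset (unique) initiator, it too would receive only lax cookies despite not being cross-site; that depends on how callers populate the initiator and is worth confirming against them. The choice of INCLUDE_PRIVATE_REGISTRIES also deserves a one-line why-comment, since it decides whether sibling hosts under a private registry are treated as cross-site for cookie purposes. AddCookieHeaderAndStart continues past the end of the hunk.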
@@ -2659,83 +2659,110 @@ TEST_F(URLRequestTest, SameSiteCookiesEnabled) { network_delegate.set_experimental_cookie_features_enabled(true); default_context_.set_network_delegate(&network_delegate); - // Set up a 'SameSite' cookie (on '127.0.0.1', as that's where - // LocalHttpTestServer points). + const std::string kHost = "example.test"; + const std::string kSubHost = "subdomain.example.test"; + const std::string kCrossHost = "cross-origin.test"; + + // Set up two 'SameSite' cookies on 'example.test' { TestDelegate d; scoped_ptr<URLRequest> req(default_context_.CreateRequest( - test_server.GetURL("/set-cookie?SameSiteCookieToSet=1;SameSite=Strict"), + test_server.GetURL(kHost, + "/set-cookie?StrictSameSiteCookie=1;SameSite=Strict&" + "LaxSameSiteCookie=1;SameSite=Lax"), DEFAULT_PRIORITY, &d)); req->Start(); base::RunLoop().Run(); EXPECT_EQ(0, network_delegate.blocked_get_cookies_count()); EXPECT_EQ(0, network_delegate.blocked_set_cookie_count()); - EXPECT_EQ(1, network_delegate.set_cookie_count()); + EXPECT_EQ(2, network_delegate.set_cookie_count()); } - // Verify that the cookie is sent for same-site requests. + // Verify that both cookies are sent for same-site requests. 
{ TestDelegate d; scoped_ptr<URLRequest> req(default_context_.CreateRequest( - test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d)); - req->set_first_party_for_cookies(test_server.GetURL("/")); - req->set_initiator(url::Origin(test_server.GetURL("/"))); + test_server.GetURL(kHost, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d)); + req->set_first_party_for_cookies(test_server.GetURL(kHost, "/")); + req->set_initiator(url::Origin(test_server.GetURL(kHost, "/"))); req->Start(); base::RunLoop().Run(); - EXPECT_TRUE(d.data_received().find("SameSiteCookieToSet=1") != - std::string::npos); + EXPECT_NE(std::string::npos, + d.data_received().find("StrictSameSiteCookie=1")); + EXPECT_NE(std::string::npos, d.data_received().find("LaxSameSiteCookie=1")); EXPECT_EQ(0, network_delegate.blocked_get_cookies_count()); EXPECT_EQ(0, network_delegate.blocked_set_cookie_count()); } - // Verify that the cookie is not sent for cross-site requests. + // Verify that both cookies are sent for same-registrable-domain requests. 
{ TestDelegate d; scoped_ptr<URLRequest> req(default_context_.CreateRequest( - test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d)); - req->set_first_party_for_cookies(GURL("http://cross-site.test/")); - req->set_initiator(url::Origin(GURL("http://cross-site.test/"))); + test_server.GetURL(kHost, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d)); + req->set_first_party_for_cookies(test_server.GetURL(kSubHost, "/")); + req->set_initiator(url::Origin(test_server.GetURL(kSubHost, "/"))); req->Start(); base::RunLoop().Run(); - EXPECT_TRUE(d.data_received().find("SameSiteCookieToSet=1") == - std::string::npos); + EXPECT_NE(std::string::npos, + d.data_received().find("StrictSameSiteCookie=1")); + EXPECT_NE(std::string::npos, d.data_received().find("LaxSameSiteCookie=1")); EXPECT_EQ(0, network_delegate.blocked_get_cookies_count()); EXPECT_EQ(0, network_delegate.blocked_set_cookie_count()); } - // Verify that the cookie is sent for cross-site initiators when the + // Verify that neither cookie is not sent for cross-site requests. + { + TestDelegate d; + scoped_ptr<URLRequest> req(default_context_.CreateRequest( + test_server.GetURL(kHost, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d)); + req->set_first_party_for_cookies(test_server.GetURL(kCrossHost, "/")); + req->set_initiator(url::Origin(test_server.GetURL(kCrossHost, "/"))); + req->Start(); + base::RunLoop().Run(); + + EXPECT_EQ(std::string::npos, + d.data_received().find("StrictSameSiteCookie=1")); + EXPECT_EQ(std::string::npos, d.data_received().find("LaxSameSiteCookie=1")); + EXPECT_EQ(0, network_delegate.blocked_get_cookies_count()); + EXPECT_EQ(0, network_delegate.blocked_set_cookie_count()); + } + + // Verify that the lax cookie is sent for cross-site initiators when the // method is "safe". 
{ TestDelegate d; scoped_ptr<URLRequest> req(default_context_.CreateRequest( - test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d)); - req->set_first_party_for_cookies(test_server.GetURL("/")); - req->set_initiator(url::Origin(GURL("http://cross-site.test/"))); + test_server.GetURL(kHost, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d)); + req->set_first_party_for_cookies(test_server.GetURL(kHost, "/")); + req->set_initiator(url::Origin(test_server.GetURL(kCrossHost, "/"))); + req->set_method("GET"); req->Start(); base::RunLoop().Run(); - EXPECT_FALSE(d.data_received().find("SameSiteCookieToSet=1") == - std::string::npos); + EXPECT_EQ(std::string::npos, + d.data_received().find("StrictSameSiteCookie=1")); + EXPECT_NE(std::string::npos, d.data_received().find("LaxSameSiteCookie=1")); EXPECT_EQ(0, network_delegate.blocked_get_cookies_count()); EXPECT_EQ(0, network_delegate.blocked_set_cookie_count()); } - // Verify that the cookie is not sent for cross-site initiators when the + // Verify that neither cookie is sent for cross-site initiators when the // method is unsafe (e.g. POST). 
{ TestDelegate d; scoped_ptr<URLRequest> req(default_context_.CreateRequest( - test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d)); - req->set_first_party_for_cookies(test_server.GetURL("/")); - req->set_initiator(url::Origin(GURL("http://cross-site.test/"))); + test_server.GetURL(kHost, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d)); + req->set_first_party_for_cookies(test_server.GetURL(kHost, "/")); + req->set_initiator(url::Origin(test_server.GetURL(kCrossHost, "/"))); req->set_method("POST"); req->Start(); base::RunLoop().Run(); - EXPECT_TRUE(d.data_received().find("SameSiteCookieToSet=1") == - std::string::npos); + EXPECT_EQ(std::string::npos, + d.data_received().find("StrictSameSiteCookie=1")); + EXPECT_EQ(std::string::npos, d.data_received().find("LaxSameSiteCookie=1")); EXPECT_EQ(0, network_delegate.blocked_get_cookies_count()); EXPECT_EQ(0, network_delegate.blocked_set_cookie_count()); } @@ -2754,13 +2781,14 @@ TEST_F(URLRequestTest, SameSiteCookiesDisabled) { TestDelegate d; scoped_ptr<URLRequest> req(default_context_.CreateRequest( - test_server.GetURL("/set-cookie?SameSiteCookieToSet=1;SameSite"), + test_server.GetURL("/set-cookie?StrictSameSiteCookie=1;SameSite=Strict&" + "LaxSameSiteCookie=1;SameSite=Lax"), DEFAULT_PRIORITY, &d)); req->Start(); base::RunLoop().Run(); EXPECT_EQ(0, network_delegate.blocked_get_cookies_count()); EXPECT_EQ(0, network_delegate.blocked_set_cookie_count()); - EXPECT_EQ(1, network_delegate.set_cookie_count()); + EXPECT_EQ(2, network_delegate.set_cookie_count()); } // Verify that the cookie is sent for same-site requests. 
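Review bot: The comment introducing the new cross-site block in SameSiteCookiesEnabled reads `// Verify that neither cookie is not sent for cross-site requests.`, a double negative; it should be `// Verify that neither cookie is sent for cross-site requests.` The cases also never exercise the nesting in AddCookieHeaderAndStart where the initiator is same-site but first_party_for_cookies is cross-site, the shape of a same-site subresource embedded in a cross-site page: under the new code that request should receive neither cookie even for GET, and a block using `req->set_first_party_for_cookies(test_server.GetURL(kCrossHost, "/"));` with `req->set_initiator(url::Origin(test_server.GetURL(kHost, "/")));` would pin that. The explicit `req->set_method("GET");` in the safe-method case documents intent but is presumably the default; a short comment saying it is deliberate would avoid it looking like a leftover.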
@@ -2775,7 +2803,9 @@ TEST_F(URLRequestTest, SameSiteCookiesDisabled) { req->Start(); base::RunLoop().Run(); - EXPECT_TRUE(d.data_received().find("SameSiteCookieToSet=1") != + EXPECT_TRUE(d.data_received().find("StrictSameSiteCookie=1") != + std::string::npos); + EXPECT_TRUE(d.data_received().find("LaxSameSiteCookie=1") != std::string::npos); EXPECT_EQ(0, network_delegate.blocked_get_cookies_count()); EXPECT_EQ(0, network_delegate.blocked_set_cookie_count()); @@ -2793,8 +2823,10 @@ TEST_F(URLRequestTest, SameSiteCookiesDisabled) { req->Start(); base::RunLoop().Run(); - EXPECT_NE(d.data_received().find("SameSiteCookieToSet=1"), + EXPECT_NE(d.data_received().find("StrictSameSiteCookie=1"), std::string::npos); + EXPECT_TRUE(d.data_received().find("LaxSameSiteCookie=1") != + std::string::npos); EXPECT_EQ(0, network_delegate.blocked_get_cookies_count()); EXPECT_EQ(0, network_delegate.blocked_set_cookie_count()); } |
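Review bot: The two SameSiteCookiesDisabled hunks mix assertion idioms on adjacent lines, `EXPECT_NE(d.data_received().find("StrictSameSiteCookie=1"), std::string::npos);` beside `EXPECT_TRUE(d.data_received().find("LaxSameSiteCookie=1") != std::string::npos);`, and the expected value sits on opposite sides from the Enabled test rewritten above. Using `EXPECT_NE(std::string::npos, d.data_received().find("LaxSameSiteCookie=1"));` throughout gives gtest a useful failure message and keeps the two tests consistent.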