Merge pull request #7387 from brave/ephemeral-cookie-storage-mimimal-network-cookies

mrobinson · web-flow · commit 61efb6a6bec6 · 2020-12-16T14:37:08.000+01:00
Add ephemeral storage support for network cookies
diff --git a/browser/ephemeral_storage/ephemeral_storage_browsertest.cc b/browser/ephemeral_storage/ephemeral_storage_browsertest.cc
@@ -18,6 +18,7 @@
 #include "components/prefs/pref_service.h"
 #include "content/public/browser/notification_types.h"
 #include "content/public/browser/render_frame_host.h"
+#include "content/public/browser/storage_partition.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/test/browser_test.h"
 #include "content/public/test/test_navigation_observer.h"
@@ -115,19 +116,23 @@ class EphemeralStorageBrowserTest : public InProcessBrowserTest {
         content_settings, brave_shields::ControlType::ALLOW, GURL());
   }
 
+  void SetValuesInFrame(RenderFrameHost* frame,
+                        std::string storage_value,
+                        std::string cookie_value) {
+    SetStorageValueInFrame(frame, storage_value, StorageType::Local);
+    SetStorageValueInFrame(frame, storage_value, StorageType::Session);
+    SetCookieInFrame(frame, cookie_value);
+  }
+
   void SetValuesInFrames(WebContents* web_contents,
                          std::string storage_value,
                          std::string cookie_value) {
-    auto set_values_in_frame = [&](RenderFrameHost* frame) {
-      SetStorageValueInFrame(frame, storage_value, StorageType::Local);
-      SetStorageValueInFrame(frame, storage_value, StorageType::Session);
-      SetCookieInFrame(frame, cookie_value);
-    };
-
-    RenderFrameHost* main_frame = web_contents->GetMainFrame();
-    set_values_in_frame(main_frame);
-    set_values_in_frame(content::ChildFrameAt(main_frame, 0));
-    set_values_in_frame(content::ChildFrameAt(main_frame, 1));
+    RenderFrameHost* main = web_contents->GetMainFrame();
+    SetValuesInFrame(main, storage_value, cookie_value);
+    SetValuesInFrame(content::ChildFrameAt(main, 0), storage_value,
+                     cookie_value);
+    SetValuesInFrame(content::ChildFrameAt(main, 1), storage_value,
+                     cookie_value);
   }
 
   struct ValuesFromFrame {
@@ -449,3 +454,103 @@ IN_PROC_BROWSER_TEST_F(EphemeralStorageBrowserTest,
   EXPECT_EQ("", private_values.iframe_1.cookies);
   EXPECT_EQ("", private_values.iframe_2.cookies);
 }
+
+IN_PROC_BROWSER_TEST_F(EphemeralStorageBrowserTest,
+                       NavigationCookiesArePartitioned) {
+  AllowAllCookies();
+
+  GURL a_site_set_cookie_url = https_server_.GetURL(
+      "a.com", "/set-cookie?name=acom;path=/;SameSite=None;Secure");
+  GURL b_site_set_cookie_url = https_server_.GetURL(
+      "b.com", "/set-cookie?name=bcom;path=/;SameSite=None;Secure");
+
+  ui_test_utils::NavigateToURL(browser(), a_site_set_cookie_url);
+  ui_test_utils::NavigateToURL(browser(), b_site_set_cookie_url);
+  ui_test_utils::NavigateToURL(browser(), a_site_ephemeral_storage_url_);
+
+  std::string a_cookie =
+      content::GetCookies(browser()->profile(), GURL("https://a.com/"));
+  std::string b_cookie =
+      content::GetCookies(browser()->profile(), GURL("https://b.com/"));
+  EXPECT_EQ("name=acom", a_cookie);
+  EXPECT_EQ("name=bcom", b_cookie);
+
+  // The third-party iframe should not have the b.com cookie that was set on the
+  // main frame.
+  auto* web_contents = browser()->tab_strip_model()->GetActiveWebContents();
+  RenderFrameHost* main_frame = web_contents->GetMainFrame();
+  RenderFrameHost* iframe_a = content::ChildFrameAt(main_frame, 0);
+  RenderFrameHost* iframe_b = content::ChildFrameAt(main_frame, 1);
+  ASSERT_EQ("", GetCookiesInFrame(iframe_a));
+  ASSERT_EQ("", GetCookiesInFrame(iframe_b));
+
+  // Setting the cookie directly on the third-party iframe should only set the
+  // cookie in the ephemeral storage area for that frame.
+  GURL b_site_set_ephemeral_cookie_url = https_server_.GetURL(
+      "b.com", "/set-cookie?name=bcom_ephemeral;path=/;SameSite=None;Secure");
+  NavigateIframeToURL(web_contents, "third_party_iframe_a",
+                      b_site_set_ephemeral_cookie_url);
+  ASSERT_EQ("name=bcom_ephemeral", GetCookiesInFrame(iframe_a));
+  ASSERT_EQ("name=bcom_ephemeral", GetCookiesInFrame(iframe_b));
+
+  // The cookie set in the ephemeral area should not visible in the main
+  // cookie storage.
+  b_cookie = content::GetCookies(browser()->profile(), GURL("https://b.com/"));
+  EXPECT_EQ("name=bcom", b_cookie);
+
+  // Navigating to a new TLD should clear all ephemeral cookies.
+  ui_test_utils::NavigateToURL(browser(), b_site_ephemeral_storage_url_);
+  ui_test_utils::NavigateToURL(browser(), a_site_ephemeral_storage_url_);
+
+  ValuesFromFrames values_after = GetValuesFromFrames(web_contents);
+  EXPECT_EQ("name=acom", values_after.main_frame.cookies);
+  EXPECT_EQ("", values_after.iframe_1.cookies);
+  EXPECT_EQ("", values_after.iframe_2.cookies);
+}
+
+IN_PROC_BROWSER_TEST_F(EphemeralStorageBrowserTest,
+                       FirstPartyNestedInThirdParty) {
+  AllowAllCookies();
+
+  auto* web_contents = browser()->tab_strip_model()->GetActiveWebContents();
+
+  GURL a_site_set_cookie_url = https_server_.GetURL(
+      "a.com", "/set-cookie?name=acom;path=/;SameSite=None;Secure");
+  ui_test_utils::NavigateToURL(browser(), a_site_set_cookie_url);
+  ui_test_utils::NavigateToURL(browser(), a_site_ephemeral_storage_url_);
+
+  RenderFrameHost* site_a_main_frame = web_contents->GetMainFrame();
+  RenderFrameHost* nested_frames_tab =
+      content::ChildFrameAt(site_a_main_frame, 3);
+  ASSERT_NE(nested_frames_tab, nullptr);
+  RenderFrameHost* first_party_nested_acom =
+      content::ChildFrameAt(nested_frames_tab, 2);
+  ASSERT_NE(first_party_nested_acom, nullptr);
+
+  WebContents* site_b_tab = LoadURLInNewTab(b_site_ephemeral_storage_url_);
+  RenderFrameHost* site_b_main_frame = site_b_tab->GetMainFrame();
+  RenderFrameHost* third_party_nested_acom =
+      content::ChildFrameAt(site_b_main_frame, 2);
+  ASSERT_NE(first_party_nested_acom, nullptr);
+
+  ASSERT_EQ("name=acom", GetCookiesInFrame(site_a_main_frame));
+  ASSERT_EQ("name=acom", GetCookiesInFrame(first_party_nested_acom));
+  ASSERT_EQ("", GetCookiesInFrame(third_party_nested_acom));
+
+  SetValuesInFrame(site_a_main_frame, "first-party-a.com",
+                   "name=first-party-a.com");
+  SetValuesInFrame(third_party_nested_acom, "third-party-a.com",
+                   "name=third-party-a.com");
+
+  ValuesFromFrame first_party_values =
+      GetValuesFromFrame(first_party_nested_acom);
+  EXPECT_EQ("first-party-a.com", first_party_values.local_storage);
+  EXPECT_EQ("first-party-a.com", first_party_values.session_storage);
+  EXPECT_EQ("name=first-party-a.com", first_party_values.cookies);
+
+  ValuesFromFrame third_party_values =
+      GetValuesFromFrame(third_party_nested_acom);
+  EXPECT_EQ("third-party-a.com", third_party_values.local_storage);
+  EXPECT_EQ("third-party-a.com", third_party_values.session_storage);
+  EXPECT_EQ("name=third-party-a.com", third_party_values.cookies);
+}
diff --git a/chromium_src/net/url_request/url_request_http_job.cc b/chromium_src/net/url_request/url_request_http_job.cc
@@ -0,0 +1,54 @@
+/* Copyright (c) 2020 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "net/url_request/url_request_http_job.h"
+
+#include "base/bind.h"
+#include "net/base/features.h"
+#include "net/base/isolation_info.h"
+#include "net/cookies/cookie_monster.h"
+#include "net/url_request/url_request.h"
+
+namespace {
+
+bool ShouldUseEphemeralStorage(net::URLRequestHttpJob* http_job) {
+  if (!base::FeatureList::IsEnabled(net::features::kBraveEphemeralStorage))
+    return false;
+
+  const net::IsolationInfo& isolation_info =
+      http_job->request()->isolation_info();
+  if (!isolation_info.top_frame_origin().has_value() ||
+      !isolation_info.frame_origin().has_value())
+    return false;
+  if (*isolation_info.top_frame_origin() == *isolation_info.frame_origin())
+    return false;
+
+  return true;
+}
+
+}  // namespace
+
+#define BRAVE_ADDCOOKIEHEADERANDSTART                                          \
+  if (ShouldUseEphemeralStorage(this))                                         \
+    static_cast<CookieMonster*>(cookie_store)                                  \
+        ->GetEphemeralCookieListWithOptionsAsync(                              \
+            request_->url(),                                                   \
+            request()->isolation_info().top_frame_origin()->GetURL(), options, \
+            base::BindOnce(&URLRequestHttpJob::SetCookieHeaderAndStart,        \
+                           weak_factory_.GetWeakPtr(), options));              \
+  else
+
+#define BRAVE_SAVECOOKIESANDNOTIFYHEADERSCOMPLETE                              \
+  if (ShouldUseEphemeralStorage(this))                                         \
+    static_cast<CookieMonster*>(request_->context()->cookie_store())           \
+        ->SetEphemeralCanonicalCookieAsync(                                    \
+            std::move(cookie), request_->url(),                                \
+            request()->isolation_info().top_frame_origin()->GetURL(), options, \
+            base::BindOnce(&URLRequestHttpJob::OnSetCookieResult,              \
+                           weak_factory_.GetWeakPtr(), options,                \
+                           cookie_to_return, cookie_string));                  \
+  else
+
+#include "../../../../../net/url_request/url_request_http_job.cc"
diff --git a/patches/net-url_request-url_request_http_job.cc.patch b/patches/net-url_request-url_request_http_job.cc.patch
@@ -0,0 +1,20 @@
+diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
+index f5e754f4ea0288a685a6932b00f692e3c6638621..d7da91c3607d205fd19cae3be369d4e58989f8bb 100644
+--- a/net/url_request/url_request_http_job.cc
++++ b/net/url_request/url_request_http_job.cc
+@@ -583,6 +583,7 @@ void URLRequestHttpJob::AddCookieHeaderAndStart() {
+         net::cookie_util::ComputeSameSiteContextForRequest(
+             request_->method(), request_->url(), request_->site_for_cookies(),
+             request_->initiator(), force_ignore_site_for_cookies));
++    BRAVE_ADDCOOKIEHEADERANDSTART
+     cookie_store->GetCookieListWithOptionsAsync(
+         request_->url(), options,
+         base::BindOnce(&URLRequestHttpJob::SetCookieHeaderAndStart,
+@@ -770,6 +771,7 @@ void URLRequestHttpJob::SaveCookiesAndNotifyHeadersComplete(int result) {
+       continue;
+     }
+ 
++    BRAVE_SAVECOOKIESANDNOTIFYHEADERSCOMPLETE
+     request_->context()->cookie_store()->SetCanonicalCookieAsync(
+         std::move(cookie), request_->url(), options,
+         base::BindOnce(&URLRequestHttpJob::OnSetCookieResult,
diff --git a/test/data/ephemeral_storage.html b/test/data/ephemeral_storage.html
@@ -2,4 +2,6 @@
 <body>
 <iframe src="/cross-site/b.com/simple.html" id="third_party_iframe_a"></iframe>
 <iframe src="/cross-site/b.com/simple.html" id="third_party_iframe_b"></iframe>
+<iframe src="/cross-site/a.com/simple.html" id="first_party_iframe"></iframe>
+<iframe src="/cross-site/b.com/ephemeral_storage.html" id="nested_iframe"></iframe>
 </body></html>
