Don't permit setting `SameSite` cookies from cross-site contexts.
This is almost entirely based on Mike West's preliminary version:
https://chromium-review.googlesource.com/c/chromium/src/+/1528244
The new enforcement blocks the setup portion of some existing WPT tests,
which verified read behavior, so the helper they use was changed to always
set them in a same-site context by PostMessage'ing to a helper window.
Bug: 837412
Change-Id: Iba95d65ec4d0916fb4dfa581efaede50654792d3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1534237
Commit-Queue: Maks Orlovich <[email protected]>
Reviewed-by: Matt Menke <[email protected]>
Reviewed-by: Camille Lamy <[email protected]>
Reviewed-by: Philip Jägenstedt <[email protected]>
Cr-Commit-Position: refs/heads/master@{#653228}diff --git a/net/cookies/cookie_monster.cc b/net/cookies/cookie_monster.cc
index e7ad8df..1241126 100644
--- a/net/cookies/cookie_monster.cc
+++ b/net/cookies/cookie_monster.cc
@@ -1194,10 +1194,12 @@
return;
}
- if (cc->IsHttpOnly() && options.exclude_httponly()) {
- MaybeRunCookieCallback(
- std::move(callback),
- CanonicalCookie::CookieInclusionStatus::EXCLUDE_HTTP_ONLY);
+ CanonicalCookie::CookieInclusionStatus status =
+ cc->IsSetPermittedInContext(options);
+ if (status != CanonicalCookie::CookieInclusionStatus::INCLUDE) {
+ // IsSetPermittedInContext already logs if it rejects a cookie, so
+ // CookieMonster doesn't need to.
+ MaybeRunCookieCallback(std::move(callback), status);
return;
}
@@ -1219,7 +1221,7 @@
base::Time creation_date_to_inherit;
- CanonicalCookie::CookieInclusionStatus status = DeleteAnyEquivalentCookie(
+ status = DeleteAnyEquivalentCookie(
key, *cc, secure_source, options.exclude_httponly(), already_expired,
&creation_date_to_inherit);
