Make CookiesWithoutSameSiteMustBeSecure reject regardless of source

This CL changes the behavior of the CookiesWithoutSameSiteMustBeSecure flag.
Previously, a SameSite=None cookie set without Secure would be treated
as Secure if set from a secure context, or rejected if set from an
insecure context. This CL changes that to always reject such a cookie,
regardless of source scheme.

Bug: 954551
Change-Id: Ie035ebc97425f855665b81419ac717173e2dcba5
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1594693
Commit-Queue: Lily Chen <[email protected]>
Reviewed-by: Mike West <[email protected]>
Cr-Commit-Position: refs/heads/master@{#656409}
diff --git a/net/cookies/cookie_monster.cc b/net/cookies/cookie_monster.cc
index 30a2fe0..5772e2ac 100644
--- a/net/cookies/cookie_monster.cc
+++ b/net/cookies/cookie_monster.cc
@@ -1210,25 +1210,18 @@
 
   // If both SameSiteByDefaultCookies and CookiesWithoutSameSiteMustBeSecure
   // are enabled, non-SameSite cookies without the Secure attribute will be
-  // treated as secure if set from a secure context, or rejected if set from an
-  // insecure context.
+  // rejected.
   if (base::FeatureList::IsEnabled(features::kSameSiteByDefaultCookies) &&
       base::FeatureList::IsEnabled(
           features::kCookiesWithoutSameSiteMustBeSecure) &&
       cc->GetEffectiveSameSite() == CookieSameSite::NO_RESTRICTION &&
       !cc->IsSecure()) {
-    if (!secure_source) {
-      DVLOG(net::cookie_util::kVlogSetCookies)
-          << "SetCookie() rejecting insecure cookie with SameSite=None.";
-      status = CanonicalCookie::CookieInclusionStatus::
-          EXCLUDE_SAMESITE_NONE_INSECURE;
-      MaybeRunCookieCallback(std::move(callback), status);
-      return;
-    }
     DVLOG(net::cookie_util::kVlogSetCookies)
-        << "SetCookie() treating cookie without SameSite restrictions as "
-           "secure.";
-    cc->SetSecure(true);
+        << "SetCookie() rejecting insecure cookie with SameSite=None.";
+    status =
+        CanonicalCookie::CookieInclusionStatus::EXCLUDE_SAMESITE_NONE_INSECURE;
+    MaybeRunCookieCallback(std::move(callback), status);
+    return;
   }
 
   const std::string key(GetKey(cc->Domain()));
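Review bot: The updated comment above the `if` still says "non-SameSite cookies", which does not match the condition it documents: the check is `cc->GetEffectiveSameSite() == CookieSameSite::NO_RESTRICTION && !cc->IsSecure()`, i.e. cookies that end up with no SameSite restriction and lack Secure. Since this branch is now a hard rejection for secure sources as well, with no fallback to `SetSecure(true)`, I would spell that out, e.g. `// are enabled, cookies with no effective SameSite restriction (SameSite=None) that lack the Secure attribute are rejected, whether or not the source URL is secure.` `secure_source` is no longer read anywhere in this hunk; the enclosing function starts and ends outside it, so please confirm the variable is still used elsewhere in it and is not left as a dead local.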