SameSite: Strict/Lax behavior. This patch brings our "SameSite" implementation into line with https://tools.ietf.org/html/draft-west-first-party-cookies-06 by teaching CookieOptions about strict and lax request modes, and teaching URLRequestHttpJob about the registrable-domain behaviors of both. BUG=459154 CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation Review URL: https://codereview.chromium.org/1783813002 Cr-Commit-Position: refs/heads/master@{#382277}

commit: f71d0bde417518f99f977a0ecbf480b375cf49ca [log] [tgz]
author: mkwst <[email protected]> Mon Mar 21 14:15:24 2016
committer: Commit bot <[email protected]> Mon Mar 21 14:16:53 2016
tree: 3a5f5b5404ed5d9724d07c32570f7e637e45c731
parent: 21138fcaeedd96af402c9715cfecf9a0a9eb9528 [diff] [blame]
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index 714283a3..3cbeca5 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc

@@ -2659,83 +2659,110 @@
   network_delegate.set_experimental_cookie_features_enabled(true);
   default_context_.set_network_delegate(&network_delegate);
 
-  // Set up a 'SameSite' cookie (on '127.0.0.1', as that's where
-  // LocalHttpTestServer points).
+  const std::string kHost = "example.test";
+  const std::string kSubHost = "subdomain.example.test";
+  const std::string kCrossHost = "cross-origin.test";
+
+  // Set up two 'SameSite' cookies on 'example.test'
   {
     TestDelegate d;
     scoped_ptr<URLRequest> req(default_context_.CreateRequest(
-        test_server.GetURL("/set-cookie?SameSiteCookieToSet=1;SameSite=Strict"),
+        test_server.GetURL(kHost,
+                           "/set-cookie?StrictSameSiteCookie=1;SameSite=Strict&"
+                           "LaxSameSiteCookie=1;SameSite=Lax"),
         DEFAULT_PRIORITY, &d));
     req->Start();
     base::RunLoop().Run();
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
-    EXPECT_EQ(1, network_delegate.set_cookie_count());
+    EXPECT_EQ(2, network_delegate.set_cookie_count());
   }
 
-  // Verify that the cookie is sent for same-site requests.
+  // Verify that both cookies are sent for same-site requests.
   {
     TestDelegate d;
     scoped_ptr<URLRequest> req(default_context_.CreateRequest(
-        test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
-    req->set_first_party_for_cookies(test_server.GetURL("/"));
-    req->set_initiator(url::Origin(test_server.GetURL("/")));
+        test_server.GetURL(kHost, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
+    req->set_first_party_for_cookies(test_server.GetURL(kHost, "/"));
+    req->set_initiator(url::Origin(test_server.GetURL(kHost, "/")));
     req->Start();
     base::RunLoop().Run();
 
-    EXPECT_TRUE(d.data_received().find("SameSiteCookieToSet=1") !=
-                std::string::npos);
+    EXPECT_NE(std::string::npos,
+              d.data_received().find("StrictSameSiteCookie=1"));
+    EXPECT_NE(std::string::npos, d.data_received().find("LaxSameSiteCookie=1"));
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
   }
 
-  // Verify that the cookie is not sent for cross-site requests.
+  // Verify that both cookies are sent for same-registrable-domain requests.
   {
     TestDelegate d;
     scoped_ptr<URLRequest> req(default_context_.CreateRequest(
-        test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
-    req->set_first_party_for_cookies(GURL("http://cross-site.test/"));
-    req->set_initiator(url::Origin(GURL("http://cross-site.test/")));
+        test_server.GetURL(kHost, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
+    req->set_first_party_for_cookies(test_server.GetURL(kSubHost, "/"));
+    req->set_initiator(url::Origin(test_server.GetURL(kSubHost, "/")));
     req->Start();
     base::RunLoop().Run();
 
-    EXPECT_TRUE(d.data_received().find("SameSiteCookieToSet=1") ==
-                std::string::npos);
+    EXPECT_NE(std::string::npos,
+              d.data_received().find("StrictSameSiteCookie=1"));
+    EXPECT_NE(std::string::npos, d.data_received().find("LaxSameSiteCookie=1"));
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
   }
 
-  // Verify that the cookie is sent for cross-site initiators when the
+  // Verify that neither cookie is not sent for cross-site requests.
+  {
+    TestDelegate d;
+    scoped_ptr<URLRequest> req(default_context_.CreateRequest(
+        test_server.GetURL(kHost, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
+    req->set_first_party_for_cookies(test_server.GetURL(kCrossHost, "/"));
+    req->set_initiator(url::Origin(test_server.GetURL(kCrossHost, "/")));
+    req->Start();
+    base::RunLoop().Run();
+
+    EXPECT_EQ(std::string::npos,
+              d.data_received().find("StrictSameSiteCookie=1"));
+    EXPECT_EQ(std::string::npos, d.data_received().find("LaxSameSiteCookie=1"));
+    EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
+    EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
+  }
+
+  // Verify that the lax cookie is sent for cross-site initiators when the
   // method is "safe".
   {
     TestDelegate d;
     scoped_ptr<URLRequest> req(default_context_.CreateRequest(
-        test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
-    req->set_first_party_for_cookies(test_server.GetURL("/"));
-    req->set_initiator(url::Origin(GURL("http://cross-site.test/")));
+        test_server.GetURL(kHost, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
+    req->set_first_party_for_cookies(test_server.GetURL(kHost, "/"));
+    req->set_initiator(url::Origin(test_server.GetURL(kCrossHost, "/")));
+    req->set_method("GET");
     req->Start();
     base::RunLoop().Run();
 
-    EXPECT_FALSE(d.data_received().find("SameSiteCookieToSet=1") ==
-                 std::string::npos);
+    EXPECT_EQ(std::string::npos,
+              d.data_received().find("StrictSameSiteCookie=1"));
+    EXPECT_NE(std::string::npos, d.data_received().find("LaxSameSiteCookie=1"));
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
   }
 
-  // Verify that the cookie is not sent for cross-site initiators when the
+  // Verify that neither cookie is sent for cross-site initiators when the
   // method is unsafe (e.g. POST).
   {
     TestDelegate d;
     scoped_ptr<URLRequest> req(default_context_.CreateRequest(
-        test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
-    req->set_first_party_for_cookies(test_server.GetURL("/"));
-    req->set_initiator(url::Origin(GURL("http://cross-site.test/")));
+        test_server.GetURL(kHost, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d));
+    req->set_first_party_for_cookies(test_server.GetURL(kHost, "/"));
+    req->set_initiator(url::Origin(test_server.GetURL(kCrossHost, "/")));
     req->set_method("POST");
     req->Start();
     base::RunLoop().Run();
 
-    EXPECT_TRUE(d.data_received().find("SameSiteCookieToSet=1") ==
-                std::string::npos);
+    EXPECT_EQ(std::string::npos,
+              d.data_received().find("StrictSameSiteCookie=1"));
+    EXPECT_EQ(std::string::npos, d.data_received().find("LaxSameSiteCookie=1"));
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
   }
@@ -2754,13 +2781,14 @@
 
     TestDelegate d;
     scoped_ptr<URLRequest> req(default_context_.CreateRequest(
-        test_server.GetURL("/set-cookie?SameSiteCookieToSet=1;SameSite"),
+        test_server.GetURL("/set-cookie?StrictSameSiteCookie=1;SameSite=Strict&"
+                           "LaxSameSiteCookie=1;SameSite=Lax"),
         DEFAULT_PRIORITY, &d));
     req->Start();
     base::RunLoop().Run();
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
-    EXPECT_EQ(1, network_delegate.set_cookie_count());
+    EXPECT_EQ(2, network_delegate.set_cookie_count());
   }
 
   // Verify that the cookie is sent for same-site requests.
@@ -2775,7 +2803,9 @@
     req->Start();
     base::RunLoop().Run();
 
-    EXPECT_TRUE(d.data_received().find("SameSiteCookieToSet=1") !=
+    EXPECT_TRUE(d.data_received().find("StrictSameSiteCookie=1") !=
+                std::string::npos);
+    EXPECT_TRUE(d.data_received().find("LaxSameSiteCookie=1") !=
                 std::string::npos);
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
@@ -2793,8 +2823,10 @@
     req->Start();
     base::RunLoop().Run();
 
-    EXPECT_NE(d.data_received().find("SameSiteCookieToSet=1"),
+    EXPECT_NE(d.data_received().find("StrictSameSiteCookie=1"),
               std::string::npos);
+    EXPECT_TRUE(d.data_received().find("LaxSameSiteCookie=1") !=
+                std::string::npos);
     EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
     EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
   }
commit	f71d0bde417518f99f977a0ecbf480b375cf49ca	[log] [tgz]
author	mkwst <[email protected]>	Mon Mar 21 14:15:24 2016
committer	Commit bot <[email protected]>	Mon Mar 21 14:16:53 2016
tree	3a5f5b5404ed5d9724d07c32570f7e637e45c731
parent	21138fcaeedd96af402c9715cfecf9a0a9eb9528 [diff] [blame]