
Issue 459154

Starred by 18 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2016
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Launch-OWP
Launch-Accessibility: ----
Launch-Exp-Leadership: ----
Launch-Leadership: ----
Launch-Legal: ----
Launch-M-Approved: ----
Launch-M-Target: ----
Launch-Privacy: ----
Launch-Security: ----
Launch-Test: ----
Launch-UI: ----
Rollout-Type: ----



Experiment with "SameSite" cookies.

Reported by mkwst@chromium.org, Feb 17 2015

Issue description

Change description:
First-party cookies allow servers to mitigate the risk of cross-site request forgery and related information leakage attacks by asserting that a particular cookie should only be sent in a "first-party" context.

Changes to API surface:
* Adds a 'first-party' attribute to cookie strings
* Will likely require (non-webfacing) changes to extension APIs.

Links:
Public standards discussion:
* Draft spec: https://tools.ietf.org/html/draft-west-first-party-cookies-00
* Brief discussion on HTTP WG mailing list ended in a recommendation to go off and "do a prototype in Chrome": https://lists.w3.org/Archives/Public/ietf-http-wg/2014OctDec/0752.html

Support in other browsers:
Internet Explorer: No signals.

Firefox: Positive signals in https://groups.google.com/d/msg/mozilla.dev.platform/yEqC74IgnqQ/JGOdN1_ce-cJ, similar proposal at https://github.com/mozmark/SameDomain-cookies/blob/master/samedomain.txt, bug at https://bugzilla.mozilla.org/show_bug.cgi?id=795346

Safari: No signals.
 

Comment 1 by bugdroid1@chromium.org, Feb 20 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/be84af3196d7b6ce5c49c02b2fa47685f8d417c9

commit be84af3196d7b6ce5c49c02b2fa47685f8d417c9
Author: mkwst <mkwst@chromium.org>
Date: Fri Feb 20 08:52:45 2015

clang-formatting files in //net/cookies to clear up a diff.

The change in https://codereview.chromium.org/876973003 is vaguely
incomprehensible because of all the clang-format changes. This patch
formats all the files that patch touches in the hopes of clearing up
the diff.

BUG= 459154 

Review URL: https://codereview.chromium.org/929303003

Cr-Commit-Position: refs/heads/master@{#317274}

[modify] http://crrev.com/be84af3196d7b6ce5c49c02b2fa47685f8d417c9/net/cookies/canonical_cookie_unittest.cc
[modify] http://crrev.com/be84af3196d7b6ce5c49c02b2fa47685f8d417c9/net/cookies/cookie_monster.cc
[modify] http://crrev.com/be84af3196d7b6ce5c49c02b2fa47685f8d417c9/net/cookies/cookie_monster.h
[modify] http://crrev.com/be84af3196d7b6ce5c49c02b2fa47685f8d417c9/net/cookies/cookie_monster_perftest.cc
[modify] http://crrev.com/be84af3196d7b6ce5c49c02b2fa47685f8d417c9/net/cookies/cookie_monster_store_test.cc
[modify] http://crrev.com/be84af3196d7b6ce5c49c02b2fa47685f8d417c9/net/cookies/cookie_monster_store_test.h
[modify] http://crrev.com/be84af3196d7b6ce5c49c02b2fa47685f8d417c9/net/cookies/cookie_monster_unittest.cc
[modify] http://crrev.com/be84af3196d7b6ce5c49c02b2fa47685f8d417c9/net/cookies/cookie_options.h
[modify] http://crrev.com/be84af3196d7b6ce5c49c02b2fa47685f8d417c9/net/cookies/parsed_cookie.cc
[modify] http://crrev.com/be84af3196d7b6ce5c49c02b2fa47685f8d417c9/net/cookies/parsed_cookie.h
[modify] http://crrev.com/be84af3196d7b6ce5c49c02b2fa47685f8d417c9/net/cookies/parsed_cookie_unittest.cc


Comment 2 by bugdroid1@chromium.org, Feb 23 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b

commit ae819bb3096b63a11b8c1ff47dd3b69f85ea241b
Author: mkwst <mkwst@chromium.org>
Date: Mon Feb 23 05:10:31 2015

Implement the "First-Party-Only" cookie attribute.

First-party-only cookies allow servers to mitigate the risk of cross-site
request forgery and related information leakage attacks by asserting that a
particular cookie should only be sent in a "first-party" context.

This patch adds support for the 'First-Party-Only' attribute to the
CookieMonster and CookieStore, but does not yet wire up requests such that
the flag has any effect. https://codereview.chromium.org/940373002 will do so
by correctly setting the first-party URL on the CookieOptions object used to
load cookies for a request.

Spec: https://tools.ietf.org/html/draft-west-first-party-cookies

Intent to Implement: https://groups.google.com/a/chromium.org/d/msg/blink-dev/vT98riFhhT0/3Q-lADqsh0UJ

BUG= 459154 
TBR=dpolukhin@chromium.org

Review URL: https://codereview.chromium.org/876973003

Cr-Commit-Position: refs/heads/master@{#317544}

[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/chrome/android/java/src/org/chromium/chrome/browser/cookies/CanonicalCookie.java
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/chrome/android/java/src/org/chromium/chrome/browser/cookies/CookiesFetcher.java
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/chrome/browser/android/cookies/cookies_fetcher.cc
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/chrome/browser/android/cookies/cookies_fetcher.h
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/chrome/browser/chromeos/login/profile_auth_data_unittest.cc
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/chrome/browser/extensions/api/cookies/cookies_api.cc
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/chrome/browser/extensions/api/cookies/cookies_unittest.cc
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/content/browser/net/sqlite_persistent_cookie_store.cc
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/content/browser/net/sqlite_persistent_cookie_store_perftest.cc
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/content/browser/net/sqlite_persistent_cookie_store_unittest.cc
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/net/cookies/canonical_cookie.cc
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/net/cookies/canonical_cookie.h
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/net/cookies/canonical_cookie_unittest.cc
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/net/cookies/cookie_monster.cc
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/net/cookies/cookie_monster.h
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/net/cookies/cookie_monster_store_test.cc
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/net/cookies/cookie_monster_unittest.cc
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/net/cookies/cookie_options.h
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/net/cookies/parsed_cookie.cc
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/net/cookies/parsed_cookie.h
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/net/cookies/parsed_cookie_unittest.cc
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/net/url_request/url_request_http_job.cc
[modify] http://crrev.com/ae819bb3096b63a11b8c1ff47dd3b69f85ea241b/tools/metrics/histograms/histograms.xml


Comment 3 by bugdroid1@chromium.org, Feb 26 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3f3daac24caec2913641fe2fc2685feb738676ad

commit 3f3daac24caec2913641fe2fc2685feb738676ad
Author: mkwst <mkwst@chromium.org>
Date: Thu Feb 26 20:15:26 2015

First-Party Cookies: Wire it up as an experimental web platform feature

This patch adds a flag to the NetworkDelegate to control the first-party
cookies experiment, and implements the flag in the ChromeNetworkDelegate
and ShellNetworkDelegate by checking the value of the experimental web
platform features command-line flag.

Once we decide whether or not to ship this feature, we can revert
everything in this patch other than the tests and the change to
URLRequestHttpJob::DoLoadCookies.

BUG= 459154 

Review URL: https://codereview.chromium.org/940373002

Cr-Commit-Position: refs/heads/master@{#318295}

[modify] http://crrev.com/3f3daac24caec2913641fe2fc2685feb738676ad/chrome/browser/net/chrome_network_delegate.cc
[modify] http://crrev.com/3f3daac24caec2913641fe2fc2685feb738676ad/chrome/browser/net/chrome_network_delegate.h
[modify] http://crrev.com/3f3daac24caec2913641fe2fc2685feb738676ad/chrome/browser/net/chrome_network_delegate_unittest.cc
[modify] http://crrev.com/3f3daac24caec2913641fe2fc2685feb738676ad/content/shell/browser/shell_network_delegate.cc
[modify] http://crrev.com/3f3daac24caec2913641fe2fc2685feb738676ad/content/shell/browser/shell_network_delegate.h
[modify] http://crrev.com/3f3daac24caec2913641fe2fc2685feb738676ad/net/base/layered_network_delegate.cc
[modify] http://crrev.com/3f3daac24caec2913641fe2fc2685feb738676ad/net/base/layered_network_delegate.h
[modify] http://crrev.com/3f3daac24caec2913641fe2fc2685feb738676ad/net/base/network_delegate.cc
[modify] http://crrev.com/3f3daac24caec2913641fe2fc2685feb738676ad/net/base/network_delegate.h
[modify] http://crrev.com/3f3daac24caec2913641fe2fc2685feb738676ad/net/base/network_delegate_impl.cc
[modify] http://crrev.com/3f3daac24caec2913641fe2fc2685feb738676ad/net/base/network_delegate_impl.h
[modify] http://crrev.com/3f3daac24caec2913641fe2fc2685feb738676ad/net/url_request/url_request_http_job.cc
[modify] http://crrev.com/3f3daac24caec2913641fe2fc2685feb738676ad/net/url_request/url_request_test_util.cc
[modify] http://crrev.com/3f3daac24caec2913641fe2fc2685feb738676ad/net/url_request/url_request_test_util.h
[modify] http://crrev.com/3f3daac24caec2913641fe2fc2685feb738676ad/net/url_request/url_request_unittest.cc

Comment 4 by mkwst@chromium.org, Mar 19 2015

Attaching screenshot of a new column in the devtools cookie table.
[Attachment: Screenshot from 2015-03-19 11:29:48.png, 170 KB]

Comment 5 by mkwst@chromium.org, Mar 19 2015

Blockedon: chromium:468709

Comment 6 by mkwst@chromium.org, Mar 19 2015

Blockedon: chromium:468711

Comment 8 by mkwst@chromium.org, Mar 27 2015

Labels: M-43

Comment 9 by bugdroid1@chromium.org, Mar 27 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d

commit bdd0b09b5371066ad6d6c0ef2c32f5b92595316d
Author: mkwst <mkwst@chromium.org>
Date: Fri Mar 27 05:03:29 2015

Enable 'First-Party-Only' cookies by default.

This patch reverts https://codereview.chromium.org/940373002, and adds
back in the ~2 lines and tests that are still relevant.

BUG= 459154 

Review URL: https://codereview.chromium.org/1032063002

Cr-Commit-Position: refs/heads/master@{#322533}

[modify] http://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d/chrome/browser/net/chrome_network_delegate.cc
[modify] http://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d/chrome/browser/net/chrome_network_delegate.h
[modify] http://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d/chrome/browser/net/chrome_network_delegate_unittest.cc
[modify] http://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d/content/shell/browser/shell_network_delegate.cc
[modify] http://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d/content/shell/browser/shell_network_delegate.h
[modify] http://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d/net/base/layered_network_delegate.cc
[modify] http://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d/net/base/layered_network_delegate.h
[modify] http://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d/net/base/network_delegate.cc
[modify] http://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d/net/base/network_delegate.h
[modify] http://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d/net/base/network_delegate_impl.cc
[modify] http://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d/net/base/network_delegate_impl.h
[modify] http://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d/net/url_request/url_request_http_job.cc
[modify] http://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d/net/url_request/url_request_test_util.cc
[modify] http://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d/net/url_request/url_request_test_util.h
[modify] http://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d/net/url_request/url_request_unittest.cc

Comment 10 by mkwst@chromium.org, Mar 27 2015

Blockedon: chromium:471252

Comment 11 by bugdroid1@chromium.org, Apr 1 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0513c9d42fe0220d30174c55367e4a13b36f9cfd

commit 0513c9d42fe0220d30174c55367e4a13b36f9cfd
Author: mkwst <mkwst@chromium.org>
Date: Wed Apr 01 05:53:15 2015

Revert of Enable 'First-Party-Only' cookies by default. (patchset #3 id:40001 of https://codereview.chromium.org/1032063002/)

Reason for revert:
Blink OWNERs would like to wait a bit before shipping: https://groups.google.com/a/chromium.org/d/msg/blink-dev/wKZBCzcNssg/nZ1CFmgddJcJ

Original issue's description:
> Enable 'First-Party-Only' cookies by default.
>
> This patch reverts https://codereview.chromium.org/940373002, and adds
> back in the ~2 lines and tests that are still relevant.
>
> BUG= 459154 
>
> Committed: https://crrev.com/bdd0b09b5371066ad6d6c0ef2c32f5b92595316d
> Cr-Commit-Position: refs/heads/master@{#322533}

TBR=cbentzel@chromium.org,jochen@chromium.org,rsleevi@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 459154 

Review URL: https://codereview.chromium.org/1043403003

Cr-Commit-Position: refs/heads/master@{#323190}

[modify] http://crrev.com/0513c9d42fe0220d30174c55367e4a13b36f9cfd/chrome/browser/net/chrome_network_delegate.cc
[modify] http://crrev.com/0513c9d42fe0220d30174c55367e4a13b36f9cfd/chrome/browser/net/chrome_network_delegate.h
[modify] http://crrev.com/0513c9d42fe0220d30174c55367e4a13b36f9cfd/chrome/browser/net/chrome_network_delegate_unittest.cc
[modify] http://crrev.com/0513c9d42fe0220d30174c55367e4a13b36f9cfd/content/shell/browser/shell_network_delegate.cc
[modify] http://crrev.com/0513c9d42fe0220d30174c55367e4a13b36f9cfd/content/shell/browser/shell_network_delegate.h
[modify] http://crrev.com/0513c9d42fe0220d30174c55367e4a13b36f9cfd/net/base/layered_network_delegate.cc
[modify] http://crrev.com/0513c9d42fe0220d30174c55367e4a13b36f9cfd/net/base/layered_network_delegate.h
[modify] http://crrev.com/0513c9d42fe0220d30174c55367e4a13b36f9cfd/net/base/network_delegate.cc
[modify] http://crrev.com/0513c9d42fe0220d30174c55367e4a13b36f9cfd/net/base/network_delegate.h
[modify] http://crrev.com/0513c9d42fe0220d30174c55367e4a13b36f9cfd/net/base/network_delegate_impl.cc
[modify] http://crrev.com/0513c9d42fe0220d30174c55367e4a13b36f9cfd/net/base/network_delegate_impl.h
[modify] http://crrev.com/0513c9d42fe0220d30174c55367e4a13b36f9cfd/net/url_request/url_request_http_job.cc
[modify] http://crrev.com/0513c9d42fe0220d30174c55367e4a13b36f9cfd/net/url_request/url_request_test_util.cc
[modify] http://crrev.com/0513c9d42fe0220d30174c55367e4a13b36f9cfd/net/url_request/url_request_test_util.h
[modify] http://crrev.com/0513c9d42fe0220d30174c55367e4a13b36f9cfd/net/url_request/url_request_unittest.cc


Comment 12 by bugdroid1@chromium.org, Apr 16 2015

The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=193884

------------------------------------------------------------------
r193884 | mkwst@chromium.org | 2015-04-16T16:22:31.639824Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/dom/Document.cpp?r1=193884&r2=193883&pathrev=193884
   M http://src.chromium.org/viewvc/blink/trunk/Source/platform/RuntimeEnabledFeatures.in?r1=193884&r2=193883&pathrev=193884
   A http://src.chromium.org/viewvc/blink/trunk/Source/web/tests/data/first_party/nested-originA.html?r1=193884&r2=193883&pathrev=193884
   A http://src.chromium.org/viewvc/blink/trunk/Source/web/tests/data/first_party/nested-data.html?r1=193884&r2=193883&pathrev=193884
   A http://src.chromium.org/viewvc/blink/trunk/Source/web/tests/data/first_party/nested-originB.html?r1=193884&r2=193883&pathrev=193884
   M http://src.chromium.org/viewvc/blink/trunk/Source/web/tests/WebDocumentTest.cpp?r1=193884&r2=193883&pathrev=193884
   A http://src.chromium.org/viewvc/blink/trunk/Source/web/tests/data/first_party?r1=193884&r2=193883&pathrev=193884
   A http://src.chromium.org/viewvc/blink/trunk/Source/web/tests/data/first_party/nested-srcdoc.html?r1=193884&r2=193883&pathrev=193884
   A http://src.chromium.org/viewvc/blink/trunk/Source/web/tests/data/first_party/empty.html?r1=193884&r2=193883&pathrev=193884
   A http://src.chromium.org/viewvc/blink/trunk/Source/web/tests/data/first_party/nested-originA-in-originA.html?r1=193884&r2=193883&pathrev=193884
   A http://src.chromium.org/viewvc/blink/trunk/Source/web/tests/data/first_party/nested-originA-in-originB.html?r1=193884&r2=193883&pathrev=193884
   A http://src.chromium.org/viewvc/blink/trunk/Source/web/tests/data/first_party/nested-originB-in-originA.html?r1=193884&r2=193883&pathrev=193884
   A http://src.chromium.org/viewvc/blink/trunk/Source/web/tests/data/first_party/nested-originB-in-originB.html?r1=193884&r2=193883&pathrev=193884

Ancestors count towards first-partyness.

We currently set requests' "firstPartyForCookies" property based on the
top-level document's URL. We ought to harden this property to account
for good.com -> evil.com -> good.com ancestor chains.

The top-level 'good.com' should be considered a first-party context.
The nested 'good.com' should not.

This CL adds this behavior behind a runtime flag. If the intent to ship
at [1] is approved, I'll remove the flag in a followup CL.

[1]: https://groups.google.com/a/chromium.org/d/msg/blink-dev/ZvMEJMSU6po/wKWAfpIe6vUJ

BUG= 459154 

Review URL: https://codereview.chromium.org/1075163002
-----------------------------------------------------------------

Comment 13 by bugdroid1@chromium.org, Apr 21 2015

The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=194131

------------------------------------------------------------------
r194131 | mkwst@chromium.org | 2015-04-21T14:36:14.026397Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/loader/FrameLoader.cpp?r1=194131&r2=194130&pathrev=194131
   M http://src.chromium.org/viewvc/blink/trunk/Source/core/page/CreateWindow.cpp?r1=194131&r2=194130&pathrev=194131

Properly set WebURLRequest::FrameType for opened windows.

These should have an "auxiliary" context, per Fetch. This will allow us
to distinguish between main frame navigations and window openings to
make certain policy decisions (first-party cookies, etc).

BUG= 459154 

Review URL: https://codereview.chromium.org/1097303002
-----------------------------------------------------------------

Comment 15 by mkwst@chromium.org, May 20 2015

Labels: -M-43 M-45
Now aiming for M45.

Comment 16 by bugdroid1@chromium.org, Jul 27 2015

The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=199514

------------------------------------------------------------------
r199514 | mkwst@chromium.org | 2015-07-27T14:21:49.188529Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/platform/network/ResourceRequest.cpp?r1=199514&r2=199513&pathrev=199514
   M http://src.chromium.org/viewvc/blink/trunk/Source/platform/network/ResourceRequestTest.cpp?r1=199514&r2=199513&pathrev=199514

Initialize ResourceRequest::m_requestorOrigin.

We're not using this on the Chromium side yet, which is good, because
as soon as we start converting the exposed  'nullptr' WebSecurityOrigin
into a url::Origin, it'll crash. :) This patch fixes that.

BUG= 459154 

Review URL: https://codereview.chromium.org/1255843003
-----------------------------------------------------------------

Comment 17 by bugdroid1@chromium.org, Jul 28 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/765edf7c2d4f183663d6eb54964fc41f261be2df

commit 765edf7c2d4f183663d6eb54964fc41f261be2df
Author: mkwst <mkwst@chromium.org>
Date: Tue Jul 28 09:24:27 2015

Split 'CookieOptions' out into a .h/.cc file.

I need to add a member to CookieOptions in order to support First-Party
Only cookies, but doing so makes CookieOptions' constructor "complex".
Splitting that work out into a separate patch for clarity.

BUG= 459154 

Review URL: https://codereview.chromium.org/1258023002

Cr-Commit-Position: refs/heads/master@{#340657}

[add] http://crrev.com/765edf7c2d4f183663d6eb54964fc41f261be2df/net/cookies/cookie_options.cc
[modify] http://crrev.com/765edf7c2d4f183663d6eb54964fc41f261be2df/net/cookies/cookie_options.h
[modify] http://crrev.com/765edf7c2d4f183663d6eb54964fc41f261be2df/net/net.gypi

Comment 18 by mkwst@chromium.org, Oct 16 2015

Blockedon: chromium:544114

Comment 19 by bugdroid1@chromium.org, Oct 20 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8241a123220e71b3733df642e2e56e1962be99a9

commit 8241a123220e71b3733df642e2e56e1962be99a9
Author: mkwst <mkwst@chromium.org>
Date: Tue Oct 20 07:15:10 2015

Convert 'CookieOptions::first_party_url' to a 'url::Origin'.

We don't need a full URL for any check we're doing inside //net, so let's
throw away the bits we don't need, and make the origin check explicit
(rather than matching the URLs that result from 'GURL::GetOrigin()').

BUG= 459154 

Review URL: https://codereview.chromium.org/1413623002

Cr-Commit-Position: refs/heads/master@{#354999}

[modify] http://crrev.com/8241a123220e71b3733df642e2e56e1962be99a9/net/cookies/canonical_cookie.cc
[modify] http://crrev.com/8241a123220e71b3733df642e2e56e1962be99a9/net/cookies/canonical_cookie_unittest.cc
[modify] http://crrev.com/8241a123220e71b3733df642e2e56e1962be99a9/net/cookies/cookie_monster.cc
[modify] http://crrev.com/8241a123220e71b3733df642e2e56e1962be99a9/net/cookies/cookie_options.h
[modify] http://crrev.com/8241a123220e71b3733df642e2e56e1962be99a9/net/url_request/url_request.h
[modify] http://crrev.com/8241a123220e71b3733df642e2e56e1962be99a9/net/url_request/url_request_http_job.cc

Comment 20 by jmedley@google.com, Dec 11 2015

Mike,

Can this be closed? (Or at least updated?)

Comment 21 by mkwst@chromium.org, Dec 13 2015

Labels: -M-45 M-49
Might make M49. If not, 50. Just waiting on me to finish writing tests for https://codereview.chromium.org/1411813003.

Comment 22 by jmedley@google.com, Dec 14 2015

Mike,

Is this to take it out from behind the flag? (It looks like that was done in 42.)

Comment 23 by mkwst@chromium.org, Dec 14 2015

> Is this to take it out from behind the flag? (It looks like that was done in 42.)

We briefly took it out from behind the flag in dev, but put it back in again before cutting the branch.

Comment 24 by mkwst@chromium.org, Jan 22 2016

Summary: Experiment with "SameSite" cookies. (was: Experiment with "First-Party" cookies.)
Renamed to "SameSite" in https://tools.ietf.org/html/draft-west-first-party-cookies-05.

Comment 25 by mkwst@chromium.org, Jan 22 2016

Labels: -M-49 M-50
Targeting ~50.

How can I test this? Which flag do I have to set? Where?

> How can I test this? Which flag do I have to set? Where?

AFAIK this issue currently does not need to be tested. Thanks.

Comment 28 by bugdroid1@chromium.org, Feb 1 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4654941d380d76638610198ac497015b8d979bb9

commit 4654941d380d76638610198ac497015b8d979bb9
Author: mkwst <mkwst@chromium.org>
Date: Mon Feb 01 10:05:37 2016

Rename first-party-only cookies to same-site cookies.

As per https://tools.ietf.org/html/draft-west-first-party-cookies-05 and
https://lists.w3.org/Archives/Public/ietf-http-wg/2016JanMar/0134.html.

BUG= 459154 

Review URL: https://codereview.chromium.org/1615773005

Cr-Commit-Position: refs/heads/master@{#372630}

[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/chrome/android/java/src/org/chromium/chrome/browser/cookies/CanonicalCookie.java
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/chrome/android/java/src/org/chromium/chrome/browser/cookies/CookiesFetcher.java
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/chrome/app/generated_resources.grd
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/chrome/browser/android/cookies/cookies_fetcher.cc
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/chrome/browser/browsing_data/cookies_tree_model.cc
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/chrome/browser/net/chrome_network_delegate_unittest.cc
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/ios/net/cookies/cookie_store_ios_unittest.mm
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/ios/net/cookies/system_cookie_util_unittest.mm
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/net/cookies/canonical_cookie.cc
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/net/cookies/canonical_cookie.h
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/net/cookies/canonical_cookie_unittest.cc
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/net/cookies/cookie_monster.cc
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/net/cookies/cookie_monster.h
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/net/cookies/cookie_monster_store_test.cc
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/net/cookies/cookie_monster_unittest.cc
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/net/cookies/cookie_options.cc
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/net/cookies/cookie_options.h
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/net/cookies/parsed_cookie.cc
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/net/cookies/parsed_cookie.h
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/net/cookies/parsed_cookie_unittest.cc
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/net/extras/sqlite/sqlite_persistent_cookie_store.cc
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/net/url_request/url_request_http_job.cc
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/net/url_request/url_request_unittest.cc
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/third_party/WebKit/LayoutTests/inspector/components/cookie-parser-expected.txt
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/third_party/WebKit/LayoutTests/inspector/components/cookie-parser.html
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/third_party/WebKit/LayoutTests/inspector/cookie-resource-match.html
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/third_party/WebKit/Source/devtools/front_end/components_lazy/CookiesTable.js
[modify] http://crrev.com/4654941d380d76638610198ac497015b8d979bb9/third_party/WebKit/Source/devtools/front_end/sdk/CookieParser.js


Comment 29 by bugdroid1@chromium.org, Mar 15 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e1a295845cbc338a564dc04e6e3e69b29ba7862f

commit e1a295845cbc338a564dc04e6e3e69b29ba7862f
Author: mkwst <mkwst@chromium.org>
Date: Tue Mar 15 10:07:52 2016

SameSite: Implement 'Strict'/'Lax' attribute parsing.

https://tools.ietf.org/html/draft-west-first-party-cookies-06 introduced
the notion of "Strict" or "Lax" enforcement of the "SameSite" attribute.
This patch implements the infrastructure changes necessary to support
that distinction, but does not yet implement the behavioral change
(that is, after this patch, `SameSite` will be rejected, while
`SameSite=Strict` and `SameSite=Lax` will have the same behavior that
`SameSite` alone has today).

Most of this patch is occupied with the fairly mechanical process of
swapping out a new 'CookieSameSite' enum for the existing boolean in
various constructors and setters. The most interesting piece is the
change to the storage backend, which now stores 0, 1, or 2 in the
database to represent the possible values, rather than 0 or 1 to
represent the boolean.

BUG= 459154 

Review URL: https://codereview.chromium.org/1773133002

Cr-Commit-Position: refs/heads/master@{#381201}

[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/android_webview/browser/net/aw_cookie_store_wrapper.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/android_webview/browser/net/aw_cookie_store_wrapper.h
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/chrome/browser/android/cookies/cookies_fetcher.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/chrome/browser/android/cookies/cookies_fetcher.h
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/chrome/browser/browsing_data/cookies_tree_model.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/chrome/browser/chromeos/login/profile_auth_data.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/chrome/browser/chromeos/login/profile_auth_data_unittest.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/chrome/browser/extensions/api/cookies/cookies_api.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/chrome/browser/extensions/api/cookies/cookies_unittest.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/components/signin/core/browser/gaia_cookie_manager_service.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/content/browser/net/quota_policy_cookie_store_unittest.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/ios/net/cookies/cookie_cache_unittest.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/ios/net/cookies/cookie_store_ios.h
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/ios/net/cookies/cookie_store_ios.mm
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/ios/net/cookies/cookie_store_ios_unittest.mm
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/ios/net/cookies/system_cookie_util.mm
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/ios/net/cookies/system_cookie_util_unittest.mm
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/canonical_cookie.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/canonical_cookie.h
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/canonical_cookie_unittest.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/cookie_constants.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/cookie_constants.h
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/cookie_monster.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/cookie_monster.h
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/cookie_monster_store_test.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/cookie_monster_unittest.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/cookie_store.h
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/cookie_store_test_helpers.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/cookie_store_test_helpers.h
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/cookie_store_unittest.h
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/parsed_cookie.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/parsed_cookie.h
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/cookies/parsed_cookie_unittest.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/extras/sqlite/sqlite_persistent_cookie_store.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/extras/sqlite/sqlite_persistent_cookie_store_perftest.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc
[modify] https://crrev.com/e1a295845cbc338a564dc04e6e3e69b29ba7862f/net/url_request/url_request_unittest.cc

Project Member

Comment 30 by bugdroid1@chromium.org, Mar 21 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f71d0bde417518f99f977a0ecbf480b375cf49ca

commit f71d0bde417518f99f977a0ecbf480b375cf49ca
Author: mkwst <mkwst@chromium.org>
Date: Mon Mar 21 14:15:24 2016

SameSite: Strict/Lax behavior.

This patch brings our "SameSite" implementation into line with
https://tools.ietf.org/html/draft-west-first-party-cookies-06 by teaching
CookieOptions about strict and lax request modes, and teaching URLRequestHttpJob
about the registrable-domain behaviors of both.

BUG= 459154 
CQ_INCLUDE_TRYBOTS=tryserver.chromium.linux:linux_site_isolation

Review URL: https://codereview.chromium.org/1783813002

Cr-Commit-Position: refs/heads/master@{#382277}

[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/content/browser/frame_host/render_frame_message_filter.cc
[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/content/browser/frame_host/render_frame_message_filter_browsertest.cc
[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/net/base/registry_controlled_domains/registry_controlled_domain.cc
[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/net/base/registry_controlled_domains/registry_controlled_domain.h
[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/net/base/registry_controlled_domains/registry_controlled_domain_unittest.cc
[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/net/cookies/canonical_cookie.cc
[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/net/cookies/canonical_cookie_unittest.cc
[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/net/cookies/cookie_monster.cc
[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/net/cookies/cookie_options.cc
[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/net/cookies/cookie_options.h
[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/net/cookies/cookie_store.cc
[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/net/cookies/cookie_store_unittest.h
[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/net/url_request/url_request_http_job.cc
[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/net/url_request/url_request_unittest.cc
[add] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/third_party/WebKit/LayoutTests/http/tests/cookies/resources/echo-json.php
[add] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/third_party/WebKit/LayoutTests/http/tests/cookies/resources/post-cookies-onmessage.php
[add] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/third_party/WebKit/LayoutTests/http/tests/cookies/resources/post-cookies-to-opener.php
[add] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/third_party/WebKit/LayoutTests/http/tests/cookies/resources/testharness-helpers.js
[add] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/basics.html
[add] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/popup-cross-site-post.html
[add] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/popup-cross-site.html
[add] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/popup-same-site-post.html
[add] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/third_party/WebKit/LayoutTests/http/tests/cookies/same-site/popup-same-site.html
[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/f71d0bde417518f99f977a0ecbf480b375cf49ca/third_party/WebKit/Source/core/dom/Document.h
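The Strict/Lax split this commit implements, modelled as an added example (not Chromium's code): a request is same-site when its target's registrable domain matches the initiating document's "site for cookies", Strict cookies go only on same-site requests, and Lax cookies additionally go on cross-site top-level navigations with a safe method. It assumes a tiny constructed suffix list in place of the Public Suffix List and treats initiator-less (user-typed) requests as same-site.

```python
"""SameSite=Strict / SameSite=Lax attachment rules per draft-west-first-party-cookies-06.
Added example, not Chromium code. PUBLIC_SUFFIXES is a constructed stand-in for the
Public Suffix List that net/base/registry_controlled_domains consults."""
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "org", "co.uk"}          # constructed, demo-sized
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # RFC 7231 "safe" methods


def registrable_domain(url):
    """eTLD+1 of the host: 'https://a.shop.example.co.uk/' -> 'example.co.uk'."""
    labels = (urlsplit(url).hostname or "").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else ""
    return ".".join(labels)


def site_for_cookies(top_level_url, ancestor_urls=()):
    """A document's 'site for cookies': the top-level registrable domain, but only
    when every ancestor frame shares it; a cross-site iframe chain yields ''."""
    site = registrable_domain(top_level_url)
    return "" if any(registrable_domain(u) != site for u in ancestor_urls) else site


def allowed_modes(request_url, initiator_site, method, top_level_navigation):
    """SameSite values (None = no attribute) that may be attached to this request.
    initiator_site is the initiating document's site_for_cookies(); None means no
    initiator (user typed the URL), which this model treats as same-site (assumption)."""
    if initiator_site is None or initiator_site == registrable_domain(request_url):
        return {None, "lax", "strict"}           # same-site: everything
    if top_level_navigation and method.upper() in SAFE_METHODS:
        return {None, "lax"}                     # cross-site top-level GET: Lax only
    return {None}                                # cross-site subresource or POST: neither


def should_attach(cookie_same_site, request_url, initiator_site, method, top_level_navigation):
    """cookie_same_site is None, 'lax' or 'strict', as parsed from the Set-Cookie attribute."""
    return cookie_same_site in allowed_modes(request_url, initiator_site, method, top_level_navigation)


if __name__ == "__main__":
    bank, evil = "https://www.bank.example.co.uk/transfer", site_for_cookies("https://evil.com/")
    # Cross-site form POST (the CSRF shape SameSite targets): neither mode is attached.
    assert not should_attach("lax", bank, evil, "POST", True)
    # Cross-site top-level link click: Lax is attached, Strict is not.
    assert should_attach("lax", bank, evil, "GET", True) and not should_attach("strict", bank, evil, "GET", True)
    print("ok")
```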

Comment 31 by mkwst@chromium.org, Mar 22 2016

Blockedon: 596520
Labels: -M-50 M-51
Status: Fixed (was: Assigned)
Shipping in M51.
Will this be behind a flag in M51?
m.kurz@: No, it won't be behind a flag. We're shipping it.
Blockedon: 600983
Project Member

Comment 37 by bugdroid1@chromium.org, Apr 29 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e391c6d887ac88d4d8aa9dde783e35607325abff

commit e391c6d887ac88d4d8aa9dde783e35607325abff
Author: boliu <boliu@chromium.org>
Date: Fri Apr 29 15:28:14 2016

android: Fix CanonicalCookie same_site field

This field became an enum in r381201, but the java side was never
updated. Update java side to int instead.

Also update the format:
* Add an explicit version number that's just a date
* Explicitly encode the length so don't need EOF

Note the cookies can never persist across app updates, so no
need for any migration logic.

BUG= 459154 

Review-Url: https://codereview.chromium.org/1894213003
Cr-Commit-Position: refs/heads/master@{#390655}

[modify] https://crrev.com/e391c6d887ac88d4d8aa9dde783e35607325abff/chrome/android/java/src/org/chromium/chrome/browser/cookies/CanonicalCookie.java
[modify] https://crrev.com/e391c6d887ac88d4d8aa9dde783e35607325abff/chrome/android/java/src/org/chromium/chrome/browser/cookies/CookiesFetcher.java
[modify] https://crrev.com/e391c6d887ac88d4d8aa9dde783e35607325abff/chrome/android/java_sources.gni
[add] https://crrev.com/e391c6d887ac88d4d8aa9dde783e35607325abff/chrome/android/junit/src/org/chromium/chrome/browser/cookies/CanonicalCookieTest.java
[modify] https://crrev.com/e391c6d887ac88d4d8aa9dde783e35607325abff/chrome/browser/android/cookies/cookies_fetcher.cc
