
Issue 607897

Starred by 17 users

Issue metadata

Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Task

Blocked on:
issue 668114
issue 630327




Clear-Site-Data header

Project Member Reported by msramek@chromium.org, Apr 29 2016

Issue description

Change description:
Implement a 'Clear-Site-Data' HTTP header that prompts the user agent to clear cookies, cache, and/or storage ("site data") of the requesting website.

Changes to API surface:
Add a new HTTP header 'Clear-Site-Data'.

Links:
Public standards discussion: https://w3c.github.io/webappsec-clear-site-data/

Support in other browsers:
None yet.
 

Comment 1 by mkwst@chromium.org, Apr 29 2016

Labels: -OWP-Standards-UnofficialSpec OWP-Standards-OfficialSpec
(Marginally out of date WD is at https://www.w3.org/TR/clear-site-data/)
Blockedon: 630327
Labels: -M-53 M-54
Project Member

Comment 5 by bugdroid1@chromium.org, Aug 19 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1f4746d285ff62f0747ef4ce00c72a74f91f92cb

commit 1f4746d285ff62f0747ef4ce00c72a74f91f92cb
Author: msramek <msramek@chromium.org>
Date: Fri Aug 19 21:37:07 2016

First experimental implementation of the Clear-Site-Data header

We add a ClearSiteDataThrottle to the list of ResourceThrottle-s
on a main frame navigation. If the response contains a "Clear-Site-Data"
header, ClearSiteDataThrottle parses it and calls BrowsingDataRemover
to execute deletion with the specified parameters.

The deletion is asynchronous and does not delay or block the navigation.

This is an early proof-of-concept implementation of the working draft
https://www.w3.org/TR/clear-site-data/ which does not yet comply with
its full specification.

Tests:
- ClearSiteDataThrottleUnittest
  - parsing
  - error messages
- ClearSiteDataThrottleBrowsertest
  - secure origins
  - redirects
  - integration with the embedder
- ChromeContentBrowserClientTest
  - removal parameters for BrowsingDataRemover

Note that the effect of data being asynchronously deleted while possibly
also being written by the website at the same time has NOT yet been tested.

BUG=607897
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2025683003
Cr-Commit-Position: refs/heads/master@{#413247}

[modify] https://crrev.com/1f4746d285ff62f0747ef4ce00c72a74f91f92cb/chrome/browser/chrome_content_browser_client.cc
[modify] https://crrev.com/1f4746d285ff62f0747ef4ce00c72a74f91f92cb/chrome/browser/chrome_content_browser_client.h
[modify] https://crrev.com/1f4746d285ff62f0747ef4ce00c72a74f91f92cb/chrome/browser/chrome_content_browser_client_unittest.cc
[add] https://crrev.com/1f4746d285ff62f0747ef4ce00c72a74f91f92cb/content/browser/browsing_data/clear_site_data_throttle.cc
[add] https://crrev.com/1f4746d285ff62f0747ef4ce00c72a74f91f92cb/content/browser/browsing_data/clear_site_data_throttle.h
[add] https://crrev.com/1f4746d285ff62f0747ef4ce00c72a74f91f92cb/content/browser/browsing_data/clear_site_data_throttle_browsertest.cc
[add] https://crrev.com/1f4746d285ff62f0747ef4ce00c72a74f91f92cb/content/browser/browsing_data/clear_site_data_throttle_unittest.cc
[modify] https://crrev.com/1f4746d285ff62f0747ef4ce00c72a74f91f92cb/content/browser/frame_host/navigation_handle_impl.cc
[modify] https://crrev.com/1f4746d285ff62f0747ef4ce00c72a74f91f92cb/content/content_browser.gypi
[modify] https://crrev.com/1f4746d285ff62f0747ef4ce00c72a74f91f92cb/content/content_tests.gypi
[modify] https://crrev.com/1f4746d285ff62f0747ef4ce00c72a74f91f92cb/content/public/browser/content_browser_client.h

And I should have updated the commit message... in the later stages of the CL, we decided that the deletion will be *synchronous*, i.e. it will delay the navigation until finished.

Comment 7 by mmenke@chromium.org, Aug 22 2016

Cc: mmenke@chromium.org
Just saw the announcement about this.  Things to think about:

Do requests with the LoadFlags LOAD_DO_NOT_SEND_COOKIES and LOAD_DO_NOT_SAVE_COOKIES set also respect these cookies?  i.e. cross-site requests that don't send CORS pre-flight headers.  Looks like they do, but I'm not sure if this is a great idea.  If we don't trust an HTTP response to set cookies, do we trust it to delete them?

What about responses that go through ServiceWorker, do we clear everything twice?  Looks like we do.  Can't think of any non-performance issues there, but seems a potential cause for concern.

A bigger service worker issue:  I believe ServiceWorker can lie about URLs.  i.e., we request https://blah.com from ServiceWorker.  It decides it wants to respond with something from https://foo.com instead.  So we have a response that looks like it's from blah.com, but really isn't...So one site can clear another's cookies?  I'm not all that familiar with SW, so perhaps I'm mistaken.

Requests that don't go through the ResourceLoader don't look to respect these options, should they?  Beyond just internal requests, there's SDCH requests, AppCache requests, certificate transparency requests, requests where we download stuff for enterprise policy (No idea where these are wired in), precache requests, and I'm sure there are a whole host of others.

Comment 8 by mmenke@chromium.org, Aug 22 2016

Oh, this is only done on main frame requests?  I'm not seeing that mentioned in the spec?  If that's the intent, the load flag issue seems much less problematic, and the other sources of requests really don't matter (Though weirdly, downloads that we know are downloads from the start won't respect the headers, but downloads that we don't know are downloads from the start will respect them).

Thanks for the feedback! Sorry that it took me some time to respond, I wanted to investigate the service worker behavior first, but I didn't get to it yet, so let me at least respond to the rest.

The implementation changed several times during that one CL, and it seems that I haven't updated the CL description for a long time - sorry for the confusion, unfortunately, there's no way for me to edit that now.

The current implementation uses a NavigationThrottle on a NavigationHandle - i.e. it handles web navigations - and not just in the main frame. Other kinds of requests (e.g. going directly through URLFetcher IIUC?) are not supported. This is fine for now for the use cases that are mentioned in the spec. I personally don't think we need to support this header for internal requests like policy updates or certificate checks, but I'll make sure to investigate.

I agree with your assessment that if setting cookies is prohibited, deleting them should be as well. We're not respecting cookie settings in the current version, and that's a bug. I'll look into that as well.

ServiceWorker can make a same-site fetch look like it was cross-origin.  i.e., https://evil.com requests https://good.com, and then https://evil.com's ServiceWorker responds with a result from https://evil.com.  I believe this can also be done for cross-origin subframes, though I'm not positive (ServiceWorker is weird).  Should make sure this isn't an issue.

Note that it's not cookie settings I'm concerned about, it's some cross-origin requests that we don't allow to send or receive cookies, for security reasons.

Actually, I can't see how a ServiceWorker intercepting cross-origin iframes could be done securely, so I may well be wrong about that.  Should check to make sure, though.

Other questions:  Is this HTTPS only?  If not, need to be sure not to delete Secure cookies in response to an HTTP request.  Spec should be updated about this case (Or maybe the Leave Secure Cookies Alone spec should be).

There's a JavaScript API.  There are "HTTP-only" cookies that can only be accessed via HTTP.  Does it make sense to allow JavaScript to clear them?  I think it does, since JavaScript can overwrite them (I think?), just not access them, but worth thinking about.

Never mind that last comment - looks like it's only allowed for secure origins (Searched the doc for HTTPS instead of secure, so missed it).
Project Member

Comment 14 by bugdroid1@chromium.org, Sep 13 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e56855b80edc5ef04735afedc959a629c091825e

commit e56855b80edc5ef04735afedc959a629c091825e
Author: msramek <msramek@chromium.org>
Date: Tue Sep 13 19:31:05 2016

Add a fuzzer test for the Clear-Site-Data header.

With a starting corpus of several valid and almost-valid entries.

TBR=nasko@chromium.org
BUG=607897

Review-Url: https://codereview.chromium.org/2333733002
Cr-Commit-Position: refs/heads/master@{#418334}

[modify] https://crrev.com/e56855b80edc5ef04735afedc959a629c091825e/content/browser/browsing_data/clear_site_data_throttle.h
[modify] https://crrev.com/e56855b80edc5ef04735afedc959a629c091825e/content/browser/browsing_data/clear_site_data_throttle_unittest.cc
[add] https://crrev.com/e56855b80edc5ef04735afedc959a629c091825e/content/test/data/fuzzer_corpus/clear_site_data/all.txt
[add] https://crrev.com/e56855b80edc5ef04735afedc959a629c091825e/content/test/data/fuzzer_corpus/clear_site_data/cache.txt
[add] https://crrev.com/e56855b80edc5ef04735afedc959a629c091825e/content/test/data/fuzzer_corpus/clear_site_data/cookies.txt
[add] https://crrev.com/e56855b80edc5ef04735afedc959a629c091825e/content/test/data/fuzzer_corpus/clear_site_data/extra.txt
[add] https://crrev.com/e56855b80edc5ef04735afedc959a629c091825e/content/test/data/fuzzer_corpus/clear_site_data/storage.txt
[add] https://crrev.com/e56855b80edc5ef04735afedc959a629c091825e/content/test/data/fuzzer_corpus/clear_site_data/string.txt
[add] https://crrev.com/e56855b80edc5ef04735afedc959a629c091825e/content/test/data/fuzzer_corpus/clear_site_data/unknown.txt
[modify] https://crrev.com/e56855b80edc5ef04735afedc959a629c091825e/content/test/fuzzer/BUILD.gn
[add] https://crrev.com/e56855b80edc5ef04735afedc959a629c091825e/content/test/fuzzer/clear_site_data_fuzzer.cc

Re #10 (mmenke@):

I finally had time to try it out and you're right that any service worker could trick us into deleting data from any random website by responding with e.g. '<img src="https://example.org/image.jpg" />' in the served content, then immediately intercepting that request and responding with Clear-Site-Data. In this situation, URLRequest sees the origin "example.org", not the one of the service worker, so we cannot directly trust the URL.

Note that this (as well as CORS) is still just a theoretical concern, since we're only handling navigations, not subresource requests.

However, it turns out that we do want to support subresource requests as well, so these concerns will become real. Thus, thanks again for warning me, and I'll make sure to include you in the code reviews! :)

Blockedon: 668114

#10

> I [service worker can intercept requests for] cross-origin subframes

It can't. A client's service worker only intercepts sub resources.

Clear-Site-Data should work at the network fetch level, not the service worker response level. The spec seems to be correct here. A non-network response from the service worker shouldn't be able to clear site data.

Are you sure about that?  Looking at the SW spec, as usual, I can't make any sense of it.  It's not written in common English - it has layer upon layer of definitions, and even the top level ones often aren't actually mapped to HTTP syntax, requiring a lot of inference to figure out.

Also note that the content layer does not explicitly distinguish between responses from the network, and responses from a ServiceWorker, and the header has to be able to clear things that are content layer concepts, so it can't be implemented in net/.
i.e., there *is* no network fetch level in Chrome that is aware of things the header must clear.
Project Member

Comment 20 by bugdroid1@chromium.org, Jun 7 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb

commit 9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb
Author: msramek <msramek@chromium.org>
Date: Wed Jun 07 11:23:10 2017

Support the Clear-Site-Data header on resource requests

Until now, it was only supported for navigations.

Changes in this CL:

1. Convert the NavigationThrottle to a ResourceThrottle. The two classes
   are sufficiently similar that these are mostly syntactical changes,
   except that the ResourceThrottle lives on the IO thread and needs to
   occasionally jump to the UI thread.

2. Instantiate it in ResourceDispatcherHostImpl instead of
   NavigationHandleImpl. This requires adding an explicit DEPS rule.

3. Add some restrictions - for example, we will not support service worker
   requests or LOAD_DO_NOT_SET_COOKIES. These are then tested in the
   unittest.

4. Add browsertests for resource requests, and some integration tests
   that check not only calls to BrowsingDataRemover, but also the actual
   removal of data.

BUG=607897
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2368923003
Cr-Commit-Position: refs/heads/master@{#477612}

[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/chrome/browser/BUILD.gn
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/chrome/browser/chrome_content_browser_client.cc
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/chrome/browser/chrome_content_browser_client.h
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/chrome/browser/chrome_content_browser_client_unittest.cc
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/content/browser/browsing_data/clear_site_data_throttle.cc
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/content/browser/browsing_data/clear_site_data_throttle.h
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/content/browser/browsing_data/clear_site_data_throttle_browsertest.cc
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/content/browser/browsing_data/clear_site_data_throttle_unittest.cc
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/content/browser/frame_host/navigation_handle_impl.cc
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/content/browser/loader/DEPS
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/content/browser/loader/resource_dispatcher_host_impl.cc
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/content/browser/loader/resource_dispatcher_host_impl.h
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/content/public/browser/content_browser_client.h
[rename] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/content/public/test/mock_browsing_data_remover_delegate.cc
[rename] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/content/public/test/mock_browsing_data_remover_delegate.h
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/content/test/BUILD.gn
[add] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/content/test/data/browsing_data/worker.js
[add] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/content/test/data/browsing_data/worker_setup.html
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/content/test/fuzzer/clear_site_data_fuzzer.cc
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/net/http/http_response_headers.cc
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/net/http/http_response_headers_unittest.cc
[modify] https://crrev.com/9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb/testing/buildbot/filters/mojo.fyi.network_content_browsertests.filter

Project Member

Comment 21 by bugdroid1@chromium.org, Jun 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/085b57ffe70b6cb90cd77b61585babcf59df3a95

commit 085b57ffe70b6cb90cd77b61585babcf59df3a95
Author: mkwst <mkwst@chromium.org>
Date: Mon Jun 12 10:34:44 2017

Align `clear-site-data` syntax with the spec.

We've shifted from an explicit JSON dictionary to a list of quoted
strings (that can be parsed as JSON for forward-compatibility). That is,
rather than `Clear-Site-Data: { "types": [ "cookies", "cache" ] }`,
we'll use `Clear-Site-Data: "cookies", "cache"` to mean the same thing.

Spec change in https://github.com/w3c/webappsec-clear-site-data/issues/27.

BUG=607897

Review-Url: https://codereview.chromium.org/2929593002
Cr-Commit-Position: refs/heads/master@{#478585}

[modify] https://crrev.com/085b57ffe70b6cb90cd77b61585babcf59df3a95/content/browser/browsing_data/clear_site_data_throttle.cc
[modify] https://crrev.com/085b57ffe70b6cb90cd77b61585babcf59df3a95/content/browser/browsing_data/clear_site_data_throttle_browsertest.cc
[modify] https://crrev.com/085b57ffe70b6cb90cd77b61585babcf59df3a95/content/browser/browsing_data/clear_site_data_throttle_unittest.cc
[modify] https://crrev.com/085b57ffe70b6cb90cd77b61585babcf59df3a95/content/test/data/browsing_data/worker.js
[modify] https://crrev.com/085b57ffe70b6cb90cd77b61585babcf59df3a95/content/test/data/fuzzer_corpus/clear_site_data/all.txt
[modify] https://crrev.com/085b57ffe70b6cb90cd77b61585babcf59df3a95/content/test/data/fuzzer_corpus/clear_site_data/cache.txt
[modify] https://crrev.com/085b57ffe70b6cb90cd77b61585babcf59df3a95/content/test/data/fuzzer_corpus/clear_site_data/cookies.txt
[modify] https://crrev.com/085b57ffe70b6cb90cd77b61585babcf59df3a95/content/test/data/fuzzer_corpus/clear_site_data/extra.txt
[modify] https://crrev.com/085b57ffe70b6cb90cd77b61585babcf59df3a95/content/test/data/fuzzer_corpus/clear_site_data/storage.txt
[modify] https://crrev.com/085b57ffe70b6cb90cd77b61585babcf59df3a95/content/test/data/fuzzer_corpus/clear_site_data/unknown.txt

Project Member

Comment 22 by bugdroid1@chromium.org, Jun 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b6ad2b157c987fe2d64e07990b83654ac9830a85

commit b6ad2b157c987fe2d64e07990b83654ac9830a85
Author: mkwst <mkwst@chromium.org>
Date: Mon Jun 12 12:01:52 2017

Revert of Align `clear-site-data` syntax with the spec. (patchset #2 id:20001 of https://codereview.chromium.org/2929593002/ )

Reason for revert:
Despite passing all the bots, this apparently breaks `content_browsertests`: https://build.chromium.org/p/chromium.linux/buildstatus?builder=Linux%20Tests&number=57936. So, let's go fix that.

Original issue's description:
> Align `clear-site-data` syntax with the spec.
>
> We've shifted from an explicit JSON dictionary to a list of quoted
> strings (that can be parsed as JSON for forward-compatibility). That is,
> rather than `Clear-Site-Data: { "types": [ "cookies", "cache" ] }`,
> we'll use `Clear-Site-Data: "cookies", "cache"` to mean the same thing.
>
> Spec change in https://github.com/w3c/webappsec-clear-site-data/issues/27.
>
> BUG=607897
>
> Review-Url: https://codereview.chromium.org/2929593002
> Cr-Commit-Position: refs/heads/master@{#478585}
> Committed: https://chromium.googlesource.com/chromium/src/+/085b57ffe70b6cb90cd77b61585babcf59df3a95

TBR=msramek@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=607897

Review-Url: https://codereview.chromium.org/2933083002
Cr-Commit-Position: refs/heads/master@{#478594}

[modify] https://crrev.com/b6ad2b157c987fe2d64e07990b83654ac9830a85/content/browser/browsing_data/clear_site_data_throttle.cc
[modify] https://crrev.com/b6ad2b157c987fe2d64e07990b83654ac9830a85/content/browser/browsing_data/clear_site_data_throttle_browsertest.cc
[modify] https://crrev.com/b6ad2b157c987fe2d64e07990b83654ac9830a85/content/browser/browsing_data/clear_site_data_throttle_unittest.cc
[modify] https://crrev.com/b6ad2b157c987fe2d64e07990b83654ac9830a85/content/test/data/browsing_data/worker.js
[modify] https://crrev.com/b6ad2b157c987fe2d64e07990b83654ac9830a85/content/test/data/fuzzer_corpus/clear_site_data/all.txt
[modify] https://crrev.com/b6ad2b157c987fe2d64e07990b83654ac9830a85/content/test/data/fuzzer_corpus/clear_site_data/cache.txt
[modify] https://crrev.com/b6ad2b157c987fe2d64e07990b83654ac9830a85/content/test/data/fuzzer_corpus/clear_site_data/cookies.txt
[modify] https://crrev.com/b6ad2b157c987fe2d64e07990b83654ac9830a85/content/test/data/fuzzer_corpus/clear_site_data/extra.txt
[modify] https://crrev.com/b6ad2b157c987fe2d64e07990b83654ac9830a85/content/test/data/fuzzer_corpus/clear_site_data/storage.txt
[modify] https://crrev.com/b6ad2b157c987fe2d64e07990b83654ac9830a85/content/test/data/fuzzer_corpus/clear_site_data/unknown.txt

Project Member

Comment 23 by bugdroid1@chromium.org, Jun 12 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cc19a8388814caf28b15e348a2e1941b6b66e370

commit cc19a8388814caf28b15e348a2e1941b6b66e370
Author: Mike West <mkwst@chromium.org>
Date: Mon Jun 12 15:38:35 2017

Align `clear-site-data` syntax with the spec.

We've shifted from an explicit JSON dictionary to a list of quoted
strings (that can be parsed as JSON for forward-compatibility). That is,
rather than `Clear-Site-Data: { "types": [ "cookies", "cache" ] }`,
we'll use `Clear-Site-Data: "cookies", "cache"` to mean the same thing.

Spec change in https://github.com/w3c/webappsec-clear-site-data/issues/27.

BUG: 607897
Change-Id: I051dcc49f9ed108e117347ccd7e249781433302b
Reviewed-on: https://chromium-review.googlesource.com/530748
Reviewed-by: Martin Šrámek <msramek@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#478633}
[modify] https://crrev.com/cc19a8388814caf28b15e348a2e1941b6b66e370/content/browser/browsing_data/clear_site_data_throttle.cc
[modify] https://crrev.com/cc19a8388814caf28b15e348a2e1941b6b66e370/content/browser/browsing_data/clear_site_data_throttle_browsertest.cc
[modify] https://crrev.com/cc19a8388814caf28b15e348a2e1941b6b66e370/content/browser/browsing_data/clear_site_data_throttle_unittest.cc
[modify] https://crrev.com/cc19a8388814caf28b15e348a2e1941b6b66e370/content/test/data/browsing_data/worker.js
[modify] https://crrev.com/cc19a8388814caf28b15e348a2e1941b6b66e370/content/test/data/fuzzer_corpus/clear_site_data/all.txt
[modify] https://crrev.com/cc19a8388814caf28b15e348a2e1941b6b66e370/content/test/data/fuzzer_corpus/clear_site_data/cache.txt
[modify] https://crrev.com/cc19a8388814caf28b15e348a2e1941b6b66e370/content/test/data/fuzzer_corpus/clear_site_data/cookies.txt
[modify] https://crrev.com/cc19a8388814caf28b15e348a2e1941b6b66e370/content/test/data/fuzzer_corpus/clear_site_data/extra.txt
[modify] https://crrev.com/cc19a8388814caf28b15e348a2e1941b6b66e370/content/test/data/fuzzer_corpus/clear_site_data/storage.txt
[modify] https://crrev.com/cc19a8388814caf28b15e348a2e1941b6b66e370/content/test/data/fuzzer_corpus/clear_site_data/unknown.txt

Labels: -M-54 M-61
Project Member

Comment 25 by bugdroid1@chromium.org, Jul 7 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/96edcc81a114c3aa88ae657a6d7f26524054a4f2

commit 96edcc81a114c3aa88ae657a6d7f26524054a4f2
Author: msramek <msramek@chromium.org>
Date: Fri Jul 07 11:18:30 2017

Enable Clear-Site-Data web platform tests.

At the same time:
- Rename navigation.html to navigation.https.html, as Clear-Site-Data
  is only supported on HTTPS.
- Fix Promise synchronicity problems in the above file.

This was part of the CL https://codereview.chromium.org/2913553004/ which
was supposed to add the 'cache' datatype, but that CL cannot land yet due
to issues with cache being inaccessible in WPTs.

BUG=607897

Review-Url: https://codereview.chromium.org/2975463002
Cr-Commit-Position: refs/heads/master@{#484884}

[modify] https://crrev.com/96edcc81a114c3aa88ae657a6d7f26524054a4f2/third_party/WebKit/LayoutTests/NeverFixTests
[modify] https://crrev.com/96edcc81a114c3aa88ae657a6d7f26524054a4f2/third_party/WebKit/LayoutTests/W3CImportExpectations
[delete] https://crrev.com/1b24fe8864b850e20ead1147d2f6eb41c1624515/third_party/WebKit/LayoutTests/external/wpt/clear-site-data/navigation.html
[add] https://crrev.com/96edcc81a114c3aa88ae657a6d7f26524054a4f2/third_party/WebKit/LayoutTests/external/wpt/clear-site-data/navigation.https.html
[modify] https://crrev.com/96edcc81a114c3aa88ae657a6d7f26524054a4f2/third_party/WebKit/LayoutTests/external/wpt/clear-site-data/support/echo-clear-site-data.py

Project Member

Comment 28 by bugdroid1@chromium.org, Jul 18 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/db4ce8958b07571c79a472af492abdc87a2c6c68

commit db4ce8958b07571c79a472af492abdc87a2c6c68
Author: Martin Sramek <msramek@chromium.org>
Date: Tue Jul 18 16:06:18 2017

Add Clear-Site-Data [in]secure resource load WPTs

resource.html runs 4 test cases, representing [in]secure resource load
on an [in]secure page.

The expected result is that Clear-Site-Data is honored iff the resource
is secure. The embedding page does not matter.

Bug: 607897
Change-Id: Id17bc6d52bca4da46fab214bcc71ca7c7070cdb0
Reviewed-on: https://chromium-review.googlesource.com/571458
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Martin Šrámek <msramek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#487490}
[modify] https://crrev.com/db4ce8958b07571c79a472af492abdc87a2c6c68/third_party/WebKit/LayoutTests/external/wpt/clear-site-data/navigation-insecure.html
[modify] https://crrev.com/db4ce8958b07571c79a472af492abdc87a2c6c68/third_party/WebKit/LayoutTests/external/wpt/clear-site-data/navigation.https.html
[add] https://crrev.com/db4ce8958b07571c79a472af492abdc87a2c6c68/third_party/WebKit/LayoutTests/external/wpt/clear-site-data/resource.html
[modify] https://crrev.com/db4ce8958b07571c79a472af492abdc87a2c6c68/third_party/WebKit/LayoutTests/external/wpt/clear-site-data/support/echo-clear-site-data.py
[add] https://crrev.com/db4ce8958b07571c79a472af492abdc87a2c6c68/third_party/WebKit/LayoutTests/external/wpt/clear-site-data/support/page_with_resource.sub.html
[add] https://crrev.com/db4ce8958b07571c79a472af492abdc87a2c6c68/third_party/WebKit/LayoutTests/external/wpt/clear-site-data/support/send_report.html
[rename] https://crrev.com/db4ce8958b07571c79a472af492abdc87a2c6c68/third_party/WebKit/LayoutTests/external/wpt/clear-site-data/support/test_utils.sub.js

Project Member

Comment 29 by bugdroid1@chromium.org, Aug 4 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/60dcff4291a8d762b9b02a8dae4674d6138b7d9e

commit 60dcff4291a8d762b9b02a8dae4674d6138b7d9e
Author: Martin Sramek <msramek@chromium.org>
Date: Fri Aug 04 11:26:09 2017

Verify that various backends are deleted with the "storage" datatype

- Local Storage
- Indexed DB
- Filesystems
- Service workers
- WebSQL

Bug: 607897
Change-Id: I7fd82d08c651fb8f41dbde9c6af1b723679c621c
Reviewed-on: https://chromium-review.googlesource.com/596088
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Martin Šrámek <msramek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#491993}
[add] https://crrev.com/60dcff4291a8d762b9b02a8dae4674d6138b7d9e/third_party/WebKit/LayoutTests/external/wpt/clear-site-data/storage.https.html
[add] https://crrev.com/60dcff4291a8d762b9b02a8dae4674d6138b7d9e/third_party/WebKit/LayoutTests/external/wpt/clear-site-data/support/service_worker.js
[modify] https://crrev.com/60dcff4291a8d762b9b02a8dae4674d6138b7d9e/third_party/WebKit/LayoutTests/external/wpt/clear-site-data/support/test_utils.sub.js

Labels: migrated-launch-owp Type-Task
This issue has been automatically relabelled type=task because type=launch-owp issues are now officially deprecated. The deprecation is because they were creating confusion about how to get launch approvals, which should be instead done via type=launch issues.

We recommend this issue be used for implementation tracking (for public visibility), but if you already have an issue for that, you may mark this as duplicate.

For more details see here: https://docs.google.com/document/d/1JA6RohjtZQc26bTrGoIE_bSXGXUDQz8vc6G0n_sZJ2o/edit

For any questions, please contact owencm, sshruthi, larforge
Did this ship? Should this be marked fixed?

This did indeed ship in M61, but there are open comments from the TAG review, and the cache deletion option turned out to be impractical and somewhat broken.

All of that could also be tracked in separate bugs, but I want to keep this one open to indicate that Clear-Site-Data is not a closed chapter yet.
Labels: Hotlist-EnamelAndFriendsFixIt
Project Member

Comment 34 by bugdroid1@chromium.org, Nov 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/69e586cb53639ea3e6f22267bde1f611fbab00de

commit 69e586cb53639ea3e6f22267bde1f611fbab00de
Author: Martin Sramek <msramek@chromium.org>
Date: Thu Nov 16 10:22:45 2017

Add the wildcard ("*") pseudo-datatype to Clear-Site-Data.

Corresponding spec change:
https://github.com/w3c/webappsec-clear-site-data/pull/43

Bug: 607897
Change-Id: Ib9d0c994917ff801dd64404734efdcb34c9507e1
Reviewed-on: https://chromium-review.googlesource.com/771890
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Martin Šrámek <msramek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#517047}
[modify] https://crrev.com/69e586cb53639ea3e6f22267bde1f611fbab00de/content/browser/browsing_data/clear_site_data_throttle.cc
[modify] https://crrev.com/69e586cb53639ea3e6f22267bde1f611fbab00de/content/browser/browsing_data/clear_site_data_throttle_unittest.cc
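
The header syntax and the acceptance rules this thread converged on (a list of quoted strings instead of a JSON dictionary, the "*" wildcard, secure resources only, no service worker responses, no requests barred from setting cookies), modelled as an added JavaScript example; it is not Chromium's code. The `request` field names, the sample responses and the reduction of "secure" to the `https:` scheme are assumptions made for the illustration.

```javascript
// Added illustration, not Chromium code. Datatypes are the ones named in this
// issue; "*" is the wildcard pseudo-datatype (assumed to select all of them).
const KNOWN_TYPES = ["cookies", "storage", "cache"];

// Parse a header value in the quoted-string list syntax, e.g. `"cookies", "cache"`.
function parseClearSiteData(value) {
  const parsed = { types: [], warnings: [] };
  let items;
  try {
    // A list of quoted strings is valid JSON once wrapped in brackets.
    items = JSON.parse("[" + value + "]");
  } catch (err) {
    parsed.warnings.push("malformed header: expected a list of quoted strings");
    return parsed;
  }
  const selected = new Set();
  for (const item of items) {
    if (typeof item !== "string") {
      // The older `{ "types": [...] }` dictionary lands here and clears nothing.
      parsed.warnings.push("ignored non-string entry (legacy dictionary syntax?)");
    } else if (item === "*") {
      KNOWN_TYPES.forEach((t) => selected.add(t));
    } else if (KNOWN_TYPES.includes(item)) {
      selected.add(item);
    } else {
      parsed.warnings.push("unknown datatype: " + item);
    }
  }
  parsed.types = KNOWN_TYPES.filter((t) => selected.has(t));
  return parsed;
}

// Decide whether a response's header is acted on. `request` is a hypothetical
// record: { url, fromServiceWorker, cookiesBlocked }. Only the resource URL is
// consulted; the embedding page plays no part in the decision.
function evaluateResponse(request, headerValue) {
  const url = new URL(request.url);
  const refuse = (reason) =>
    ({ origin: url.origin, cleared: [], reason, warnings: [] });

  // Simplification: "secure" is reduced to the https scheme here.
  if (url.protocol !== "https:") return refuse("insecure resource");
  // A service worker can answer for a URL it does not own, so the URL of such
  // a response cannot be trusted to identify whose data to clear.
  if (request.fromServiceWorker) return refuse("service worker response");
  // Models the load flag that forbids the response from setting cookies.
  if (request.cookiesBlocked) return refuse("request may not set cookies");

  const parsed = parseClearSiteData(headerValue);
  return {
    origin: url.origin,
    cleared: parsed.types,
    reason: parsed.types.length > 0 ? "honored" : "nothing to clear",
    warnings: parsed.warnings,
  };
}

// Constructed sample responses (not taken from the issue or from real traffic).
const SAMPLES = [
  [{ url: "https://example.org/logout" }, '"cookies", "cache"'],
  [{ url: "http://example.org/image.jpg" }, '"*"'],
  [{ url: "https://example.org/image.jpg", fromServiceWorker: true }, '"*"'],
  [{ url: "https://example.org/a.js", cookiesBlocked: true }, '"cookies"'],
  [{ url: "https://example.org/" }, '{ "types": [ "cookies", "cache" ] }'],
];

function runSamples() {
  return SAMPLES.map(([request, header]) => evaluateResponse(request, header));
}

for (const result of runSamples()) {
  console.log(result.origin, result.reason, result.cleared.join(","));
}
```
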

Labels: -Hotlist-EnamelAndFriendsFixIt
