Keychain dialog comes up when network service is enabled on Mac

Issue description

Per reports, os_crypt is used in the network process when network service is turned on. This is causing users to get a prompt from the OS as to whether to allow the binary used for child processes to get access to the stored passwords.

From Robert in a private email thread: "As Dominic notes, we shouldn't add Google Chrome Helper to the ACL for our keychain secrets. The sandbox does prevent renderers from talking to the security daemon and reading Keychain files, but the ACL is what matters most in the event of a sandbox escape."

https://chromium.googlesource.com/chromium/src/+/1c6f0e1c732f129237c96e7e01622da7d54bdd7a might be related.
,
Sep 4
,
Sep 4
Note that cookies are all read into memory on start, so even if we have to create some sort of proxied persistent cookie store, it would just affect performance while still loading cookies into memory. *However*, it might also mean we'd be more likely to lose cookies on shutdown... And there's additional session cookie-settings magic that has to be respected in the network process.
,
Sep 4
On macOS, the implementation is handled by //components/os_crypt/os_crypt_mac.mm's GetEncryptionKey(). Note that this issue will potentially be present with Linux sandboxing efforts as well, as the Linux os_crypt implementation has a number of backends (see all the KeyStorage implementations), but they functionally return GetKeyImpl (just with various 3P dependencies, such as KWallet).

The encryption within net is handled by the //net/extras/sqlite/cookie_crypto_delegate.h, which is implemented by //components/cookie_config to glue //components/os_crypt to the cookie store.
,
Sep 4
,
Sep 5
re #1 On Mac and Linux, encryption depends on a safely stored key. If you pass that key between processes, encryption and decryption will work fine. I would defer to the security team on whether it is safe to pass this key between processes.
,
Sep 5
,
Sep 5
If it is not possible to keep the key only in the browser process (e.g., round-tripping to the browser for each cookie decrypt is too costly), then sending the key over IPC to the network service seems acceptable. Doing so would be preferable on Mac to expanding the Keychain ACL to include the Helper app.
,
Sep 5
,
Sep 6
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/82531c641caf83369e66ee2d6635bc72e1ddc83b

commit 82531c641caf83369e66ee2d6635bc72e1ddc83b
Author: Chris Mumford <cmumford@chromium.org>
Date: Thu Sep 06 22:31:36 2018

Send the AES encryption key to the network service.

Send the encryption key to network service so that the process does not request the item from the keychain directly, which would cause macOS to show a confirmation prompt.

Bug: 880522
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: Ia1067bf809472653d843b9007a45574bfe10ed2c
Reviewed-on: https://chromium-review.googlesource.com/1208457
Commit-Queue: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#589343}

[modify] https://crrev.com/82531c641caf83369e66ee2d6635bc72e1ddc83b/chrome/browser/net/system_network_context_manager.cc
[modify] https://crrev.com/82531c641caf83369e66ee2d6635bc72e1ddc83b/components/os_crypt/os_crypt.h
[modify] https://crrev.com/82531c641caf83369e66ee2d6635bc72e1ddc83b/components/os_crypt/os_crypt_mac.mm
[modify] https://crrev.com/82531c641caf83369e66ee2d6635bc72e1ddc83b/services/network/network_service.cc
[modify] https://crrev.com/82531c641caf83369e66ee2d6635bc72e1ddc83b/services/network/network_service.h
[modify] https://crrev.com/82531c641caf83369e66ee2d6635bc72e1ddc83b/services/network/public/mojom/network_service.mojom
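The key handoff discussed in this thread, as an added example that is not part of the original bug or of Chromium's code: a simplified model in which a child process either reads the Keychain itself (prompt) or receives the key from the browser (no prompt). `MockKeychain`, `ProcessCrypt`, `SetRawKey` and `PromptsSeen` are hypothetical names, and the key material is constructed.

```cpp
#include <iostream>
#include <set>
#include <stdexcept>
#include <string>

// Constructed stand-in for the Keychain: one secret guarded by an ACL of binaries.
struct MockKeychain {
  std::set<std::string> acl{"Browser"};  // the Helper is deliberately absent
  std::string secret{"constructed-key-material"};
  int prompts = 0;  // times the OS would have shown the dialog
  bool Read(const std::string& binary, std::string* out) {
    if (acl.count(binary) == 0) { ++prompts; return false; }  // user denies
    *out = secret;
    return true;
  }
};

// Hypothetical per-process crypto state with a lazily fetched key.
class ProcessCrypt {
 public:
  ProcessCrypt(MockKeychain* kc, const std::string& binary) : kc_(kc), binary_(binary) {}
  // Child side: install a key received over IPC, once, before first use.
  void SetRawKey(const std::string& key) {
    if (key.empty() || !key_.empty())
      throw std::logic_error("raw key must be set once, before first use");
    key_ = key;
  }
  // Every encrypt/decrypt path would call this.
  const std::string& Key() {
    if (key_.empty() && !kc_->Read(binary_, &key_))
      throw std::runtime_error("keychain access denied");
    return key_;
  }
 private:
  MockKeychain* kc_;
  std::string binary_;
  std::string key_;
};

// Returns the prompt count; handoff=false models the behaviour reported in the bug.
int PromptsSeen(bool handoff) {
  MockKeychain kc;
  ProcessCrypt browser(&kc, "Browser"), helper(&kc, "Helper");
  if (handoff) helper.SetRawKey(browser.Key());  // stands in for the IPC message
  try { helper.Key(); } catch (const std::runtime_error&) {}
  return kc.prompts;
}

int main() { std::cout << PromptsSeen(false) << " " << PromptsSeen(true) << "\n"; }
```

The ACL in the model never grows: the Helper stays off it in both runs, which is the property the security comments above ask to preserve.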
,
Sep 7
Update: We are unable to reproduce the issue on old canary build #71.0.3542.0. @jam: Could you please provide us with the exact steps of the issue, which would help us to verify the issue further? Attaching screen-cast with performed steps. Thanks.
,
Sep 7
,
Sep 7
Branch:3538
,
Sep 7
aiman.ansari@etouch.net: I had to do two things to repro: 1) Start with a fresh profile directory. i.e. use a new --user-data-dir value when launching Chrome. 2) Make sure you run Chrome with net service enabled: --enable-features=NetworkService, then navigating to https://mail.google.com will display the dialog after a short prompt.
,
Sep 7
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/1e1c6c712894e519ecec0ef5d9ed4ca470491c9a

commit 1e1c6c712894e519ecec0ef5d9ed4ca470491c9a
Author: Chris Mumford <cmumford@google.com>
Date: Fri Sep 07 19:51:17 2018

Send the AES encryption key to the network service.

Send the encryption key to network service so that the process does not request the item from the keychain directly, which would cause macOS to show a confirmation prompt.

TBR=cmumford@chromium.org

(cherry picked from commit 82531c641caf83369e66ee2d6635bc72e1ddc83b)

Bug: 880522
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: Ia1067bf809472653d843b9007a45574bfe10ed2c
Reviewed-on: https://chromium-review.googlesource.com/1208457
Commit-Queue: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#589343}
Reviewed-on: https://chromium-review.googlesource.com/1214156
Reviewed-by: Chris Mumford <cmumford@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#152}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}

[modify] https://crrev.com/1e1c6c712894e519ecec0ef5d9ed4ca470491c9a/chrome/browser/net/system_network_context_manager.cc
[modify] https://crrev.com/1e1c6c712894e519ecec0ef5d9ed4ca470491c9a/components/os_crypt/os_crypt.h
[modify] https://crrev.com/1e1c6c712894e519ecec0ef5d9ed4ca470491c9a/components/os_crypt/os_crypt_mac.mm
[modify] https://crrev.com/1e1c6c712894e519ecec0ef5d9ed4ca470491c9a/services/network/network_service.cc
[modify] https://crrev.com/1e1c6c712894e519ecec0ef5d9ed4ca470491c9a/services/network/network_service.h
[modify] https://crrev.com/1e1c6c712894e519ecec0ef5d9ed4ca470491c9a/services/network/public/mojom/network_service.mojom
,
Sep 7
,
Sep 12
Update: Retested the issue using steps mentioned in comment #14 with #network-service flag enabled and seems issue is fixed. Visited https://mail.google.com and no Keychain dialog is observed even after waiting for 30 sec. Kindly refer the attached screen-cast from below link. https://drive.google.com/drive/folders/1HLzk4-pDfurCKpC8XgCtnml_02ulw8yL?usp=sharing Thanks!
Comment 1 by jam@chromium.org
, Sep 4