New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 882107 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Buried. Ping if important.
Closed: Oct 4
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocked on:
issue 881715



Sign in to add a comment

Harden `StaticCookiePolicy` to treat empty URLs as third-party.

Project Member Reported by mkwst@chromium.org, Sep 8

Issue description

Currently, `StaticCookiePolicy` treats requests whose `site_for_cookies` is an empty GURL as always being considered first-party. That's error-prone and unintuitive. We should change that behavior to fail closed.
 
Cc: domfarolino@gmail.com
Project Member

Comment 2 by bugdroid1@chromium.org, Sep 10

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9cb9846d1aa3cc68f9d4e7974f5cdc305fb70023

commit 9cb9846d1aa3cc68f9d4e7974f5cdc305fb70023
Author: Mike West <mkwst@chromium.org>
Date: Mon Sep 10 20:57:01 2018

Harden StaticCookiePolicy to treat empty GURLs as third-party.

Bug:  882107 
Change-Id: I380e01b2663a926c9e5eb7d4ac9f3e433dc869e9
Reviewed-on: https://chromium-review.googlesource.com/1213082
Reviewed-by: Karan Bhatia <karandeepb@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#590055}
[modify] https://crrev.com/9cb9846d1aa3cc68f9d4e7974f5cdc305fb70023/chrome/browser/net/network_context_configuration_browsertest.cc
[modify] https://crrev.com/9cb9846d1aa3cc68f9d4e7974f5cdc305fb70023/content/browser/frame_host/navigation_request.cc
[modify] https://crrev.com/9cb9846d1aa3cc68f9d4e7974f5cdc305fb70023/content/browser/loader/loader_browsertest.cc
[modify] https://crrev.com/9cb9846d1aa3cc68f9d4e7974f5cdc305fb70023/extensions/browser/api/declarative_webrequest/webrequest_condition_attribute_unittest.cc
[modify] https://crrev.com/9cb9846d1aa3cc68f9d4e7974f5cdc305fb70023/extensions/browser/api/declarative_webrequest/webrequest_condition_unittest.cc
[modify] https://crrev.com/9cb9846d1aa3cc68f9d4e7974f5cdc305fb70023/net/base/static_cookie_policy.cc
[modify] https://crrev.com/9cb9846d1aa3cc68f9d4e7974f5cdc305fb70023/net/base/static_cookie_policy_unittest.cc
[modify] https://crrev.com/9cb9846d1aa3cc68f9d4e7974f5cdc305fb70023/third_party/blink/renderer/core/dom/document.cc
[modify] https://crrev.com/9cb9846d1aa3cc68f9d4e7974f5cdc305fb70023/third_party/blink/renderer/core/exported/web_document_test.cc
[modify] https://crrev.com/9cb9846d1aa3cc68f9d4e7974f5cdc305fb70023/third_party/blink/renderer/core/exported/web_frame_test.cc

Cc: msarda@chromium.org
Labels: -Pri-3 ReleaseBlock-Beta M-71 Pri-1
This is breaking signin. A lot of requests to Gaia from the browser (signin component) now have their cookies blocked when the user blocked third-party cookies, even though they should be considered first-party.

For example the ListAccounts request, which is created here:
https://cs.chromium.org/chromium/src/google_apis/gaia/gaia_auth_fetcher.cc?rcl=a7544fa319794b67426d6c9872e2f8fdc9f69c40&l=715

Should we revert?
Cc: yananj@google.com
Project Member

Comment 5 by sheriffbot@chromium.org, Sep 20

Cc: droger@chromium.org
This issue is marked as a release blocker with no OS labels associated. Please add an appropriate OS label.

All release blocking issues should have OS labels associated to it, so that the issue can tracked and promptly verified, once it gets fixed.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by bugdroid1@chromium.org, Sep 20

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5307e885ce24f0b4e2756ff5512063f754c3a403

commit 5307e885ce24f0b4e2756ff5512063f754c3a403
Author: David Roger <droger@chromium.org>
Date: Thu Sep 20 19:14:43 2018

[signin] Fix first party URL in GaiaAuthFetcher

Bug:  882107 
Change-Id: Ie36e139d17b03bfd75f3b1cec9d557ec5513b084
Reviewed-on: https://chromium-review.googlesource.com/1236214
Reviewed-by: Mihai Sardarescu <msarda@chromium.org>
Commit-Queue: David Roger <droger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#592896}
[modify] https://crrev.com/5307e885ce24f0b4e2756ff5512063f754c3a403/google_apis/gaia/gaia_auth_fetcher.cc
[modify] https://crrev.com/5307e885ce24f0b4e2756ff5512063f754c3a403/google_apis/gaia/gaia_auth_fetcher_unittest.cc

Labels: -ReleaseBlock-Beta
Removing the RBS label, signin now works again.
Labels: -Pri-1 -M-71 Pri-3
Status: Fixed (was: Started)
Labels: Postmortem-Followup

Sign in to add a comment