Consider redirects when defining same-site #1348
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
PTAL @chlily1 @miketaylr @annevk |
chlily1
reviewed
Dec 23, 2020
chlily1
reviewed
Dec 23, 2020
|
Thanks, this LGTM! |
miketaylr
reviewed
Dec 28, 2020
reschke
reviewed
Jan 25, 2021
You can grab a snapshot using this fancy button:
|
I looked a bit more at the process here, and linking to a permalink in a spec is discouraged by HTML. See https://whatwg.org/working-mode#anchors. Specifically Following that process: I've filed whatwg/html#6329, and will reference that anchor using a non-snapshot link & date as a separate reference from the rest of these HTML terms the spec already references. |
added 2 commits
January 26, 2021 10:18
reschke
requested changes
Jan 26, 2021
miketaylr
approved these changes
Feb 8, 2021
|
@englehardt it would be good to also add a changelog entry here. |
|
@chlily1 Would you mind taking another look at this post-merge with #1384? I've simplified the language in the same-site section regarding how we calculate same-site for requests which are reload navigations resulting from UI. Previously you had:
But consider the example of a user that types in B.com in the address bar (i.e., no client), B.com HTTP redirects to A.com, and then the user manually refreshes A.com. The B.com to A.com redirect makes the initial load cross-site, and thus we'd expect the user-initiated reload to still be cross-site. But if we followed the quoted text above, we'd use the client of the initial load (i.e., null) and conclude the new request should be same-site. I've instead opted to use the criteria you added later in the draft:
|
|
I've also made a terminology change, moving from |
sbingler
approved these changes
Feb 12, 2021
Nice catch, thanks! Lgtm. |
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Mar 5, 2021
The cookie spec is being amended in httpwg/http-extensions#1348 to consider the redirect chain when computing whether a request is considered same-site. This aligns with the new specification by considering a request cross- site if any URL in the redirect chain was cross-site from the current request URL. Bug: 830101 Change-Id: I060026647ccea2a97267e865c8292ac64915e87b
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Mar 5, 2021
The cookie spec is being amended in httpwg/http-extensions#1348 to consider the redirect chain when computing whether a request is considered same-site. This aligns with the new specification by considering a request cross- site if any URL in the redirect chain was cross-site from the current request URL. Bug: 830101 Change-Id: I060026647ccea2a97267e865c8292ac64915e87b
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Mar 8, 2021
The cookie spec is being amended in httpwg/http-extensions#1348 to consider the redirect chain when computing whether a request is considered same-site. This aligns with the new specification by considering a request cross- site if any URL in the redirect chain was cross-site from the current request URL. Bug: 830101 Change-Id: I060026647ccea2a97267e865c8292ac64915e87b
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Mar 8, 2021
The cookie spec is being amended in httpwg/http-extensions#1348 to consider the redirect chain when computing whether a request is considered same-site. This aligns with the new specification by considering a request cross- site if any URL in the redirect chain was cross-site from the current request URL. Bug: 830101 Change-Id: I060026647ccea2a97267e865c8292ac64915e87b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2605504 Commit-Queue: Lily Chen <chlily@chromium.org> Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Reviewed-by: Min Qin <qinmin@chromium.org> Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Cr-Commit-Position: refs/heads/master@{#860890}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Mar 8, 2021
The cookie spec is being amended in httpwg/http-extensions#1348 to consider the redirect chain when computing whether a request is considered same-site. This aligns with the new specification by considering a request cross- site if any URL in the redirect chain was cross-site from the current request URL. Bug: 830101 Change-Id: I060026647ccea2a97267e865c8292ac64915e87b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2605504 Commit-Queue: Lily Chen <chlily@chromium.org> Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Reviewed-by: Min Qin <qinmin@chromium.org> Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Cr-Commit-Position: refs/heads/master@{#860890}
blueboxd
pushed a commit
to blueboxd/chromium-legacy
that referenced
this pull request
Mar 9, 2021
The cookie spec is being amended in httpwg/http-extensions#1348 to consider the redirect chain when computing whether a request is considered same-site. This aligns with the new specification by considering a request cross- site if any URL in the redirect chain was cross-site from the current request URL. Bug: 830101 Change-Id: I060026647ccea2a97267e865c8292ac64915e87b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2605504 Commit-Queue: Lily Chen <chlily@chromium.org> Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Reviewed-by: Min Qin <qinmin@chromium.org> Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Cr-Commit-Position: refs/heads/master@{#860890}
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Mar 19, 2021
…n for same-site requests, a=testonly Automatic update from web-platform-tests SameSite cookies: Consider redirect chain for same-site requests The cookie spec is being amended in httpwg/http-extensions#1348 to consider the redirect chain when computing whether a request is considered same-site. This aligns with the new specification by considering a request cross- site if any URL in the redirect chain was cross-site from the current request URL. Bug: 830101 Change-Id: I060026647ccea2a97267e865c8292ac64915e87b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2605504 Commit-Queue: Lily Chen <chlily@chromium.org> Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Reviewed-by: Min Qin <qinmin@chromium.org> Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Cr-Commit-Position: refs/heads/master@{#860890} -- wpt-commits: f5d7be1e657bdba8621715da535ba6058ca411a7 wpt-pr: 27902
blueboxd
pushed a commit
to blueboxd/chromium-legacy
that referenced
this pull request
Jun 3, 2021
This adds a base::Feature (disabled by default) to control the redirect chain checking for SameSite cookies. When the feature is enabled, any cross-site redirect hop makes a request cross-site. This is consistent with the behavior specified by RFC 6265bis as of httpwg/http-extensions#1348. When the feature is disabled, only the site-for-cookies and initiator are considered, relative to the request URL. This is consistent with the behavior specified by previous versions of the spec. The redirect chain checking behavior is being hidden behind a Feature due to site breakage. We intend to re-enable it later. The new base::Feature is added to the set of features enabled by --enable-experimental-web-platform-features, so that web tests can run with the feature enabled (so as to match Firefox's behavior). The new base::Feature is also added to the set of features enabled by --enable-experimental-cookie-features. Bug: 1215167 Change-Id: Ie9a637f8ab0921f13559254caba93772ba8990fe Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2930367 Reviewed-by: John Abd-El-Malek <jam@chromium.org> Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#888696}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Jul 26, 2021
These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Jul 26, 2021
These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054294 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905421}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Jul 26, 2021
These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054294 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905421}
blueboxd
pushed a commit
to blueboxd/chromium-legacy
that referenced
this pull request
Jul 27, 2021
These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054294 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905421}
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Jul 30, 2021
…=testonly Automatic update from web-platform-tests Re-enable SameSite cookie iframe WPTs These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054294 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905421} -- wpt-commits: d4deee9e5303f3c09f65bc0d40783cc18a30606e wpt-pr: 29792
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Jul 31, 2021
…=testonly Automatic update from web-platform-tests Re-enable SameSite cookie iframe WPTs These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054294 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905421} -- wpt-commits: d4deee9e5303f3c09f65bc0d40783cc18a30606e wpt-pr: 29792
jamienicol
pushed a commit
to jamienicol/gecko
that referenced
this pull request
Aug 4, 2021
…=testonly Automatic update from web-platform-tests Re-enable SameSite cookie iframe WPTs These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054294 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905421} -- wpt-commits: d4deee9e5303f3c09f65bc0d40783cc18a30606e wpt-pr: 29792
jamienicol
pushed a commit
to jamienicol/gecko
that referenced
this pull request
Aug 4, 2021
…=testonly Automatic update from web-platform-tests Re-enable SameSite cookie iframe WPTs These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054294 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905421} -- wpt-commits: d4deee9e5303f3c09f65bc0d40783cc18a30606e wpt-pr: 29792
GrumpyOldTroll
pushed a commit
to GrumpyOldTroll/chromium
that referenced
this pull request
Sep 4, 2021
[Merge to M93 branch] This adds histograms and UseCounter/UKM to measure the impact of the cookie spec change in httpwg/http-extensions#1348, which incorporates the redirect chain into the computation of a request's same-site or cross-site status. The histograms measure, on a per-cookie level, how many cookies are affected by the change (i.e. how many cookies have their ultimate inclusion changed by considering a cross-site redirect to make the request cross-site) as well as the SameSite attributes of those affected cookies. The UseCounter/UKM measures how many pageloads have impacted cookies. (cherry picked from commit 2db3a42) Bug: 1221316 Change-Id: I018f110466aa08e304c46f6de26fb1cc18facf33 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3024588 Reviewed-by: Steven Bingler <bingler@chromium.org> Reviewed-by: danakj <danakj@chromium.org> Reviewed-by: Matt Falkenhagen <falken@chromium.org> Reviewed-by: Robert Kaplow <rkaplow@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#903573} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3049050 Auto-Submit: Lily Chen <chlily@chromium.org> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Reviewed-by: Jesse Doherty <jwd@chromium.org> Reviewed-by: Prudhvi Kumar Bommana <pbommana@google.com> Owners-Override: Prudhvi Kumar Bommana <pbommana@google.com> Cr-Commit-Position: refs/branch-heads/4577@{chromium#109} Cr-Branched-From: 761ddde-refs/heads/master@{#902210}
mjfroman
pushed a commit
to mjfroman/moz-libwebrtc-third-party
that referenced
this pull request
Oct 14, 2022
The cookie spec is being amended in httpwg/http-extensions#1348 to consider the redirect chain when computing whether a request is considered same-site. This aligns with the new specification by considering a request cross- site if any URL in the redirect chain was cross-site from the current request URL. Bug: 830101 Change-Id: I060026647ccea2a97267e865c8292ac64915e87b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2605504 Commit-Queue: Lily Chen <chlily@chromium.org> Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Reviewed-by: Min Qin <qinmin@chromium.org> Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Cr-Commit-Position: refs/heads/master@{#860890} GitOrigin-RevId: 306b8fba167a809c5389a58d65bee438ca3bd15d
mjfroman
pushed a commit
to mjfroman/moz-libwebrtc-third-party
that referenced
this pull request
Oct 14, 2022
This adds histograms and UseCounter/UKM to measure the impact of the cookie spec change in httpwg/http-extensions#1348, which incorporates the redirect chain into the computation of a request's same-site or cross-site status. The histograms measure, on a per-cookie level, how many cookies are affected by the change (i.e. how many cookies have their ultimate inclusion changed by considering a cross-site redirect to make the request cross-site) as well as the SameSite attributes of those affected cookies. The UseCounter/UKM measures how many pageloads have impacted cookies. Bug: 1221316 Change-Id: I018f110466aa08e304c46f6de26fb1cc18facf33 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3024588 Reviewed-by: Steven Bingler <bingler@chromium.org> Reviewed-by: danakj <danakj@chromium.org> Reviewed-by: Matt Falkenhagen <falken@chromium.org> Reviewed-by: Robert Kaplow <rkaplow@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#903573} NOKEYCHECK=True GitOrigin-RevId: 2db3a4287cc5ebbd7b1189509380cfc5647715ef
mjfroman
pushed a commit
to mjfroman/moz-libwebrtc-third-party
that referenced
this pull request
Oct 14, 2022
These tests were temporarily disabled due to an incompatibility between Firefox and Chromium. Now that this has been resolved by a spec PR (httpwg/http-extensions#1428), the tests can be re-enabled. Additionally, one of the tests was adjusted to reflect the behavior for redirects specified in httpwg/http-extensions#1348, which is enabled as part of --enable-experimental-web-platform-features. Bug: 1074441 Change-Id: I7e1deadf0c080927cc328b54d300d5d418fa5c6d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3054294 Reviewed-by: Steven Bingler <bingler@chromium.org> Commit-Queue: Lily Chen <chlily@chromium.org> Cr-Commit-Position: refs/heads/master@{#905421} NOKEYCHECK=True GitOrigin-RevId: 41ff2ed8246af31d078a263d228de4533b5991a1
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Addresses #889.
Note that this change also simplifies the definition by referencing the fetch definition of when two origins are considered same-site. The text is the current version is effectively a copy-paste of that definition.