Add domain and path checks for secure cookies eviction

[KiChjang]

Fixes #14477.

---

This change is 

[highfive]

Heads up! This PR modifies the following files:

• @KiChjang: components/net/cookie_storage.rs, components/net/cookie.rs

[highfive]

Warning

• These commits modify net code, but no tests are modified. Please consider adding a test!

[KiChjang]

r? @jdm

[Ms2ger]

This looks like a more complicated way of writing .any(..)

[KiChjang]

Totally is, that function completely slipped my mind.

[jdm]

We will definitely need tests verifying that the attacks described in the spec fail.

[jdm]

CookieSource::HTTP only means that it's an HTTP/HTTPS request, rather than document.cookie. Let's add a ServoUrl argument to CookieSource::HTTP so we can check it here.

[jdm]

This is missing the "vice-versa" part of step 2.1.3.

[jdm]

Could we do everything after the || on a new line instead?

[jdm]

We'll want to check the actual request URL here.

[jdm]

What happened to performing the symmetric domain matches from the spec? That's different than checking if the domains for the two cookies are identical.

[KiChjang]

I was thinking that bi-directional domain-matching is equivalent to equality comparison. RFC 2965 states the following:

 Host A's name domain-matches host B's if

 *  their host name strings string-compare equal; or
 *  A is a HDN string and has the form NB, where N is a non-empty
    name string, B has the form .B', and B' is a HDN string.  (So,
    x.y.com domain-matches .Y.com but not Y.com.)

[jdm]

It's the second point that doesn't get covered by the equality check here, since if the domains are not strictly equal they can still match.

[KiChjang]

Yes, but since it's checking bi-directionally, I don't think it's possible where A domain-matches B and B domain-matches A but A is not equal to B.

[KiChjang]

Basically it boils down to the statement "if two strings are suffixes of each other, then they are equal".

[KiChjang]

Nevermind, the IETF draft did not say "and vice versa", it said "or vice versa".

[jdm]

Our cookies always have a path according to https://github.com/KiChjang/servo/blob/cf08600e5f390b72a6e094e74633326bad204908/components/net/cookie.rs#L69-L74, so let's use expect on both of them instead.

[frewsxcv]

Should we add an assert here that string.len() > domain_string.len() ?

[jdm]

If string ends with domain_string, that is already implicitly true.

[jdm]

Note to self: be sure that these changes do not prevent a page using document.cookie to set a secure cookie if the page running the JS has a secure origin.

[bors-servo]

☔ The latest upstream changes (presumably #14570) made this pull request unmergeable. Please resolve the merge conflicts.

[jdm]

Good start on the tests. We need more thorough coverage for some of the cases to be sure we're not breaking the existing implementation and to be sure we're properly blocking all the cases that the specification calls out.

[jdm]

Let's do:

if !cookie.cookie.secure && !source.is_secure_protocol() {
    let new_domain = cookie.cookie.domain.as_ref().unwrap();
    let new_path = cookie.cookie.path.as_ref().unwrap();

    let any_overlapping = cookies.iter().any(|c| {
        let existing_domain = c.cookie.domain.as_ref().unwrap();
        let existing_path = c.cookie.path.as_ref().unwrap();

        c.cookie.name == cookie.cookie.name &&
        c.cookie.secure &&
        (Cookie::domain_match(new_domain, existing_domain) ||
         Cookie::domain_match(existing_domain, new_domain)) &&
        Cookie::path_match(new_path, existing_path)
    });

    if any_overlapping {
        return Err(());
    }
}

[jdm]

I think we're going to have to add a ServoUrl to this case to, or we'll break allowing pages to set secure cookies via document.cookie when loaded via a secure scheme.

[KiChjang]

What would a non-secure non-HTTP source look like?

[jdm]

Using document.cookie on a site with an HTTP URL.

[jdm]

Let's call this secure_url and reuse it later.

[jdm]

Let's call this insecure_url.

[jdm]

We need another test that tries setting these cookies using a secure scheme, too.

[jdm]

We should add a test that it's still possible to set secure cookies using a NonHTTP source and a secure URL.

[jdm]

Seems like the rebase went a bit wonky here?

[KiChjang]

Still only rebased; haven't gotten around to address comments yet.

[jdm]

I finally sat down and reasoned my way through the test results. This looks good to me; thanks for working on it!
@bors-servo: r+

[bors-servo]

📌 Commit 16f1947 has been approved by jdm

[bors-servo]

⌛ Testing commit 16f1947 with merge b13afcc...

[bors-servo]

☀️ Test successful - android, arm32, arm64, linux-dev, linux-rel-css, linux-rel-wpt, mac-dev-unit, mac-rel-css, mac-rel-wpt1, mac-rel-wpt2, windows-gnu-dev, windows-msvc-dev