Don't permit setting SameSite cookies from cross-site contexts.
This is almost entirely based on Mike West's preliminary version: https://chromium-review.googlesource.com/c/chromium/src/+/1528244 The new enforcement blocks the setup portion of some existing WPT tests, which verified read behavior, so the helper they use was changed to always set the cookies in a same-site context by postMessage'ing to a helper window. Bug: 837412 Change-Id: Iba95d65ec4d0916fb4dfa581efaede50654792d3
1 parent
4657e10
commit d0b993e
Showing
3 changed files
with
98 additions
and
23 deletions.
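--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+// Helper to either set or clear some cookies on its own origin, or
+// (potentially) cross-site on ORIGIN.
+window.onmessage = e => {
+var originToUse = ORIGIN;
+if (e.data.useOwnOrigin)
+originToUse = self.origin;
+
+if (e.data.type === "set") {
+credFetch(originToUse + "/cookies/resources/setSameSite.py?" + e.data.value)
+.then(_ => {
+e.source.postMessage({
+type: "set-complete",
+value: e.data.value
+}, "*");
+});
+}
+
+if (e.data.type === "drop") {
+credFetch(originToUse + "/cookies/resources/dropSameSite.py")
+.then(_ => {
+e.source.postMessage({type: "drop-complete"}, "*");
+});
+}
+};
+
+window.opener.postMessage({
+type: "READY"
+}, "*");
+</script>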
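Review bot: The `credFetch(...).then(_ => {...})` chains in the `set` and `drop` branches have no rejection handler, so a failed or blocked fetch never posts `set-complete`/`drop-complete` and the opener presumably sits in `wait_for_message` until the harness timeout instead of failing with a reason. Replying with the outcome on the same message type, e.g. `.catch(err => e.source.postMessage({type: "set-complete", value: e.data.value, error: String(err)}, "*"))`, would let the test resume and fail on `e.data.error`. The handler also acts on a message from any sender without checking `e.origin` and appends `e.data.value` to the query string unencoded; both look acceptable for a WPT fixture driven only by its opener, but a `// NOTE: no origin check -- this helper is only meant to be driven by the page that opened it` comment above `window.onmessage` would make that intent explicit. `var originToUse` could be `let`, since the arrow function already assumes ES2015.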
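--- /dev/null
+++ b/<path-not-shown-on-page>
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<meta charset="utf-8"/>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+promise_test(async function(t) {
+let w = window.open(ORIGIN + "/cookies/samesite/resources/puppet.html");
+await wait_for_message("READY", ORIGIN);
+let random = "" + Math.random();
+w.postMessage({type: "set", value: random}, "*");
+let e = await wait_for_message("set-complete", ORIGIN)
+assert_dom_cookie("samesite_strict", e.data.value, true);
+assert_dom_cookie("samesite_lax", e.data.value, true);
+assert_dom_cookie("samesite_none", e.data.value, true);
+w.close();
+}, "Same-site window should be able to set `SameSite=Lax` or `SameSite=Strict` cookies.");
+
+promise_test(async function(t) {
+let w = window.open(CROSS_SITE_ORIGIN + "/cookies/samesite/resources/puppet.html");
+await wait_for_message("READY", CROSS_SITE_ORIGIN);
+let random = "" + Math.random();
+w.postMessage({type: "set", value: random}, "*");
+let e = await wait_for_message("set-complete", CROSS_SITE_ORIGIN);
+assert_dom_cookie("samesite_strict", e.data.value, false);
+assert_dom_cookie("samesite_lax", e.data.value, false);
+assert_dom_cookie("samesite_none", e.data.value, true);
+w.close();
+}, "Cross-site window shouldn't be able to set `SameSite=Lax` or `SameSite=Strict` cookies.");
+</script>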
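Review bot: `w.close()` at the end of each `promise_test` body runs only on the success path, so a failing `assert_dom_cookie` leaves the puppet window open, and neither test drops the `samesite_*` cookies it sets, which presumably persist for whatever runs next in the same profile. Registering cleanup right after `window.open`, e.g. `t.add_cleanup(() => w.close());`, and sending the puppet its `{type: "drop"}` message (which it supports but this test never uses) before closing would keep the two tests isolated from each other and from later files. `let e = await wait_for_message("set-complete", ORIGIN)` in the first test is missing its semicolon, unlike the same line in the second test. Both test bodies lie fully inside the hunk.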