Verified Commit 7551d686 authored by edgul's avatar edgul Committed by ma1
Browse files

Bug 1844827 - Added checks for sub-document navigations from cross-site to...

Bug 1844827 - Added checks for sub-document navigations from cross-site to same-site in third-party checks when setting a cookie. r=cookie-reviewers,valentin,bvandersloot a=RyanVM

Differential Revision: https://phabricator.services.mozilla.com/D204074
parent 25609cb3
Loading
Loading
Loading
Loading
+5 −0
Original line number Diff line number Diff line
@@ -11417,6 +11417,11 @@
  value: false
  mirror: always

- name: network.cookie.sameSite.crossSiteIframeSetCheck
  type: bool
  value: true
  mirror: always

- name: network.cookie.thirdparty.sessionOnly
  type: bool
  value: false
+12 −0
Original line number Diff line number Diff line
@@ -675,6 +675,18 @@ CookieService::SetCookieStringFromHttp(nsIURI* aHostURI,
  if (!addonAllowsLoad) {
    mThirdPartyUtil->IsThirdPartyChannel(aChannel, aHostURI,
                                         &isForeignAndNotAddon);

    // include sub-document navigations from cross-site to same-site
    // wrt top-level in our check for thirdparty-ness
    if (StaticPrefs::network_cookie_sameSite_crossSiteIframeSetCheck() &&
        !isForeignAndNotAddon &&
        loadInfo->GetExternalContentPolicyType() ==
            ExtContentPolicy::TYPE_SUBDOCUMENT) {
      bool triggeringPrincipalIsThirdParty = false;
      BasePrincipal::Cast(loadInfo->TriggeringPrincipal())
          ->IsThirdPartyURI(channelURI, &triggeringPrincipalIsThirdParty);
      isForeignAndNotAddon |= triggeringPrincipalIsThirdParty;
    }
  }

  nsCString cookieHeader(aCookieHeader);
+12 −0
Original line number Diff line number Diff line
@@ -517,6 +517,18 @@ CookieServiceChild::SetCookieStringFromHttp(nsIURI* aHostURI,
  if (!addonAllowsLoad) {
    mThirdPartyUtil->IsThirdPartyChannel(aChannel, aHostURI,
                                         &isForeignAndNotAddon);

    // include sub-document navigations from cross-site to same-site
    // wrt top-level in our check for thirdparty-ness
    if (StaticPrefs::network_cookie_sameSite_crossSiteIframeSetCheck() &&
        !isForeignAndNotAddon &&
        loadInfo->GetExternalContentPolicyType() ==
            ExtContentPolicy::TYPE_SUBDOCUMENT) {
      bool triggeringPrincipalIsThirdParty = false;
      BasePrincipal::Cast(loadInfo->TriggeringPrincipal())
          ->IsThirdPartyURI(finalChannelURI, &triggeringPrincipalIsThirdParty);
      isForeignAndNotAddon |= triggeringPrincipalIsThirdParty;
    }
  }

  bool moreCookies;