Verified Commit 7551d686 authored by edgul's avatar edgul Committed by ma1
Browse files

Bug 1844827 - Added checks for sub-document navigations from cross-site to... 

Bug 1844827 - Added checks for sub-document navigations from cross-site to same-site in third-party checks when setting a cookie. r=cookie-reviewers,valentin,bvandersloot a=RyanVM

Differential Revision: https://phabricator.services.mozilla.com/D204074
parent 25609cb3

modules/libpref/init/StaticPrefList.yaml

+5 −0
Original line number Diff line number Diff line
@@ -11417,6 +11417,11 @@ 
  value: false

  mirror: always



- name: network.cookie.sameSite.crossSiteIframeSetCheck

  type: bool

  value: true

  mirror: always



- name: network.cookie.thirdparty.sessionOnly

  type: bool

  value: false

netwerk/cookie/CookieService.cpp

+12 −0
Original line number Diff line number Diff line
@@ -675,6 +675,18 @@ CookieService::SetCookieStringFromHttp(nsIURI* aHostURI, 
  if (!addonAllowsLoad) {

    mThirdPartyUtil->IsThirdPartyChannel(aChannel, aHostURI,

                                         &isForeignAndNotAddon);



    // include sub-document navigations from cross-site to same-site

    // wrt top-level in our check for thirdparty-ness

    if (StaticPrefs::network_cookie_sameSite_crossSiteIframeSetCheck() &&

        !isForeignAndNotAddon &&

        loadInfo->GetExternalContentPolicyType() ==

            ExtContentPolicy::TYPE_SUBDOCUMENT) {

      bool triggeringPrincipalIsThirdParty = false;

      BasePrincipal::Cast(loadInfo->TriggeringPrincipal())

          ->IsThirdPartyURI(channelURI, &triggeringPrincipalIsThirdParty);

      isForeignAndNotAddon |= triggeringPrincipalIsThirdParty;

    }

  }



  nsCString cookieHeader(aCookieHeader);

netwerk/cookie/CookieServiceChild.cpp

+12 −0
Original line number Diff line number Diff line
@@ -517,6 +517,18 @@ CookieServiceChild::SetCookieStringFromHttp(nsIURI* aHostURI, 
  if (!addonAllowsLoad) {

    mThirdPartyUtil->IsThirdPartyChannel(aChannel, aHostURI,

                                         &isForeignAndNotAddon);



    // include sub-document navigations from cross-site to same-site

    // wrt top-level in our check for thirdparty-ness

    if (StaticPrefs::network_cookie_sameSite_crossSiteIframeSetCheck() &&

        !isForeignAndNotAddon &&

        loadInfo->GetExternalContentPolicyType() ==

            ExtContentPolicy::TYPE_SUBDOCUMENT) {

      bool triggeringPrincipalIsThirdParty = false;

      BasePrincipal::Cast(loadInfo->TriggeringPrincipal())

          ->IsThirdPartyURI(finalChannelURI, &triggeringPrincipalIsThirdParty);

      isForeignAndNotAddon |= triggeringPrincipalIsThirdParty;

    }

  }



  bool moreCookies;