Bug 1633015 - Allow 'secure' cookies when set by .onion site r=baku

Allow secure cookies when set by a .onion site if the pref dom.securecontext.whitelist_onions is set to true. Most of the needed parts were introduced in bug 1618113, due to the fact that the `IsPotentiallyTrustworthyOrigin()` check also takes into account onion hostnames. This adds one missing check, allowing a trustworthy origin (e.g. onion site) to replace a secure cookie by an insecure one, as well as adding some tests for the .onion case. Differential Revision: https://phabricator.services.mozilla.com/D72486
2020-04-27 09:20:50 +00:00 · 2020-04-27 09:20:50 +00:00 · 0b7a953f77
--- a/netwerk/cookie/CookieStorage.cpp
+++ b/netwerk/cookie/CookieStorage.cpp
@ -7,7 +7,7 @@
 #include "CookieCommons.h"
 #include "CookieLogging.h"
 #include "CookieStorage.h"
-
+#include "mozilla/dom/nsMixedContentBlocker.h"
 #include "nsIMutableArray.h"
 #include "nsTPriorityQueue.h"
 #include "prprf.h"
@ -407,9 +407,10 @@ void CookieStorage::AddCookie(const nsACString& aBaseDomain,
  foundCookie = FindCookie(aBaseDomain, aOriginAttributes, aCookie->Host(),
                           aCookie->Name(), aCookie->Path(), exactIter);
  bool foundSecureExact = foundCookie && exactIter.Cookie()->IsSecure();
-  bool isSecure = true;
+  bool potentiallyTrustworthy = true;
  if (aHostURI) {
-    isSecure = aHostURI->SchemeIs("https");
+    potentiallyTrustworthy =
+        nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin(aHostURI);
  }
  bool oldCookieIsSession = false;
  // Step1, call FindSecureCookie(). FindSecureCookie() would
@ -425,7 +426,7 @@ void CookieStorage::AddCookie(const nsACString& aBaseDomain,
  if (!aCookie->IsSecure() &&
      (foundSecureExact ||
       FindSecureCookie(aBaseDomain, aOriginAttributes, aCookie)) &&
-      !isSecure) {
+      !potentiallyTrustworthy) {
    COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, aCookieHeader,
                      "cookie can't save because older cookie is secure "
                      "cookie but newer cookie is non-secure cookie");
--- a/netwerk/test/TestCookie.cpp
+++ b/netwerk/test/TestCookie.cpp
@ -196,6 +196,7 @@ void InitPrefs(nsIPrefBranch* aPrefBranch) {
  // default"
  Preferences::SetBool("network.cookie.sameSite.laxByDefault", false);
  Preferences::SetBool("network.cookieJarSettings.unblocked_for_testing", true);
+  Preferences::SetBool("dom.securecontext.whitelist_onions", false);
 }

 TEST(TestCookie, TestCookieMain)
@ -1009,6 +1010,9 @@ TEST(TestCookie, TestCookieMain)
    SetACookie(cookieService, secureURIs[i], "test=basic; secure");
    GetACookie(cookieService, secureURIs[i], cookie);
    EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=basic"));
+    SetACookie(cookieService, secureURIs[i], "test=basic1");
+    GetACookie(cookieService, secureURIs[i], cookie);
+    EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=basic1"));
  }

  // XXX the following are placeholders: add these tests please!
@ -1062,3 +1066,33 @@ TEST(TestCookie, SameSiteLax)
  EXPECT_EQ(cookie->RawSameSite(), nsICookie::SAMESITE_NONE);
  EXPECT_EQ(cookie->SameSite(), nsICookie::SAMESITE_NONE);
 }
+
+TEST(TestCookie, OnionSite)
+{
+  Preferences::SetBool("dom.securecontext.whitelist_onions", true);
+
+  nsresult rv;
+  nsCString cookie;
+
+  nsCOMPtr<nsICookieService> cookieService =
+      do_GetService(kCookieServiceCID, &rv);
+  ASSERT_TRUE(NS_SUCCEEDED(rv));
+
+  // .onion secure cookie tests
+  SetACookie(cookieService, "http://123456789abcdef.onion/",
+             "test=onion-security; secure");
+  GetACookieNoHttp(cookieService, "https://123456789abcdef.onion/", cookie);
+  EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=onion-security"));
+  SetACookie(cookieService, "http://123456789abcdef.onion/",
+             "test=onion-security2; secure");
+  GetACookieNoHttp(cookieService, "http://123456789abcdef.onion/", cookie);
+  EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=onion-security2"));
+  SetACookie(cookieService, "https://123456789abcdef.onion/",
+             "test=onion-security3; secure");
+  GetACookieNoHttp(cookieService, "http://123456789abcdef.onion/", cookie);
+  EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=onion-security3"));
+  SetACookie(cookieService, "http://123456789abcdef.onion/",
+             "test=onion-security4");
+  GetACookieNoHttp(cookieService, "http://123456789abcdef.onion/", cookie);
+  EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=onion-security4"));
+}