Bug 1774857 - Send (only) laxByDefault cookies on boomerang-redirects. r=dveditz

Differential Revision: https://phabricator.services.mozilla.com/D150253
2022-11-18 11:08:45 +00:00 · 2022-11-18 11:08:45 +00:00 · e0b9da0442
--- a/modules/libpref/init/StaticPrefList.yaml
+++ b/modules/libpref/init/StaticPrefList.yaml
@ -10746,6 +10746,14 @@
  value: 120
  mirror: always

+# For lax-by-default cookies ignore cross-site redirects when the final
+# redirect is same-site again.
+# https://github.com/httpwg/http-extensions/issues/2104
+- name: network.cookie.sameSite.laxByDefault.allowBoomerangRedirect
+  type: bool
+  value: true
+  mirror: always
+
 - name: network.cookie.sameSite.noneRequiresSecure
  type: bool
  value: @IS_EARLY_BETA_OR_EARLIER@
--- a/netwerk/cookie/CookieCommons.cpp
+++ b/netwerk/cookie/CookieCommons.cpp
@ -610,7 +610,7 @@ bool CookieCommons::IsSameSiteForeign(nsIChannel* aChannel, nsIURI* aHostURI,
      rv = redirectPrincipal->IsThirdPartyChannel(aChannel, &isForeign);
      // if at any point we encounter a cross-origin redirect we can return.
      if (NS_FAILED(rv) || isForeign) {
-        *aHadCrossSiteRedirects = true;
+        *aHadCrossSiteRedirects = isForeign;
        return true;
      }

--- a/netwerk/cookie/CookieService.cpp
+++ b/netwerk/cookie/CookieService.cpp
@ -1093,13 +1093,27 @@ void CookieService::GetCookiesForURI(
        }
      }

+      // Lax-by-default cookies are processed even with an intermediate
+      // cross-site redirect (they are treated like aIsSameSiteForeign = false).
+      //
+      // This is outside of ProcessSameSiteCookieForForeignRequest to still
+      // collect the same telemetry.
+      if (blockCookie && aHadCrossSiteRedirects &&
+          cookie->IsDefaultSameSite() &&
+          StaticPrefs::
+              network_cookie_sameSite_laxByDefault_allowBoomerangRedirect()) {
+        blockCookie = false;
+      }
+
      if (blockCookie) {
-        CookieLogging::LogMessageToConsole(
-            crc, aHostURI, nsIScriptError::warningFlag,
-            CONSOLE_REJECTION_CATEGORY, "CookieBlockedCrossSiteRedirect"_ns,
-            AutoTArray<nsString, 1>{
-                NS_ConvertUTF8toUTF16(cookie->Name()),
-            });
+        if (aHadCrossSiteRedirects) {
+          CookieLogging::LogMessageToConsole(
+              crc, aHostURI, nsIScriptError::warningFlag,
+              CONSOLE_REJECTION_CATEGORY, "CookieBlockedCrossSiteRedirect"_ns,
+              AutoTArray<nsString, 1>{
+                  NS_ConvertUTF8toUTF16(cookie->Name()),
+              });
+        }
        continue;
      }
    }
--- a/testing/web-platform/meta/cookies/samesite/fetch.https.html.ini
+++ b/testing/web-platform/meta/cookies/samesite/fetch.https.html.ini
@ -1,2 +1,8 @@
 [fetch.https.html]
  prefs: [network.cookie.sameSite.laxByDefault:true, network.cookie.sameSite.noneRequiresSecure:true]
+
+  [Cross-site redirecting to same-host fetches are cross-site]
+    expected: FAIL
+
+  [Cross-site redirecting to subdomain fetches are cross-site]
+    expected: FAIL
--- a/testing/web-platform/meta/cookies/samesite/form-post-blank.https.html.ini
+++ b/testing/web-platform/meta/cookies/samesite/form-post-blank.https.html.ini
@ -3,3 +3,9 @@
  expected:
    if (os == "android") and fission: [OK, TIMEOUT]
    if (os == "mac") and not debug: [OK, TIMEOUT]
+  [Cross-site redirecting to same-host top-level form POSTs are cross-site]
+    expected: FAIL
+
+  [Cross-site redirecting to subdomain top-level form POSTs are cross-site]
+    expected: FAIL
+
--- a/testing/web-platform/meta/cookies/samesite/iframe.https.html.ini
+++ b/testing/web-platform/meta/cookies/samesite/iframe.https.html.ini
@ -2,3 +2,9 @@
  prefs: [network.cookie.sameSite.laxByDefault:true, network.cookie.sameSite.noneRequiresSecure:true]
  expected:
    if (os == "android") and fission: [OK, TIMEOUT]
+  [Cross-site redirecting to same-host fetches are cross-site]
+    expected: FAIL
+
+  [Cross-site redirecting to subdomain fetches are cross-site]
+    expected: FAIL
+
--- a/testing/web-platform/meta/cookies/samesite/img.https.html.ini
+++ b/testing/web-platform/meta/cookies/samesite/img.https.html.ini
@ -3,3 +3,9 @@
  expected:
    if (os == "android") and fission: [OK, TIMEOUT]
    if (os == "mac") and not debug: [OK, TIMEOUT]
+  [Cross-site redirecting to same-host images are cross-site]
+    expected: FAIL
+
+  [Cross-site redirecting to subdomain images are cross-site]
+    expected: FAIL
+
--- a/testing/web-platform/meta/cookies/samesite/multiple-samesite-attributes.https.html.ini
+++ b/testing/web-platform/meta/cookies/samesite/multiple-samesite-attributes.https.html.ini
@ -3,3 +3,9 @@
  expected:
    if (os == "mac") and not debug: [OK, TIMEOUT]
    if (os == "android") and fission: [OK, TIMEOUT]
+  [Cross-site redirecting to same-host images are cross-site]
+    expected: FAIL
+
+  [Cross-site redirecting to subdomain images are cross-site]
+    expected: FAIL
+