diff --git a/netwerk/cookie/CookieCommons.cpp b/netwerk/cookie/CookieCommons.cpp
index 4bdb42bd9a5b..fed01042f511 100644
--- a/netwerk/cookie/CookieCommons.cpp
+++ b/netwerk/cookie/CookieCommons.cpp
@@ -446,5 +446,15 @@ already_AddRefed CookieCommons::GetCookieJarSettings(
 return cookieJarSettings.forget();
 }
+// static
+bool CookieCommons::ShouldIncludeCrossSiteCookieForDocument(Cookie* aCookie) {
+ MOZ_ASSERT(aCookie);
+
+ int32_t sameSiteAttr = 0;
+ aCookie->GetSameSite(&sameSiteAttr);
+
+ return sameSiteAttr == nsICookie::SAMESITE_NONE;
+}
+
 } // namespace net
 } // namespace mozilla
diff --git a/netwerk/cookie/CookieCommons.h b/netwerk/cookie/CookieCommons.h
index 35042108be2d..54ea72c55053 100644
--- a/netwerk/cookie/CookieCommons.h
+++ b/netwerk/cookie/CookieCommons.h
@@ -10,6 +10,7 @@
 #include
 #include "prtime.h"
 #include "nsString.h"
+#include "nsICookie.h"
 class nsIChannel;
 class nsICookieJarSettings;
@@ -105,6 +106,8 @@ class CookieCommons final {
 static already_AddRefed GetCookieJarSettings( nsIChannel* aChannel);
+
+ static bool ShouldIncludeCrossSiteCookieForDocument(Cookie* aCookie);
 };
 } // namespace net
diff --git a/netwerk/cookie/CookieService.cpp b/netwerk/cookie/CookieService.cpp
index 9ca11b591f6a..95d588d44836 100644
--- a/netwerk/cookie/CookieService.cpp
+++ b/netwerk/cookie/CookieService.cpp
@@ -317,6 +317,14 @@ CookieService::GetCookieStringFromDocument(Document* aDocument,
 // if it isn't, then we can't send a secure cookie over the connection.
 bool potentiallyTurstworthy = principal->GetIsOriginPotentiallyTrustworthy();
+ nsPIDOMWindowInner* innerWindow = aDocument->GetInnerWindow();
+ if (NS_WARN_IF(!innerWindow)) {
+ return NS_OK;
+ }
+
+ bool thirdParty = nsContentUtils::IsThirdPartyWindowOrChannel(
+ innerWindow, nullptr, nullptr);
+
 bool stale = false;
 nsTArray cookieList;
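Review bot: In `CookieCommons::ShouldIncludeCrossSiteCookieForDocument` (CookieCommons.cpp) the local starts at `0` and the result of `GetSameSite()` is discarded, so if the getter ever returns without writing, the comparison runs against the initial value. Assuming `nsICookie::SAMESITE_NONE` is 0 (as in nsICookie.idl; please confirm), that case fails open and the cookie is treated as readable cross-site. Start from the restrictive value and check the call: `int32_t sameSiteAttr = nsICookie::SAMESITE_STRICT;` followed by `if (NS_FAILED(aCookie->GetSameSite(&sameSiteAttr))) { return false; }`. `MOZ_ASSERT(aCookie)` is compiled out of release builds, so the non-null requirement is worth stating in a comment on the function as well.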
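Review bot: The new declaration `ShouldIncludeCrossSiteCookieForDocument` in CookieCommons.h (the @@ -105 hunk) carries no comment, and its name does not say which SameSite values pass the check. Add above it something like `// Returns true only if aCookie is SameSite=None, i.e. it may be exposed to document.cookie in a third-party context. aCookie must be non-null.` so callers do not have to read the .cpp to learn the policy. The class body starts outside this hunk.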
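Review bot: The inner-window lookup, null check and `IsThirdPartyWindowOrChannel(innerWindow, nullptr, nullptr)` call added to `CookieService::GetCookieStringFromDocument` (the @@ -317 hunk) are repeated line for line in `CookieServiceChild::GetCookieStringFromDocument` (the @@ -351 hunk of CookieServiceChild.cpp). Both copies decide whether the SameSite filter applies, so a later change to only one of them would make the two services disagree on what document.cookie exposes. A single helper next to the new predicate in CookieCommons, for example `static bool IsThirdPartyDocument(Document* aDocument);` (name illustrative), would keep them in step. The early `return NS_OK;` also deserves a comment such as `// No inner window: the party context is unknown, so return without adding any cookies.` The function starts and ends outside this hunk.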
@@ -333,6 +341,11 @@ CookieService::GetCookieStringFromDocument(Document* aDocument,
 continue;
 }
+ if (thirdParty &&
+ !CookieCommons::ShouldIncludeCrossSiteCookieForDocument(cookie)) {
+ continue;
+ }
+
 // if the cookie is secure and the host scheme isn't, we can't send it
 if (cookie->IsSecure() && !potentiallyTurstworthy) {
 continue;
diff --git a/netwerk/cookie/CookieServiceChild.cpp b/netwerk/cookie/CookieServiceChild.cpp
index b422630803a1..4c13904c5cf2 100644
--- a/netwerk/cookie/CookieServiceChild.cpp
+++ b/netwerk/cookie/CookieServiceChild.cpp
@@ -351,6 +351,14 @@ CookieServiceChild::GetCookieStringFromDocument(Document* aDocument,
 nsAutoCString pathFromURI;
 principal->GetFilePath(pathFromURI);
+ nsPIDOMWindowInner* innerWindow = aDocument->GetInnerWindow();
+ if (NS_WARN_IF(!innerWindow)) {
+ return NS_OK;
+ }
+
+ bool thirdParty = nsContentUtils::IsThirdPartyWindowOrChannel(
+ innerWindow, nullptr, nullptr);
+
 bool isPotentiallyTrustworthy = principal->GetIsOriginPotentiallyTrustworthy();
 int64_t currentTimeInUsec = PR_Now();
@@ -369,6 +377,11 @@ CookieServiceChild::GetCookieStringFromDocument(Document* aDocument,
 continue;
 }
+ if (thirdParty &&
+ !CookieCommons::ShouldIncludeCrossSiteCookieForDocument(cookie)) {
+ continue;
+ }
+
 // if the cookie is secure and the host scheme isn't, we can't send it
 if (cookie->IsSecure() && !isPotentiallyTrustworthy) {
 continue;
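Review bot: The added `if (thirdParty && !CookieCommons::ShouldIncludeCrossSiteCookieForDocument(cookie))` skip in the cookie loop of `CookieService::GetCookieStringFromDocument` (the @@ -333 hunk) has no comment, while the Secure check directly below it does. Add `// in a third-party context only SameSite=None cookies are exposed to the document` above it, here and on the identical lines in the @@ -369 hunk of CookieServiceChild.cpp. The loop and the enclosing function start and end outside the hunk.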
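Review bot: Only the read side is filtered by this change: the skip added to `CookieServiceChild::GetCookieStringFromDocument` (the @@ -369 hunk) and its twin in CookieService.cpp have no counterpart on the document.cookie write path in the files visible here. If SameSite=Lax and SameSite=Strict cookies are meant to be out of reach of third-party documents, confirm that `SetCookieStringFromDocument` applies an equivalent restriction, or state in the commit message where that is enforced. A test that reads document.cookie from a cross-site frame for each SameSite value would pin the new behaviour; none is among the files shown. The enclosing function starts and ends outside this hunk.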