Bug 1641459 - Do not expose sameSite=lax/strict cookies to cross-site…

… documents - part 1 - implementation, r=smaug Differential Revision: https://phabricator.services.mozilla.com/D77208
dothq · May 29, 2020 · e9c61f5 · e9c61f5
1 parent 7e07333
commit e9c61f5
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 0 deletions.
diff --git a/netwerk/cookie/CookieCommons.cpp b/netwerk/cookie/CookieCommons.cpp
@@ -446,5 +446,15 @@ already_AddRefed<nsICookieJarSettings> CookieCommons::GetCookieJarSettings(
   return cookieJarSettings.forget();
 }
 
+// static
+bool CookieCommons::ShouldIncludeCrossSiteCookieForDocument(Cookie* aCookie) {
+  MOZ_ASSERT(aCookie);
+
+  int32_t sameSiteAttr = 0;
+  aCookie->GetSameSite(&sameSiteAttr);
+
+  return sameSiteAttr == nsICookie::SAMESITE_NONE;
+}
+
 }  // namespace net
 }  // namespace mozilla
diff --git a/netwerk/cookie/CookieCommons.h b/netwerk/cookie/CookieCommons.h
@@ -10,6 +10,7 @@
 #include <functional>
 #include "prtime.h"
 #include "nsString.h"
+#include "nsICookie.h"
 
 class nsIChannel;
 class nsICookieJarSettings;
@@ -105,6 +106,8 @@ class CookieCommons final {
 
   static already_AddRefed<nsICookieJarSettings> GetCookieJarSettings(
       nsIChannel* aChannel);
+
+  static bool ShouldIncludeCrossSiteCookieForDocument(Cookie* aCookie);
 };
 
 }  // namespace net

diff --git a/netwerk/cookie/CookieService.cpp b/netwerk/cookie/CookieService.cpp
@@ -317,6 +317,14 @@ CookieService::GetCookieStringFromDocument(Document* aDocument,
   // if it isn't, then we can't send a secure cookie over the connection.
   bool potentiallyTurstworthy = principal->GetIsOriginPotentiallyTrustworthy();
 
+  nsPIDOMWindowInner* innerWindow = aDocument->GetInnerWindow();
+  if (NS_WARN_IF(!innerWindow)) {
+    return NS_OK;
+  }
+
+  bool thirdParty = nsContentUtils::IsThirdPartyWindowOrChannel(
+      innerWindow, nullptr, nullptr);
+
   bool stale = false;
   nsTArray<Cookie*> cookieList;
 
@@ -333,6 +341,11 @@ CookieService::GetCookieStringFromDocument(Document* aDocument,
       continue;
     }
 
+    if (thirdParty &&
+        !CookieCommons::ShouldIncludeCrossSiteCookieForDocument(cookie)) {
+      continue;
+    }
+
     // if the cookie is secure and the host scheme isn't, we can't send it
     if (cookie->IsSecure() && !potentiallyTurstworthy) {
       continue;

diff --git a/netwerk/cookie/CookieServiceChild.cpp b/netwerk/cookie/CookieServiceChild.cpp
@@ -351,6 +351,14 @@ CookieServiceChild::GetCookieStringFromDocument(Document* aDocument,
   nsAutoCString pathFromURI;
   principal->GetFilePath(pathFromURI);
 
+  nsPIDOMWindowInner* innerWindow = aDocument->GetInnerWindow();
+  if (NS_WARN_IF(!innerWindow)) {
+    return NS_OK;
+  }
+
+  bool thirdParty = nsContentUtils::IsThirdPartyWindowOrChannel(
+      innerWindow, nullptr, nullptr);
+
   bool isPotentiallyTrustworthy =
       principal->GetIsOriginPotentiallyTrustworthy();
   int64_t currentTimeInUsec = PR_Now();
@@ -369,6 +377,11 @@ CookieServiceChild::GetCookieStringFromDocument(Document* aDocument,
       continue;
     }
 
+    if (thirdParty &&
+        !CookieCommons::ShouldIncludeCrossSiteCookieForDocument(cookie)) {
+      continue;
+    }
+
     // if the cookie is secure and the host scheme isn't, we can't send it
     if (cookie->IsSecure() && !isPotentiallyTrustworthy) {
       continue;