allow first party iframes embedded in 3rd-party origins plus exceptio… #5433
Conversation
| "setTimeout(\"" | ||
| "var iframes = document.getElementById('%s');iframes.src='%s';" | ||
| "\",0)", | ||
| iframe_id.c_str(), url.spec().c_str()); |
There was a problem hiding this comment.
please confirm there's no way for any attacker controlled input to end up as part of this string thereby causing XSS
There was a problem hiding this comment.
@diracdeltas this is a test :)
There was a problem hiding this comment.
@bridiver yes i'm aware, just being paranoid. guessing the answer is no.
There was a problem hiding this comment.
there's nothing special about the script and it was actually copied from a chromium test helper and modified to use the render frame instead of the webcontents. It isn't related to the functionality here in any way, it's just a way to update the iframe url in the test
|
|
||
| #include "components/content_settings/core/common/cookie_settings_base.h" | ||
|
|
||
| #include "base/containers/flat_map.h" |
There was a problem hiding this comment.
yep, there was a flat map, but not anymore
|
|
||
| GURL first_party_url = site_for_cookies; | ||
|
|
||
| if (!first_party_url.is_valid() && top_frame_origin) |
There was a problem hiding this comment.
hmm, shouldn't we use top_frame_origin by default and fallback to site_for_cookies?
There was a problem hiding this comment.
It doesn't really matter which way you do it because if the parent frame is 3rd-party then the site_for_cookies is invalid
// this will be a 3rd party cookie.
for (const RenderFrameHostImpl* rfh = render_frame_host; rfh;
rfh = rfh->parent_) {
if (!candidate.IsEquivalent(
net::SiteForCookies::FromOrigin(rfh->last_committed_origin_))) {
return net::SiteForCookies();
}
}```
There was a problem hiding this comment.
and it seems safer to me to use site_for_cookies when it is available because that is its purpose
There was a problem hiding this comment.
I just want to be consistent with how the original class thinks about first party url
GetCookieSettingInternal(
url, top_frame_origin ? top_frame_origin->GetURL() : site_for_cookies,
false, nullptr, &setting);
There was a problem hiding this comment.
@iefremov so the problem here is that site_for_cookies is treated differently in default 3rd-party cookie blocking and in content settings. The content settings default to the top_frame_origin, but the 3rd-party cookie settings default to the site_for_cookies. The reason we don't want to default to the top_frame_origin here is that there are times when it's not what we want (like redirects) and that is why site_for_cookies exists in the first place. We used only top frame origin in browser-laptop and there were times when it was wrong because of that.
There was a problem hiding this comment.
so for the purposes of 3rd-party cookie blocking we want to use site_for_cookies whenever it's available and only use top_frame_origin when it's empty (3rd-party iframe)
There was a problem hiding this comment.
in the folow-up I'll add a comment here explaining that and see if I can come up with a test for it
| if (!first_party_url.is_valid() && top_frame_origin) | ||
| first_party_url = top_frame_origin->GetURL(); | ||
|
|
||
| if (net::registry_controlled_domains::GetDomainAndRegistry( |
There was a problem hiding this comment.
I think here we need some detailed explanations with examples and links, otherwise our ancestors will curse us
There was a problem hiding this comment.
I'm not sure what you're looking for detailed explanations for?
There was a problem hiding this comment.
a good example was written for wp exceptions in brave_content_settings_pref_provider.cc https://github.com/brave/brave-core/pull/5433/files#diff-9981585c3d9184fc54b96697c59d2028L317
Basically i want that anyone reading this could understand easily why we implemented this behaviour and get some links to the issue tracker
There was a problem hiding this comment.
My question is about what specific behavior you're referring to. The overall behavior is defined by the issue and that's why we have the link in the PR that you can find through git blame. Are you talking specifically about why we're using GetDomainAndRegistry here or more generally about what this code is doing?
| net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) | ||
| return true; | ||
|
|
||
| for (auto i = entity_list->begin(); |
There was a problem hiding this comment.
for (const auto& entity : entity_list)
There was a problem hiding this comment.
it doesn't like this because of base::NoDestructor (even when dereferenced) and I didn't feel like fighting with it
| #define BRAVE_COOKIE_SETTINGS_BASE_H \ | ||
| private: \ | ||
| bool IsChromiumCookieAccessAllowed(const GURL& url, \ | ||
| const GURL& first_party_url) const; \ |
| const GURL& site_for_cookies, | ||
| const base::Optional<url::Origin>& top_frame_origin) const { | ||
|
|
||
| // get content settings only - do not consider default 3rd-party blocking |
There was a problem hiding this comment.
Mind improving some punctuation here and below? I.e. start with a capital letter and end with a dot.
("Comments should be as readable as narrative text, with proper capitalization and punctuation." )
| std::vector<std::pair<ContentSettingsPattern, | ||
| ContentSettingsPattern>>> entity_list({ | ||
| { | ||
| ContentSettingsPattern::FromString(kWp), |
There was a problem hiding this comment.
Instead of hard-coding the exceptions in the code, we can use the local-data-updater component to create a cookie exception list similar to: https://github.com/brave/referrer-whitelist/blob/master/data/ReferrerWhitelist.json
cc: @diracdeltas
There was a problem hiding this comment.
I'm pretty sure that eventually we will end up with a server-updated list of "entities" (something like https://github.com/krgovind/first-party-sets or another similar attempt)
There was a problem hiding this comment.
First party sets are not getting consensus from all browser vendors. There are too many edge-cases.
There was a problem hiding this comment.
Strong vote against full party sets from me too. But would be open to pulling in user-agent controlled set of site associations (a la disconnect entities list).
I dig the local-data-updater idea too, but for my two cents, i'd like to separate that from this PR, since a this PR solves web compat issues folks are complaining about now, and local-data-updater would take a while longer (and, this machinery would more or less be needed anyway for the local-data-updater approach, so this can be one step on the way to that)
There was a problem hiding this comment.
I don't think local-data-updater idea will take much time. We can use the referrer-exceptions list for cookies. I'm happy to quickly set-up a separate list if there are any concerns with using the referrer whitelist
There was a problem hiding this comment.
I think a separate list would be better. @bridiver would probably know best whether changing this to local-data-updater is better to do in this PR, or in some future one.
For my two cents, if it pushes landing this PR back more than a day or two, its best doing separately though
There was a problem hiding this comment.
yeah I also think we can make a separate list separately
There was a problem hiding this comment.
Again, no argument about it going in a separate list, thats fine. But time is sensitive here, for biz reasons. If it will take longer to make a sep list, lets please merge this, and then work on a separate list as a next time.
There was a problem hiding this comment.
@pes10k and I already discussed a list as a downloadable component, but that is outside the scope of this PR. We are only adding one exception to the existing hardcoded list from https://github.com/brave/brave-core/pull/5433/files#diff-9981585c3d9184fc54b96697c59d2028L332
There was a problem hiding this comment.
and that exception was just added to this PR because it was somewhat related and we were moving the existing exception
| }, | ||
| { | ||
| ContentSettingsPattern::FromString(kPlaystation), | ||
| ContentSettingsPattern::FromString(kSonyentertainmentnetwork)}, |
There was a problem hiding this comment.
tiniest nit in the world, but this } is doing something the others aren't ;)
bridiver
force-pushed
the
fix-google-drive-autoplay-bj
branch
from
7e6cedd
to
0a404b3
Compare
…ns for wp/wordpress and playstation/sonyentertainmentnetwork fix brave/brave-browser#8629 fix brave/brave-browser#9564
bridiver
force-pushed
the
fix-google-drive-autoplay-bj
branch
from
0a404b3
to
c6e2be4
Compare
allow first party iframes embedded in 3rd-party origins plus exceptio…
allow first party iframes embedded in 3rd-party origins plus exceptio…
allow first party iframes embedded in 3rd-party origins plus exceptio…
…ns for wp/wordpress and playstation/sonyentertainmentnetwork
fix brave/brave-browser#8629
fix brave/brave-browser#9564
fix brave/brave-browser#9105
Submitter Checklist:
npm run lint)git rebase master(if needed).git rebase -ito squash commits (if needed).Test Plan:
Reviewer Checklist:
After-merge Checklist:
changes has landed on.