Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

allow first party iframes embedded in 3rd-party origins plus exceptio… #5433

Merged
merged 3 commits into from
May 7, 2020

Conversation

bridiver
Copy link
Collaborator

@bridiver bridiver commented Apr 30, 2020

…ns for wp/wordpress and playstation/sonyentertainmentnetwork

fix brave/brave-browser#8629
fix brave/brave-browser#9564
fix brave/brave-browser#9105

Submitter Checklist:

Test Plan:

Reviewer Checklist:

  • New files have MPL-2.0 license header.
  • Request a security/privacy review as needed.
  • Adequate test coverage exists to prevent regressions
  • Verify test plan is specified in PR before merging to source

After-merge Checklist:

  • The associated issue milestone is set to the smallest version that the
    changes has landed on.
  • All relevant documentation has been updated.

@bridiver bridiver requested review from pes10k and jumde April 30, 2020 21:04
@bridiver bridiver requested a review from iefremov as a code owner April 30, 2020 21:04
@bridiver bridiver self-assigned this Apr 30, 2020
Copy link
Contributor

@pes10k pes10k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, as discussed

"setTimeout(\""
"var iframes = document.getElementById('%s');iframes.src='%s';"
"\",0)",
iframe_id.c_str(), url.spec().c_str());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please confirm there's no way for any attacker controlled input to end up as part of this string thereby causing XSS

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@diracdeltas this is a test :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bridiver yes i'm aware, just being paranoid. guessing the answer is no.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there's nothing special about the script and it was actually copied from a chromium test helper and modified to use the render frame instead of the webcontents. It isn't related to the functionality here in any way, it's just a way to update the iframe url in the test


#include "components/content_settings/core/common/cookie_settings_base.h"

#include "base/containers/flat_map.h"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unused

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep, there was a flat map, but not anymore


GURL first_party_url = site_for_cookies;

if (!first_party_url.is_valid() && top_frame_origin)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm, shouldn't we use top_frame_origin by default and fallback to site_for_cookies?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't really matter which way you do it because if the parent frame is 3rd-party then the site_for_cookies is invalid

  // this will be a 3rd party cookie.
  for (const RenderFrameHostImpl* rfh = render_frame_host; rfh;
       rfh = rfh->parent_) {
    if (!candidate.IsEquivalent(
            net::SiteForCookies::FromOrigin(rfh->last_committed_origin_))) {
      return net::SiteForCookies();
    }
  }```

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and it seems safer to me to use site_for_cookies when it is available because that is its purpose

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just want to be consistent with how the original class thinks about first party url

  GetCookieSettingInternal(
      url, top_frame_origin ? top_frame_origin->GetURL() : site_for_cookies,
      false, nullptr, &setting);

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@iefremov so the problem here is that site_for_cookies is treated differently in default 3rd-party cookie blocking and in content settings. The content settings default to the top_frame_origin, but the 3rd-party cookie settings default to the site_for_cookies. The reason we don't want to default to the top_frame_origin here is that there are times when it's not what we want (like redirects) and that is why site_for_cookies exists in the first place. We used only top frame origin in browser-laptop and there were times when it was wrong because of that.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so for the purposes of 3rd-party cookie blocking we want to use site_for_cookies whenever it's available and only use top_frame_origin when it's empty (3rd-party iframe)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in the folow-up I'll add a comment here explaining that and see if I can come up with a test for it

if (!first_party_url.is_valid() && top_frame_origin)
first_party_url = top_frame_origin->GetURL();

if (net::registry_controlled_domains::GetDomainAndRegistry(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think here we need some detailed explanations with examples and links, otherwise our ancestors will curse us

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure what you're looking for detailed explanations for?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a good example was written for wp exceptions in brave_content_settings_pref_provider.cc https://github.com/brave/brave-core/pull/5433/files#diff-9981585c3d9184fc54b96697c59d2028L317

Basically i want that anyone reading this could understand easily why we implemented this behaviour and get some links to the issue tracker

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My question is about what specific behavior you're referring to. The overall behavior is defined by the issue and that's why we have the link in the PR that you can find through git blame. Are you talking specifically about why we're using GetDomainAndRegistry here or more generally about what this code is doing?

net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES))
return true;

for (auto i = entity_list->begin();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for (const auto& entity : entity_list)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it doesn't like this because of base::NoDestructor (even when dereferenced) and I didn't feel like fighting with it

#define BRAVE_COOKIE_SETTINGS_BASE_H \
private: \
bool IsChromiumCookieAccessAllowed(const GURL& url, \
const GURL& first_party_url) const; \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

better indent

const GURL& site_for_cookies,
const base::Optional<url::Origin>& top_frame_origin) const {

// get content settings only - do not consider default 3rd-party blocking
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mind improving some punctuation here and below? I.e. start with a capital letter and end with a dot.
("Comments should be as readable as narrative text, with proper capitalization and punctuation." )

std::vector<std::pair<ContentSettingsPattern,
ContentSettingsPattern>>> entity_list({
{
ContentSettingsPattern::FromString(kWp),
Copy link
Contributor

@jumde jumde May 1, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of hard-coding the exceptions in the code, we can use the local-data-updater component to create a cookie exception list similar to: https://github.com/brave/referrer-whitelist/blob/master/data/ReferrerWhitelist.json

cc: @diracdeltas

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm pretty sure that eventually we will end up with a server-updated list of "entities" (something like https://github.com/krgovind/first-party-sets or another similar attempt)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First party sets are not getting consensus from all browser vendors. There are too many edge-cases.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Strong vote against full party sets from me too. But would be open to pulling in user-agent controlled set of site associations (a la disconnect entities list).

I dig the local-data-updater idea too, but for my two cents, i'd like to separate that from this PR, since a this PR solves web compat issues folks are complaining about now, and local-data-updater would take a while longer (and, this machinery would more or less be needed anyway for the local-data-updater approach, so this can be one step on the way to that)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think local-data-updater idea will take much time. We can use the referrer-exceptions list for cookies. I'm happy to quickly set-up a separate list if there are any concerns with using the referrer whitelist

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think a separate list would be better. @bridiver would probably know best whether changing this to local-data-updater is better to do in this PR, or in some future one.

For my two cents, if it pushes landing this PR back more than a day or two, its best doing separately though

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah I also think we can make a separate list separately

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again, no argument about it going in a separate list, thats fine. But time is sensitive here, for biz reasons. If it will take longer to make a sep list, lets please merge this, and then work on a separate list as a next time.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pes10k and I already discussed a list as a downloadable component, but that is outside the scope of this PR. We are only adding one exception to the existing hardcoded list from https://github.com/brave/brave-core/pull/5433/files#diff-9981585c3d9184fc54b96697c59d2028L332

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and that exception was just added to this PR because it was somewhat related and we were moving the existing exception

},
{
ContentSettingsPattern::FromString(kPlaystation),
ContentSettingsPattern::FromString(kSonyentertainmentnetwork)},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tiniest nit in the world, but this } is doing something the others aren't ;)

@bridiver bridiver force-pushed the fix-google-drive-autoplay-bj branch from 0a404b3 to c6e2be4 Compare May 6, 2020 14:15
@bridiver bridiver merged commit c1a339a into master May 7, 2020
@bridiver bridiver deleted the fix-google-drive-autoplay-bj branch May 7, 2020 16:32
@bridiver bridiver added this to the 1.10.x - Nightly milestone May 7, 2020
bsclifton pushed a commit that referenced this pull request May 7, 2020
allow first party iframes embedded in 3rd-party origins plus exceptio…
bsclifton pushed a commit that referenced this pull request May 26, 2020
allow first party iframes embedded in 3rd-party origins plus exceptio…
bsclifton pushed a commit that referenced this pull request May 28, 2020
allow first party iframes embedded in 3rd-party origins plus exceptio…
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
5 participants