-
Notifications
You must be signed in to change notification settings - Fork 888
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
allow first party iframes embedded in 3rd-party origins plus exceptio… #5433
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, as discussed
"setTimeout(\"" | ||
"var iframes = document.getElementById('%s');iframes.src='%s';" | ||
"\",0)", | ||
iframe_id.c_str(), url.spec().c_str()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please confirm there's no way for any attacker controlled input to end up as part of this string thereby causing XSS
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@diracdeltas this is a test :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bridiver yes i'm aware, just being paranoid. guessing the answer is no.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there's nothing special about the script and it was actually copied from a chromium test helper and modified to use the render frame instead of the webcontents. It isn't related to the functionality here in any way, it's just a way to update the iframe url in the test
|
||
#include "components/content_settings/core/common/cookie_settings_base.h" | ||
|
||
#include "base/containers/flat_map.h" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
unused
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yep, there was a flat map, but not anymore
|
||
GURL first_party_url = site_for_cookies; | ||
|
||
if (!first_party_url.is_valid() && top_frame_origin) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hmm, shouldn't we use top_frame_origin by default and fallback to site_for_cookies?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't really matter which way you do it because if the parent frame is 3rd-party then the site_for_cookies is invalid
// this will be a 3rd party cookie.
for (const RenderFrameHostImpl* rfh = render_frame_host; rfh;
rfh = rfh->parent_) {
if (!candidate.IsEquivalent(
net::SiteForCookies::FromOrigin(rfh->last_committed_origin_))) {
return net::SiteForCookies();
}
}```
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and it seems safer to me to use site_for_cookies when it is available because that is its purpose
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just want to be consistent with how the original class thinks about first party url
GetCookieSettingInternal(
url, top_frame_origin ? top_frame_origin->GetURL() : site_for_cookies,
false, nullptr, &setting);
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@iefremov so the problem here is that site_for_cookies is treated differently in default 3rd-party cookie blocking and in content settings. The content settings default to the top_frame_origin, but the 3rd-party cookie settings default to the site_for_cookies. The reason we don't want to default to the top_frame_origin here is that there are times when it's not what we want (like redirects) and that is why site_for_cookies exists in the first place. We used only top frame origin in browser-laptop and there were times when it was wrong because of that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so for the purposes of 3rd-party cookie blocking we want to use site_for_cookies whenever it's available and only use top_frame_origin when it's empty (3rd-party iframe)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in the folow-up I'll add a comment here explaining that and see if I can come up with a test for it
if (!first_party_url.is_valid() && top_frame_origin) | ||
first_party_url = top_frame_origin->GetURL(); | ||
|
||
if (net::registry_controlled_domains::GetDomainAndRegistry( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think here we need some detailed explanations with examples and links, otherwise our ancestors will curse us
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure what you're looking for detailed explanations for?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
a good example was written for wp exceptions in brave_content_settings_pref_provider.cc
https://github.com/brave/brave-core/pull/5433/files#diff-9981585c3d9184fc54b96697c59d2028L317
Basically i want that anyone reading this could understand easily why we implemented this behaviour and get some links to the issue tracker
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My question is about what specific behavior you're referring to. The overall behavior is defined by the issue and that's why we have the link in the PR that you can find through git blame. Are you talking specifically about why we're using GetDomainAndRegistry here or more generally about what this code is doing?
net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) | ||
return true; | ||
|
||
for (auto i = entity_list->begin(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for (const auto& entity : entity_list)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it doesn't like this because of base::NoDestructor
(even when dereferenced) and I didn't feel like fighting with it
#define BRAVE_COOKIE_SETTINGS_BASE_H \ | ||
private: \ | ||
bool IsChromiumCookieAccessAllowed(const GURL& url, \ | ||
const GURL& first_party_url) const; \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
better indent
const GURL& site_for_cookies, | ||
const base::Optional<url::Origin>& top_frame_origin) const { | ||
|
||
// get content settings only - do not consider default 3rd-party blocking |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mind improving some punctuation here and below? I.e. start with a capital letter and end with a dot.
("Comments should be as readable as narrative text, with proper capitalization and punctuation." )
std::vector<std::pair<ContentSettingsPattern, | ||
ContentSettingsPattern>>> entity_list({ | ||
{ | ||
ContentSettingsPattern::FromString(kWp), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of hard-coding the exceptions in the code, we can use the local-data-updater component to create a cookie exception list similar to: https://github.com/brave/referrer-whitelist/blob/master/data/ReferrerWhitelist.json
cc: @diracdeltas
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm pretty sure that eventually we will end up with a server-updated list of "entities" (something like https://github.com/krgovind/first-party-sets or another similar attempt)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First party sets are not getting consensus from all browser vendors. There are too many edge-cases.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Strong vote against full party sets from me too. But would be open to pulling in user-agent controlled set of site associations (a la disconnect entities list).
I dig the local-data-updater idea too, but for my two cents, i'd like to separate that from this PR, since a this PR solves web compat issues folks are complaining about now, and local-data-updater would take a while longer (and, this machinery would more or less be needed anyway for the local-data-updater approach, so this can be one step on the way to that)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think local-data-updater
idea will take much time. We can use the referrer-exceptions
list for cookies. I'm happy to quickly set-up a separate list if there are any concerns with using the referrer whitelist
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think a separate list would be better. @bridiver would probably know best whether changing this to local-data-updater
is better to do in this PR, or in some future one.
For my two cents, if it pushes landing this PR back more than a day or two, its best doing separately though
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah I also think we can make a separate list separately
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Again, no argument about it going in a separate list, thats fine. But time is sensitive here, for biz reasons. If it will take longer to make a sep list, lets please merge this, and then work on a separate list as a next time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pes10k and I already discussed a list as a downloadable component, but that is outside the scope of this PR. We are only adding one exception to the existing hardcoded list from https://github.com/brave/brave-core/pull/5433/files#diff-9981585c3d9184fc54b96697c59d2028L332
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and that exception was just added to this PR because it was somewhat related and we were moving the existing exception
}, | ||
{ | ||
ContentSettingsPattern::FromString(kPlaystation), | ||
ContentSettingsPattern::FromString(kSonyentertainmentnetwork)}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tiniest nit in the world, but this }
is doing something the others aren't ;)
7e6cedd
to
0a404b3
Compare
…ns for wp/wordpress and playstation/sonyentertainmentnetwork fix brave/brave-browser#8629 fix brave/brave-browser#9564
0a404b3
to
c6e2be4
Compare
allow first party iframes embedded in 3rd-party origins plus exceptio…
allow first party iframes embedded in 3rd-party origins plus exceptio…
allow first party iframes embedded in 3rd-party origins plus exceptio…
…ns for wp/wordpress and playstation/sonyentertainmentnetwork
fix brave/brave-browser#8629
fix brave/brave-browser#9564
fix brave/brave-browser#9105
Submitter Checklist:
npm run lint
)git rebase master
(if needed).git rebase -i
to squash commits (if needed).Test Plan:
Reviewer Checklist:
After-merge Checklist:
changes has landed on.