From 08c2f13fa0d6bf961ab2e80b0db0a958ef991ee9 Mon Sep 17 00:00:00 2001
From: Christian Biesinger
Date: Fri, 15 Mar 2024 08:47:16 -0700
Subject: [PATCH] [FedCM] Don't send SameSite=Strict cookies for FedCM requests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
See https://github.com/fedidcg/FedCM/issues/320#issuecomment-1992358452
This is behind the off-by-default "FedCmSameSiteNone" feature.
Bug: 329145816
Change-Id: I6408255a01118cd5ac4d0d0263a34051796dc301
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5366009
Reviewed-by: John Abd-El-Malek
Reviewed-by: Philip Rogers
Commit-Queue: Christian Biesinger
Reviewed-by: Nicolás Peña
Cr-Commit-Position: refs/heads/main@{#1273426}
---
 .../fedcm-same-site-none.https.html | 25 +++++++++++++++++
 .../support/fedcm-helper.sub.js | 2 +-
 .../fedcm/accounts_check_same_site_strict.py | 28 +++++++++++++++++++
 .../manifest_check_same_site_strict.json | 7 +++++
 .../support/fedcm/request-params-check.py | 2 --
 .../fedcm/token_check_same_site_strict.py | 15 ++++++++++
 .../support/set_cookie.headers | 1 +
 7 files changed, 77 insertions(+), 3 deletions(-)
 create mode 100644 credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html
 create mode 100644 credential-management/support/fedcm/accounts_check_same_site_strict.py
 create mode 100644 credential-management/support/fedcm/manifest_check_same_site_strict.json
 create mode 100644 credential-management/support/fedcm/token_check_same_site_strict.py
diff --git a/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html b/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html
new file mode 100644
index 00000000000000..77ecdaff9fe36e
--- /dev/null
+++ b/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html
@@ -0,0 +1,25 @@
+
+Federated Credential Management API SameSite=None tests.
+ + + + + + + + +
diff --git a/credential-management/support/fedcm-helper.sub.js b/credential-management/support/fedcm-helper.sub.js
index 765b3cc48a9019..25fdb0995c1a2b 100644
--- a/credential-management/support/fedcm-helper.sub.js
+++ b/credential-management/support/fedcm-helper.sub.js
@@ -22,7 +22,7 @@ export function open_and_wait_for_popup(origin, path) {
 // Set the identity provider cookie.
 export function set_fedcm_cookie(host) {
 if (host == undefined) {
- document.cookie = 'cookie=1; SameSite=Strict; Path=/credential-management/support; Secure';
+ document.cookie = 'cookie=1; SameSite=None; Path=/credential-management/support; Secure';
 return Promise.resolve();
 } else {
 return open_and_wait_for_popup(host, '/credential-management/support/set_cookie');
diff --git a/credential-management/support/fedcm/accounts_check_same_site_strict.py b/credential-management/support/fedcm/accounts_check_same_site_strict.py
new file mode 100644
index 00000000000000..a6f385feac1ccf
--- /dev/null
+++ b/credential-management/support/fedcm/accounts_check_same_site_strict.py
@@ -0,0 +1,28 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+ request_error = error_checker.accountsCheck(request)
+ if (request_error):
+ return request_error
+ if request.cookies.get(b"same_site_strict") == b"1":
+ return (546, [], "Should not send SameSite=Strict cookies")
+ if request.headers.get(b"Sec-Fetch-Site") != b"cross-site":
+ return (538, [], "Wrong Sec-Fetch-Site header")
+
+ response.headers.set(b"Content-Type", b"application/json")
+
+ return """
+{
+ "accounts": [{
+ "id": "1234",
+ "given_name": "John",
+ "name": "John Doe",
+ "email": "john_doe@idp.example",
+ "picture": "https://idp.example/profile/123",
+ "approved_clients": ["123", "456", "789"],
+ "login_hints": ["john_doe"],
+ "domain_hints": ["idp.example", "example"]
+ }]
+}
+"""
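Review bot: The `host == undefined` branch of `set_fedcm_cookie` now sets only `cookie=1` with `SameSite=None`, while the popup path's `set_cookie.headers` additionally sets `same_site_strict=1; SameSite=Strict`, so the new `same_site_strict` checks in `accounts_check_same_site_strict.py` and `token_check_same_site_strict.py` pass vacuously for any test that sets its cookie through this same-origin branch. If that is intended (the new test page's body is not visible in this excerpt), a comment on the branch would record it, e.g. `// Same-origin path: does not set the SameSite=Strict probe cookie; pass a host for the SameSite=None tests.` Otherwise add a second `document.cookie = 'same_site_strict=1; SameSite=Strict; Path=/credential-management/support; Secure';` assignment so both paths set the same cookies. The function's closing lines lie outside the hunk.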
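Review bot: `if (request_error):` at the top of `main` wraps the condition in redundant parentheses, which the neighbouring checks in the same function do not (`if request.cookies.get(...) == b"1":`); write it as `if request_error:`. The same form appears in `token_check_same_site_strict.py`. The response body appears to duplicate the existing accounts fixture (not visible here), so a module-level comment stating why this endpoint exists would help the next maintainer, e.g. `# Accounts endpoint for the FedCmSameSiteNone tests: also asserts the SameSite=Strict probe cookie is absent and Sec-Fetch-Site is cross-site.`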
diff --git a/credential-management/support/fedcm/manifest_check_same_site_strict.json b/credential-management/support/fedcm/manifest_check_same_site_strict.json
new file mode 100644
index 00000000000000..d7304159834804
--- /dev/null
+++ b/credential-management/support/fedcm/manifest_check_same_site_strict.json
@@ -0,0 +1,7 @@
+{
+ "accounts_endpoint": "accounts_check_same_site_strict.py",
+ "client_metadata_endpoint": "client_metadata.py",
+ "id_assertion_endpoint": "token_check_same_site_strict.py",
+ "login_url": "login.html"
+}
+
diff --git a/credential-management/support/fedcm/request-params-check.py b/credential-management/support/fedcm/request-params-check.py
index b774496d5dab3e..6c610e6e201dd1 100644
--- a/credential-management/support/fedcm/request-params-check.py
+++ b/credential-management/support/fedcm/request-params-check.py
@@ -17,8 +17,6 @@ def commonUncredentialedRequestCheck(request):
 def commonCredentialedRequestCheck(request):
 if request.cookies.get(b"cookie") != b"1":
 return (537, [], "Missing cookie")
- if request.headers.get(b"Sec-Fetch-Site") != b"none":
- return (538, [], "Wrong Sec-Fetch-Site header")

 def commonPostCheck(request):
 if not request.headers.get(b"Origin"):
diff --git a/credential-management/support/fedcm/token_check_same_site_strict.py b/credential-management/support/fedcm/token_check_same_site_strict.py
new file mode 100644
index 00000000000000..8a4b3a234bdb99
--- /dev/null
+++ b/credential-management/support/fedcm/token_check_same_site_strict.py
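Review bot: Dropping the `Sec-Fetch-Site` check from `commonCredentialedRequestCheck` leaves no replacement, so every endpoint that relies on this shared helper stops asserting the header at all; within this patch only the new `accounts_check_same_site_strict.py` still checks it (for `cross-site`). The expected value presumably depends on whether the `FedCmSameSiteNone` feature is enabled, which is why a single constant no longer fits, but nothing in the file says so and someone is likely to re-add the old `none` assertion. A comment after the cookie check would prevent that, e.g. `# Sec-Fetch-Site is deliberately not checked here: it is "none" without FedCmSameSiteNone and "cross-site" with it; see accounts_check_same_site_strict.py.` `commonPostCheck` continues past the end of the hunk.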
@@ -0,0 +1,15 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+ request_error = error_checker.tokenCheck(request)
+ if (request_error):
+ return request_error
+ if request.cookies.get(b"same_site_strict") == b"1":
+ return (546, [], "Should not send SameSite=Strict cookies")
+
+ response.headers.set(b"Content-Type", b"application/json")
+ response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+ response.headers.set(b"Access-Control-Allow-Credentials", "true")
+
+ return "{\"token\": \"token\"}"
diff --git a/credential-management/support/set_cookie.headers b/credential-management/support/set_cookie.headers
index b19ff933a6f585..4226ff4c9975cc 100644
--- a/credential-management/support/set_cookie.headers
+++ b/credential-management/support/set_cookie.headers
@@ -1,2 +1,3 @@
 Content-Type: text/html
 Set-Cookie: cookie=1; SameSite=None; Secure
+Set-Cookie: same_site_strict=1; SameSite=Strict; Secure
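Review bot: `main` in `token_check_same_site_strict.py` checks only the `same_site_strict` cookie, whereas `accounts_check_same_site_strict.py` additionally asserts `Sec-Fetch-Site` is `cross-site`; if the ID assertion request is expected to carry the same value, mirror the check here with `if request.headers.get(b"Sec-Fetch-Site") != b"cross-site":` / `return (538, [], "Wrong Sec-Fetch-Site header")`, otherwise add a one-line comment saying why it is omitted. The request `Origin` is reflected straight into `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`; that is acceptable for a test-only endpoint only because `tokenCheck` presumably rejects requests without an `Origin` first (`commonPostCheck` does, though whether `tokenCheck` calls it is not visible here), and a comment such as `# Origin is validated by tokenCheck above; reflecting it is fine for this test-only endpoint.` would make that dependency explicit. The header values also mix `bytes` and `str` (`b"application/json"` vs `"true"`); pick one form.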