[tor-commits] [tor-browser] 15/179: Bug 1763073 - Add telemetry (and messaging) for SameSite cookies blocked due to redirects. r=freddyb, dveditz a=pascalc
gitolite role
git at cupani.torproject.org
Fri Aug 19 08:35:12 UTC 2022
This is an automated email from the git hooks/post-receive script.
pierov pushed a commit to branch tor-browser-102.2.0esr-12.0-1
in repository tor-browser.
commit bb8996196e4d1f2dcc8302aa218e55d5a1a18a0e
Author: Tom Schuster <evilpies at gmail.com>
AuthorDate: Wed Jun 15 14:51:16 2022 +0000
Bug 1763073 - Add telemetry (and messaging) for SameSite cookies blocked due to redirects. r=freddyb,dveditz a=pascalc
Differential Revision: https://phabricator.services.mozilla.com/D143034
---
netwerk/cookie/Cookie.h | 4 +
netwerk/cookie/CookieCommons.cpp | 7 +-
netwerk/cookie/CookieCommons.h | 7 +-
netwerk/cookie/CookieService.cpp | 112 +++++++++++++++++++++------
netwerk/cookie/CookieService.h | 4 +-
netwerk/cookie/CookieServiceChild.cpp | 7 +-
netwerk/cookie/CookieServiceParent.cpp | 15 ++--
netwerk/cookie/CookieServiceParent.h | 3 +-
netwerk/cookie/PCookieService.ipdl | 1 +
netwerk/locales/en-US/necko.properties | 3 +
toolkit/components/telemetry/Histograms.json | 11 +++
11 files changed, 138 insertions(+), 36 deletions(-)
diff --git a/netwerk/cookie/Cookie.h b/netwerk/cookie/Cookie.h
index 51d9d1673c703..890589c1cf5ae 100644
--- a/netwerk/cookie/Cookie.h
+++ b/netwerk/cookie/Cookie.h
@@ -84,6 +84,10 @@ class Cookie final : public nsICookie {
}
inline int32_t SameSite() const { return mData.sameSite(); }
inline int32_t RawSameSite() const { return mData.rawSameSite(); }
+ inline bool IsDefaultSameSite() const {
+ return SameSite() == nsICookie::SAMESITE_LAX &&
+ RawSameSite() == nsICookie::SAMESITE_NONE;
+ }
inline uint8_t SchemeMap() const { return mData.schemeMap(); }
// setters
diff --git a/netwerk/cookie/CookieCommons.cpp b/netwerk/cookie/CookieCommons.cpp
index 5c6f6933b718a..7ecbadef868b0 100644
--- a/netwerk/cookie/CookieCommons.cpp
+++ b/netwerk/cookie/CookieCommons.cpp
@@ -519,7 +519,10 @@ bool IsSameSiteSchemeEqual(const nsACString& aFirstScheme,
return aFirstScheme.Equals(aSecondScheme);
}
-bool CookieCommons::IsSameSiteForeign(nsIChannel* aChannel, nsIURI* aHostURI) {
+bool CookieCommons::IsSameSiteForeign(nsIChannel* aChannel, nsIURI* aHostURI,
+ bool* aHadCrossSiteRedirects) {
+ *aHadCrossSiteRedirects = false;
+
if (!aChannel) {
return false;
}
@@ -596,6 +599,7 @@ bool CookieCommons::IsSameSiteForeign(nsIChannel* aChannel, nsIURI* aHostURI) {
rv = redirectPrincipal->IsThirdPartyChannel(aChannel, &isForeign);
// if at any point we encounter a cross-origin redirect we can return.
if (NS_FAILED(rv) || isForeign) {
+ *aHadCrossSiteRedirects = true;
return true;
}
@@ -604,6 +608,7 @@ bool CookieCommons::IsSameSiteForeign(nsIChannel* aChannel, nsIURI* aHostURI) {
if (!IsSameSiteSchemeEqual(redirectScheme, hostScheme)) {
// If the two schemes are not of the same http(s) scheme then we
// consider the request as foreign.
+ *aHadCrossSiteRedirects = true;
return true;
}
}
diff --git a/netwerk/cookie/CookieCommons.h b/netwerk/cookie/CookieCommons.h
index aaecfa1a2dd45..b7b338a623aa8 100644
--- a/netwerk/cookie/CookieCommons.h
+++ b/netwerk/cookie/CookieCommons.h
@@ -127,8 +127,11 @@ class CookieCommons final {
// Returns true if the channel is a foreign with respect to the host-uri.
// For loads of TYPE_DOCUMENT, this function returns true if it's a cross
- // origin navigation.
- static bool IsSameSiteForeign(nsIChannel* aChannel, nsIURI* aHostURI);
+ // site navigation.
+ // `aHadCrossSiteRedirects` will be true iff the channel had a cross-site
+ // redirect before the final URI.
+ static bool IsSameSiteForeign(nsIChannel* aChannel, nsIURI* aHostURI,
+ bool* aHadCrossSiteRedirects);
};
} // namespace net
diff --git a/netwerk/cookie/CookieService.cpp b/netwerk/cookie/CookieService.cpp
index 489123e8cbbe4..da1aee326a17f 100644
--- a/netwerk/cookie/CookieService.cpp
+++ b/netwerk/cookie/CookieService.cpp
@@ -152,22 +152,25 @@ bool ProcessSameSiteCookieForForeignRequest(nsIChannel* aChannel,
Cookie* aCookie,
bool aIsSafeTopLevelNav,
bool aLaxByDefault) {
- int32_t sameSiteAttr = 0;
- aCookie->GetSameSite(&sameSiteAttr);
-
- // it if's a cross origin request and the cookie is same site only (strict)
- // don't send it
- if (sameSiteAttr == nsICookie::SAMESITE_STRICT) {
+ // If it's a cross-site request and the cookie is same site only (strict)
+ // don't send it.
+ if (aCookie->SameSite() == nsICookie::SAMESITE_STRICT) {
return false;
}
+ // Explicit SameSite=None cookies are always processed. When laxByDefault
+ // is OFF then so are default cookies.
+ if (aCookie->SameSite() == nsICookie::SAMESITE_NONE ||
+ (!aLaxByDefault && aCookie->IsDefaultSameSite())) {
+ return true;
+ }
+
int64_t currentTimeInUsec = PR_Now();
// 2 minutes of tolerance for 'SameSite=Lax by default' for cookies set
// without a SameSite value when used for unsafe http methods.
- if (StaticPrefs::network_cookie_sameSite_laxPlusPOST_timeout() > 0 &&
- aLaxByDefault && sameSiteAttr == nsICookie::SAMESITE_LAX &&
- aCookie->RawSameSite() == nsICookie::SAMESITE_NONE &&
+ if (aLaxByDefault && aCookie->IsDefaultSameSite() &&
+ StaticPrefs::network_cookie_sameSite_laxPlusPOST_timeout() > 0 &&
currentTimeInUsec - aCookie->CreationTime() <=
(StaticPrefs::network_cookie_sameSite_laxPlusPOST_timeout() *
PR_USEC_PER_SEC) &&
@@ -175,9 +178,11 @@ bool ProcessSameSiteCookieForForeignRequest(nsIChannel* aChannel,
return true;
}
- // if it's a cross origin request, the cookie is same site lax, but it's not a
- // top-level navigation, don't send it
- return sameSiteAttr != nsICookie::SAMESITE_LAX || aIsSafeTopLevelNav;
+ MOZ_ASSERT((aLaxByDefault && aCookie->IsDefaultSameSite()) ||
+ aCookie->SameSite() == nsICookie::SAMESITE_LAX);
+ // We only have SameSite=Lax or lax-by-default cookies at this point. These
+ // are processed only if it's a top-level navigation
+ return aIsSafeTopLevelNav;
}
} // namespace
@@ -486,7 +491,9 @@ CookieService::GetCookieStringFromHttp(nsIURI* aHostURI, nsIChannel* aChannel,
aChannel, attrs, StoragePrincipalHelper::eStorageAccessPrincipal);
bool isSafeTopLevelNav = CookieCommons::IsSafeTopLevelNav(aChannel);
- bool isSameSiteForeign = CookieCommons::IsSameSiteForeign(aChannel, aHostURI);
+ bool hadCrossSiteRedirects = false;
+ bool isSameSiteForeign = CookieCommons::IsSameSiteForeign(
+ aChannel, aHostURI, &hadCrossSiteRedirects);
AutoTArray<Cookie*, 8> foundCookieList;
GetCookiesForURI(
@@ -494,8 +501,8 @@ CookieService::GetCookieStringFromHttp(nsIURI* aHostURI, nsIChannel* aChannel,
result.contains(ThirdPartyAnalysis::IsThirdPartyTrackingResource),
result.contains(ThirdPartyAnalysis::IsThirdPartySocialTrackingResource),
result.contains(ThirdPartyAnalysis::IsStorageAccessPermissionGranted),
- rejectedReason, isSafeTopLevelNav, isSameSiteForeign, true, attrs,
- foundCookieList);
+ rejectedReason, isSafeTopLevelNav, isSameSiteForeign,
+ hadCrossSiteRedirects, true, attrs, foundCookieList);
ComposeCookieString(foundCookieList, aCookieString);
@@ -895,12 +902,26 @@ CookieService::RemoveNative(const nsACString& aHost, const nsACString& aName,
return NS_OK;
}
+enum class CookieProblem : uint32_t {
+ None = 0,
+ // Same-Site cookies (default or explicit) blocked due to redirect
+ RedirectDefault = 1 << 0,
+ RedirectExplicit = 1 << 1,
+ // Special case for googleads Same-Site cookies
+ RedirectGoogleAds = 1 << 2,
+ // Blocked due to other reasons
+ OtherDefault = 1 << 3,
+ OtherExplicit = 1 << 4
+};
+MOZ_MAKE_ENUM_CLASS_BITWISE_OPERATORS(CookieProblem)
+
void CookieService::GetCookiesForURI(
nsIURI* aHostURI, nsIChannel* aChannel, bool aIsForeign,
bool aIsThirdPartyTrackingResource,
bool aIsThirdPartySocialTrackingResource,
bool aStorageAccessPermissionGranted, uint32_t aRejectedReason,
- bool aIsSafeTopLevelNav, bool aIsSameSiteForeign, bool aHttpBound,
+ bool aIsSafeTopLevelNav, bool aIsSameSiteForeign,
+ bool aHadCrossSiteRedirects, bool aHttpBound,
const OriginAttributes& aOriginAttrs, nsTArray<Cookie*>& aCookieList) {
NS_ASSERTION(aHostURI, "null host!");
@@ -1003,6 +1024,13 @@ void CookieService::GetCookiesForURI(
!nsContentUtils::IsURIInPrefList(
aHostURI, "network.cookie.sameSite.laxByDefault.disabledHosts");
+ // We are counting blocked SameSite cookies to get an idea of
+ // potential website breakage before we reintroduce "laxByDefault".
+ // Special attention is paid to redirects where our behavior
+ // differs from Chrome (bug 1763073, crbug/1221316).
+ //
+ CookieProblem sameSiteProblems = CookieProblem::None;
+
// iterate the cookies!
for (Cookie* cookie : *cookies) {
// check the host, since the base domain lookup is conservative.
@@ -1015,12 +1043,6 @@ void CookieService::GetCookiesForURI(
continue;
}
- if (aHttpBound && aIsSameSiteForeign &&
- !ProcessSameSiteCookieForForeignRequest(
- aChannel, cookie, aIsSafeTopLevelNav, laxByDefault)) {
- continue;
- }
-
// if the cookie is httpOnly and it's not going directly to the HTTP
// connection, don't send it
if (cookie->IsHttpOnly() && !aHttpBound) {
@@ -1037,6 +1059,49 @@ void CookieService::GetCookiesForURI(
continue;
}
+ if (aHttpBound && aIsSameSiteForeign) {
+ bool blockCookie = !ProcessSameSiteCookieForForeignRequest(
+ aChannel, cookie, aIsSafeTopLevelNav, laxByDefault);
+
+ // Record telemetry for blocked sameSite cookies. If laxByDefault is off,
+ // re-run the check to see if we would get different results with it
+ // turned on.
+ if (blockCookie || (!laxByDefault && cookie->IsDefaultSameSite() &&
+ !ProcessSameSiteCookieForForeignRequest(
+ aChannel, cookie, aIsSafeTopLevelNav, true))) {
+ if (aHadCrossSiteRedirects) {
+ // Count the known problematic Google cookies from
+ // adservice.google.{com, de} etc. separately. This is not an exact
+ // domain match, but good enough for telemetry.
+ if (StringBeginsWith(hostFromURI, "adservice.google."_ns)) {
+ sameSiteProblems |= CookieProblem::RedirectGoogleAds;
+ } else {
+ if (cookie->IsDefaultSameSite()) {
+ sameSiteProblems |= CookieProblem::RedirectDefault;
+ } else {
+ sameSiteProblems |= CookieProblem::RedirectExplicit;
+ }
+ }
+ } else {
+ if (cookie->IsDefaultSameSite()) {
+ sameSiteProblems |= CookieProblem::OtherDefault;
+ } else {
+ sameSiteProblems |= CookieProblem::OtherExplicit;
+ }
+ }
+ }
+
+ if (blockCookie) {
+ CookieLogging::LogMessageToConsole(
+ crc, aHostURI, nsIScriptError::warningFlag,
+ CONSOLE_REJECTION_CATEGORY, "CookieBlockedCrossSiteRedirect"_ns,
+ AutoTArray<nsString, 1>{
+ NS_ConvertUTF8toUTF16(cookie->Name()),
+ });
+ continue;
+ }
+ }
+
// all checks passed - add to list and check if lastAccessed stamp needs
// updating
aCookieList.AppendElement(cookie);
@@ -1045,6 +1110,9 @@ void CookieService::GetCookiesForURI(
}
}
+ Telemetry::Accumulate(Telemetry::COOKIE_RETRIEVAL_SAMESITE_PROBLEM,
+ static_cast<uint32_t>(sameSiteProblems));
+
if (aCookieList.IsEmpty()) {
return;
}
diff --git a/netwerk/cookie/CookieService.h b/netwerk/cookie/CookieService.h
index 15de4170a810c..caec5b785bef2 100644
--- a/netwerk/cookie/CookieService.h
+++ b/netwerk/cookie/CookieService.h
@@ -84,8 +84,8 @@ class CookieService final : public nsICookieService,
bool aIsThirdPartySocialTrackingResource,
bool aStorageAccessPermissionGranted,
uint32_t aRejectedReason, bool aIsSafeTopLevelNav,
- bool aIsSameSiteForeign, bool aHttpBound,
- const OriginAttributes& aOriginAttrs,
+ bool aIsSameSiteForeign, bool aHadCrossSiteRedirects,
+ bool aHttpBound, const OriginAttributes& aOriginAttrs,
nsTArray<Cookie*>& aCookieList);
/**
diff --git a/netwerk/cookie/CookieServiceChild.cpp b/netwerk/cookie/CookieServiceChild.cpp
index fe869303511b8..a4e2d2523dd31 100644
--- a/netwerk/cookie/CookieServiceChild.cpp
+++ b/netwerk/cookie/CookieServiceChild.cpp
@@ -145,13 +145,16 @@ void CookieServiceChild::TrackCookieLoad(nsIChannel* aChannel) {
aChannel, attrs);
bool isSafeTopLevelNav = CookieCommons::IsSafeTopLevelNav(aChannel);
- bool isSameSiteForeign = CookieCommons::IsSameSiteForeign(aChannel, uri);
+ bool hadCrossSiteRedirects = false;
+ bool isSameSiteForeign =
+ CookieCommons::IsSameSiteForeign(aChannel, uri, &hadCrossSiteRedirects);
SendPrepareCookieList(
uri, result.contains(ThirdPartyAnalysis::IsForeign),
result.contains(ThirdPartyAnalysis::IsThirdPartyTrackingResource),
result.contains(ThirdPartyAnalysis::IsThirdPartySocialTrackingResource),
result.contains(ThirdPartyAnalysis::IsStorageAccessPermissionGranted),
- rejectedReason, isSafeTopLevelNav, isSameSiteForeign, attrs);
+ rejectedReason, isSafeTopLevelNav, isSameSiteForeign,
+ hadCrossSiteRedirects, attrs);
}
IPCResult CookieServiceChild::RecvRemoveAll() {
diff --git a/netwerk/cookie/CookieServiceParent.cpp b/netwerk/cookie/CookieServiceParent.cpp
index 71411c574fc7a..8389eb342c0dd 100644
--- a/netwerk/cookie/CookieServiceParent.cpp
+++ b/netwerk/cookie/CookieServiceParent.cpp
@@ -82,7 +82,9 @@ void CookieServiceParent::TrackCookieLoad(nsIChannel* aChannel) {
nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
OriginAttributes attrs = loadInfo->GetOriginAttributes();
bool isSafeTopLevelNav = CookieCommons::IsSafeTopLevelNav(aChannel);
- bool aIsSameSiteForeign = CookieCommons::IsSameSiteForeign(aChannel, uri);
+ bool hadCrossSiteRedirects = false;
+ bool isSameSiteForeign =
+ CookieCommons::IsSameSiteForeign(aChannel, uri, &hadCrossSiteRedirects);
StoragePrincipalHelper::PrepareEffectiveStoragePrincipalOriginAttributes(
aChannel, attrs);
@@ -101,8 +103,8 @@ void CookieServiceParent::TrackCookieLoad(nsIChannel* aChannel) {
result.contains(ThirdPartyAnalysis::IsThirdPartyTrackingResource),
result.contains(ThirdPartyAnalysis::IsThirdPartySocialTrackingResource),
result.contains(ThirdPartyAnalysis::IsStorageAccessPermissionGranted),
- rejectedReason, isSafeTopLevelNav, aIsSameSiteForeign, false, attrs,
- foundCookieList);
+ rejectedReason, isSafeTopLevelNav, isSameSiteForeign,
+ hadCrossSiteRedirects, false, attrs, foundCookieList);
nsTArray<CookieStruct> matchingCookiesList;
SerialializeCookieList(foundCookieList, matchingCookiesList);
Unused << SendTrackCookiesLoad(matchingCookiesList, attrs);
@@ -129,7 +131,8 @@ IPCResult CookieServiceParent::RecvPrepareCookieList(
const bool& aIsThirdPartySocialTrackingResource,
const bool& aStorageAccessPermissionGranted,
const uint32_t& aRejectedReason, const bool& aIsSafeTopLevelNav,
- const bool& aIsSameSiteForeign, const OriginAttributes& aAttrs) {
+ const bool& aIsSameSiteForeign, const bool& aHadCrossSiteRedirects,
+ const OriginAttributes& aAttrs) {
// Send matching cookies to Child.
if (!aHost) {
return IPC_FAIL(this, "aHost must not be null");
@@ -142,8 +145,8 @@ IPCResult CookieServiceParent::RecvPrepareCookieList(
mCookieService->GetCookiesForURI(
aHost, nullptr, aIsForeign, aIsThirdPartyTrackingResource,
aIsThirdPartySocialTrackingResource, aStorageAccessPermissionGranted,
- aRejectedReason, aIsSafeTopLevelNav, aIsSameSiteForeign, false, aAttrs,
- foundCookieList);
+ aRejectedReason, aIsSafeTopLevelNav, aIsSameSiteForeign,
+ aHadCrossSiteRedirects, false, aAttrs, foundCookieList);
nsTArray<CookieStruct> matchingCookiesList;
SerialializeCookieList(foundCookieList, matchingCookiesList);
Unused << SendTrackCookiesLoad(matchingCookiesList, aAttrs);
diff --git a/netwerk/cookie/CookieServiceParent.h b/netwerk/cookie/CookieServiceParent.h
index e8ac54671ece3..af48756e0ee0a 100644
--- a/netwerk/cookie/CookieServiceParent.h
+++ b/netwerk/cookie/CookieServiceParent.h
@@ -56,7 +56,8 @@ class CookieServiceParent : public PCookieServiceParent {
const bool& aIsThirdPartySocialTrackingResource,
const bool& aStorageAccessPermissionGranted,
const uint32_t& aRejectedReason, const bool& aIsSafeTopLevelNav,
- const bool& aIsSameSiteForeign, const OriginAttributes& aAttrs);
+ const bool& aIsSameSiteForeign, const bool& aHadCrossSiteRedirects,
+ const OriginAttributes& aAttrs);
static void SerialializeCookieList(const nsTArray<Cookie*>& aFoundCookieList,
nsTArray<CookieStruct>& aCookiesList);
diff --git a/netwerk/cookie/PCookieService.ipdl b/netwerk/cookie/PCookieService.ipdl
index 4197982fae838..35c807ce5f271 100644
--- a/netwerk/cookie/PCookieService.ipdl
+++ b/netwerk/cookie/PCookieService.ipdl
@@ -46,6 +46,7 @@ parent:
uint32_t rejectedReason,
bool isSafeTopLevelNav,
bool isSameSiteForeign,
+ bool hadCrossSiteRedirects,
OriginAttributes attrs);
async __delete__();
diff --git a/netwerk/locales/en-US/necko.properties b/netwerk/locales/en-US/necko.properties
index 8ff47ab185416..2e9ab3a901de6 100644
--- a/netwerk/locales/en-US/necko.properties
+++ b/netwerk/locales/en-US/necko.properties
@@ -85,5 +85,8 @@ CookieRejectedExpired=Cookie “%1$S” has been rejected because it is already
# LOCALIZATION NOTE (CookieRejectedForNonSameSiteness): %1$S is the cookie name.
CookieRejectedForNonSameSiteness=Cookie “%1$S” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict”.
+# LOCALIZATION NOTE (CookieBlockedCrossSiteRedirect): %1$S is the cookie name. Do not translate "SameSite", "Lax" or "Strict".
+CookieBlockedCrossSiteRedirect=Cookie “%1$S” with the “SameSite” attribute value “Lax” or “Strict” was omitted because of a cross-site redirect.
+
# LOCALIZATION NOTE (APIDeprecationWarning): %1$S is the deprecated API; %2$S is the API function that should be used.
APIDeprecationWarning=Warning: ‘%1$S’ deprecated, please use ‘%2$S’
diff --git a/toolkit/components/telemetry/Histograms.json b/toolkit/components/telemetry/Histograms.json
index 2720b5e1a5683..999ef7fd7b255 100644
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -16532,6 +16532,17 @@
"n_buckets": 56,
"description": "How much time (in hours) passed between the current cookie purging activity and the one before that (cookie purging is run on 'daily idle')"
},
+ "COOKIE_RETRIEVAL_SAMESITE_PROBLEM": {
+ "record_in_processes": ["main", "content"],
+ "products": ["firefox"],
+ "alert_emails": ["fbraun at mozilla.com", "tschuster at mozilla.com", "seceng-telemetry at mozilla.com"],
+ "bug_numbers": [1763367],
+ "expires_in_version": "106",
+ "kind" : "enumerated",
+ "n_values": 32,
+ "description": "Whether a cookie was skipped in GetCookiesForURI because of a same-site issue. This is a bit field.",
+ "releaseChannelCollection": "opt-out"
+ },
"REFERRER_POLICY_COUNT" : {
"products": ["firefox"],
"record_in_processes": ["main"],
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the tor-commits
mailing list