| // Copyright 2019 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "net/cookies/site_for_cookies.h" |
| |
| #include <utility> |
| |
| #include "base/strings/strcat.h" |
| #include "base/strings/string_util.h" |
| #include "net/base/registry_controlled_domains/registry_controlled_domain.h" |
| #include "net/cookies/cookie_util.h" |
| |
| namespace net { |
| |
| SiteForCookies::SiteForCookies() = default; |
| |
| SiteForCookies::SiteForCookies(const SchemefulSite& site) |
| : site_(site), schemefully_same_(!site.opaque()) { |
| site_.ConvertWebSocketToHttp(); |
| } |
| |
| SiteForCookies::SiteForCookies(const SiteForCookies& other) = default; |
| SiteForCookies::SiteForCookies(SiteForCookies&& other) = default; |
| |
| SiteForCookies::~SiteForCookies() = default; |
| |
| SiteForCookies& SiteForCookies::operator=(const SiteForCookies& other) = |
| default; |
| SiteForCookies& SiteForCookies::operator=(SiteForCookies&& site_for_cookies) = |
| default; |
| |
| // static |
| bool SiteForCookies::FromWire(const SchemefulSite& site, |
| bool schemefully_same, |
| SiteForCookies* out) { |
| SiteForCookies candidate(site); |
| if (site != candidate.site_) |
| return false; |
| |
| candidate.schemefully_same_ = schemefully_same; |
| |
| *out = std::move(candidate); |
| return true; |
| } |
| |
| // static |
| SiteForCookies SiteForCookies::FromOrigin(const url::Origin& origin) { |
| return SiteForCookies(SchemefulSite(origin)); |
| } |
| |
| // static |
| SiteForCookies SiteForCookies::FromUrl(const GURL& url) { |
| return SiteForCookies::FromOrigin(url::Origin::Create(url)); |
| } |
| |
| std::string SiteForCookies::ToDebugString() const { |
| std::string same_scheme_string = schemefully_same_ ? "true" : "false"; |
| return base::StrCat({"SiteForCookies: {site=", site_.Serialize(), |
| "; schemefully_same=", same_scheme_string, "}"}); |
| } |
| |
| bool SiteForCookies::IsFirstParty(const GURL& url) const { |
| return IsFirstPartyWithSchemefulMode( |
| url, cookie_util::IsSchemefulSameSiteEnabled()); |
| } |
| |
| bool SiteForCookies::IsFirstPartyWithSchemefulMode( |
| const GURL& url, |
| bool compute_schemefully) const { |
| if (compute_schemefully) |
| return IsSchemefullyFirstParty(url); |
| |
| return IsSchemelesslyFirstParty(url); |
| } |
| |
| bool SiteForCookies::IsEquivalent(const SiteForCookies& other) const { |
| if (IsNull() || other.IsNull()) { |
| // We need to check if `other.IsNull()` explicitly in order to catch if |
| // `other.schemefully_same_` is false when "Schemeful Same-Site" is enabled. |
| return IsNull() && other.IsNull(); |
| } |
| |
| // In the case where the site has no registrable domain or host, the scheme |
| // cannot be ws(s) or http(s), so equality of sites implies actual equality of |
| // schemes (not just modulo ws-http and wss-https compatibility). |
| if (cookie_util::IsSchemefulSameSiteEnabled() || |
| !site_.has_registrable_domain_or_host()) { |
| return site_ == other.site_; |
| } |
| |
| return site_.SchemelesslyEqual(other.site_); |
| } |
| |
| bool SiteForCookies::CompareWithFrameTreeSiteAndRevise( |
| const SchemefulSite& other) { |
| // Two opaque SFC are considered equivalent. |
| if (site_.opaque() && other.opaque()) |
| return true; |
| |
| // But if only one is opaque we should return false. |
| if (site_.opaque()) |
| return false; |
| |
| // Nullify `this` if the `other` is opaque |
| if (other.opaque()) { |
| site_ = SchemefulSite(); |
| return false; |
| } |
| |
| bool nullify = site_.has_registrable_domain_or_host() |
| ? !site_.SchemelesslyEqual(other) |
| : site_ != other; |
| |
| if (nullify) { |
| // We should only nullify this SFC if the registrable domains (or the entire |
| // site for cases without an RD) don't match. We *should not* nullify if |
| // only the schemes mismatch (unless there is no RD) because cookies may be |
| // processed with LEGACY semantics which only use the RDs. Eventually, when |
| // schemeful same-site can no longer be disabled, we can revisit this. |
| site_ = SchemefulSite(); |
| return false; |
| } |
| |
| MarkIfCrossScheme(other); |
| |
| return true; |
| } |
| |
| bool SiteForCookies::CompareWithFrameTreeOriginAndRevise( |
| const url::Origin& other) { |
| return CompareWithFrameTreeSiteAndRevise(SchemefulSite(other)); |
| } |
| |
| GURL SiteForCookies::RepresentativeUrl() const { |
| if (IsNull()) |
| return GURL(); |
| // Cannot use url::Origin::GetURL() because it loses the hostname for file: |
| // scheme origins. |
| GURL result(base::StrCat({scheme(), "://", registrable_domain(), "/"})); |
| DCHECK(result.is_valid()); |
| return result; |
| } |
| |
| bool SiteForCookies::IsNull() const { |
| if (cookie_util::IsSchemefulSameSiteEnabled()) |
| return site_.opaque() || !schemefully_same_; |
| |
| return site_.opaque(); |
| } |
| |
| bool SiteForCookies::IsSchemefullyFirstParty(const GURL& url) const { |
| // Can't use IsNull() as we want the same behavior regardless of |
| // SchemefulSameSite feature status. |
| if (site_.opaque() || !schemefully_same_ || !url.is_valid()) |
| return false; |
| |
| SchemefulSite other_site(url); |
| other_site.ConvertWebSocketToHttp(); |
| return site_ == other_site; |
| } |
| |
| bool SiteForCookies::IsSchemelesslyFirstParty(const GURL& url) const { |
| // Can't use IsNull() as we want the same behavior regardless of |
| // SchemefulSameSite feature status. |
| if (site_.opaque() || !url.is_valid()) |
| return false; |
| |
| // We don't need to bother changing WebSocket schemes to http, because if |
| // there is no registrable domain or host, the scheme cannot be ws(s) or |
| // http(s), and the latter comparison is schemeless anyway. |
| SchemefulSite other_site(url); |
| if (!site_.has_registrable_domain_or_host()) |
| return site_ == other_site; |
| |
| return site_.SchemelesslyEqual(other_site); |
| } |
| |
| void SiteForCookies::MarkIfCrossScheme(const SchemefulSite& other) { |
| // If `this` is IsNull() then `this` doesn't match anything which means that |
| // the scheme check is pointless. Also exit early if schemefully_same_ is |
| // already false. |
| if (IsNull() || !schemefully_same_) |
| return; |
| |
| // Mark if `other` is opaque. Opaque origins shouldn't match. |
| if (other.opaque()) { |
| schemefully_same_ = false; |
| return; |
| } |
| |
| // Conversion to http/https should have occurred during construction. |
| DCHECK_NE(url::kWsScheme, scheme()); |
| DCHECK_NE(url::kWssScheme, scheme()); |
| |
| // If the schemes are equal, modulo ws-http and wss-https, don't mark. |
| if (scheme() == other.site_as_origin_.scheme() || |
| (scheme() == url::kHttpsScheme && |
| other.site_as_origin_.scheme() == url::kWssScheme) || |
| (scheme() == url::kHttpScheme && |
| other.site_as_origin_.scheme() == url::kWsScheme)) { |
| return; |
| } |
| |
| // Mark that the two are cross-scheme to each other. |
| schemefully_same_ = false; |
| } |
| |
| bool operator<(const SiteForCookies& lhs, const SiteForCookies& rhs) { |
| // Similar to IsEquivalent(), if they're both null then they're equivalent |
| // and therefore `lhs` is not < `rhs`. |
| if (lhs.IsNull() && rhs.IsNull()) |
| return false; |
| |
| // If only `lhs` is null then it's always < `rhs`. |
| if (lhs.IsNull()) |
| return true; |
| |
| // If only `rhs` is null then `lhs` is not < `rhs`. |
| if (rhs.IsNull()) |
| return false; |
| |
| // Otherwise neither are null and we need to compare the `site_`s. |
| return lhs.site_ < rhs.site_; |
| } |
| |
| } // namespace net |
