[FedCM] Don't send SameSite=Strict cookies for FedCM requests

See w3c-fedid/FedCM#320 (comment) This is behind the off-by-default "FedCmSameSiteNone" feature. Bug: 329145816 Change-Id: I6408255a01118cd5ac4d0d0263a34051796dc301 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5366009 Reviewed-by: John Abd-El-Malek <[email protected]> Reviewed-by: Philip Rogers <[email protected]> Commit-Queue: Christian Biesinger <[email protected]> Reviewed-by: Nicolás Peña <[email protected]> Cr-Commit-Position: refs/heads/main@{#1273426}
BruceDai · Mar 25, 2024 · 7e623be · 7e623be
1 parent 0110763
commit 7e623be
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 3 deletions.
diff --git a/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html b/credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<title>Federated Credential Management API SameSite=None tests.</title>
+<link rel="help" href="https://fedidcg.github.io/FedCM">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/testdriver.js"></script>
+<script src="/resources/testdriver-vendor.js"></script>
+
+<body>
+
+<script type="module">
+import {fedcm_test,
+        alt_request_options_with_mediation_required,
+        select_manifest,
+        fedcm_get_and_select_first_account} from '../support/fedcm-helper.sub.js';
+
+fedcm_test(async t => {
+  const options = alt_request_options_with_mediation_required('manifest_check_same_site_strict.json');
+  await select_manifest(t, options);
+  const cred = await fedcm_get_and_select_first_account(t, options);
+  assert_equals(cred.token, "token");
+  assert_equals(cred.isAutoSelected, false);
+}, "FedCM requests should be considered cross-origin and therefore not send SameSite=Strict cookies.");
+
+</script>
diff --git a/credential-management/support/fedcm-helper.sub.js b/credential-management/support/fedcm-helper.sub.js
@@ -22,7 +22,7 @@ export function open_and_wait_for_popup(origin, path) {
 // Set the identity provider cookie.
 export function set_fedcm_cookie(host) {
   if (host == undefined) {
-    document.cookie = 'cookie=1; SameSite=Strict; Path=/credential-management/support; Secure';
+    document.cookie = 'cookie=1; SameSite=None; Path=/credential-management/support; Secure';
     return Promise.resolve();
   } else {
     return open_and_wait_for_popup(host, '/credential-management/support/set_cookie');

diff --git a/credential-management/support/fedcm/accounts_check_same_site_strict.py b/credential-management/support/fedcm/accounts_check_same_site_strict.py
@@ -0,0 +1,28 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+  request_error = error_checker.accountsCheck(request)
+  if (request_error):
+    return request_error
+  if request.cookies.get(b"same_site_strict") == b"1":
+    return (546, [], "Should not send SameSite=Strict cookies")
+  if request.headers.get(b"Sec-Fetch-Site") != b"cross-site":
+    return (538, [], "Wrong Sec-Fetch-Site header")
+
+  response.headers.set(b"Content-Type", b"application/json")
+
+  return """
+{
+ "accounts": [{
+   "id": "1234",
+   "given_name": "John",
+   "name": "John Doe",
+   "email": "[email protected]",
+   "picture": "https://idp.example/profile/123",
+   "approved_clients": ["123", "456", "789"],
+   "login_hints": ["john_doe"],
+   "domain_hints": ["idp.example", "example"]
+  }]
+}
+"""
diff --git a/credential-management/support/fedcm/manifest_check_same_site_strict.json b/credential-management/support/fedcm/manifest_check_same_site_strict.json
@@ -0,0 +1,7 @@
+{
+  "accounts_endpoint": "accounts_check_same_site_strict.py",
+  "client_metadata_endpoint": "client_metadata.py",
+  "id_assertion_endpoint": "token_check_same_site_strict.py",
+  "login_url": "login.html"
+}
+
diff --git a/credential-management/support/fedcm/request-params-check.py b/credential-management/support/fedcm/request-params-check.py
@@ -17,8 +17,6 @@ def commonUncredentialedRequestCheck(request):
 def commonCredentialedRequestCheck(request):
   if request.cookies.get(b"cookie") != b"1":
     return (537, [], "Missing cookie")
-  if request.headers.get(b"Sec-Fetch-Site") != b"none":
-    return (538, [], "Wrong Sec-Fetch-Site header")
 
 def commonPostCheck(request):
   if not request.headers.get(b"Origin"):

diff --git a/credential-management/support/fedcm/token_check_same_site_strict.py b/credential-management/support/fedcm/token_check_same_site_strict.py
@@ -0,0 +1,15 @@
+import importlib
+error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")
+
+def main(request, response):
+  request_error = error_checker.tokenCheck(request)
+  if (request_error):
+    return request_error
+  if request.cookies.get(b"same_site_strict") == b"1":
+    return (546, [], "Should not send SameSite=Strict cookies")
+
+  response.headers.set(b"Content-Type", b"application/json")
+  response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
+  response.headers.set(b"Access-Control-Allow-Credentials", "true")
+
+  return "{\"token\": \"token\"}"
diff --git a/credential-management/support/set_cookie.headers b/credential-management/support/set_cookie.headers
@@ -1,2 +1,3 @@
 Content-Type: text/html
 Set-Cookie: cookie=1; SameSite=None; Secure
+Set-Cookie: same_site_strict=1; SameSite=Strict; Secure