Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FedCM] Don't send SameSite=Strict cookies for FedCM requests #45066

Merged
merged 1 commit into from
Mar 15, 2024
Merged

[FedCM] Don't send SameSite=Strict cookies for FedCM requests #45066

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
<!DOCTYPE html>
<title>Federated Credential Management API SameSite=None tests.</title>
<link rel="help" href="https://fedidcg.github.io/FedCM">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/resources/testdriver.js"></script>
<script src="/resources/testdriver-vendor.js"></script>

<body>

<script type="module">
import {fedcm_test,
alt_request_options_with_mediation_required,
select_manifest,
fedcm_get_and_select_first_account} from '../support/fedcm-helper.sub.js';

fedcm_test(async t => {
const options = alt_request_options_with_mediation_required('manifest_check_same_site_strict.json');
await select_manifest(t, options);
const cred = await fedcm_get_and_select_first_account(t, options);
assert_equals(cred.token, "token");
assert_equals(cred.isAutoSelected, false);
}, "FedCM requests should be considered cross-origin and therefore not send SameSite=Strict cookies.");

</script>
2 changes: 1 addition & 1 deletion credential-management/support/fedcm-helper.sub.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ export function open_and_wait_for_popup(origin, path) {
// Set the identity provider cookie.
export function set_fedcm_cookie(host) {
if (host == undefined) {
document.cookie = 'cookie=1; SameSite=Strict; Path=/credential-management/support; Secure';
document.cookie = 'cookie=1; SameSite=None; Path=/credential-management/support; Secure';
return Promise.resolve();
} else {
return open_and_wait_for_popup(host, '/credential-management/support/set_cookie');
Expand Down
28 changes: 28 additions & 0 deletions credential-management/support/fedcm/accounts_check_same_site_strict.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
import importlib
error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")

def main(request, response):
request_error = error_checker.accountsCheck(request)
if (request_error):
return request_error
if request.cookies.get(b"same_site_strict") == b"1":
return (546, [], "Should not send SameSite=Strict cookies")
if request.headers.get(b"Sec-Fetch-Site") != b"cross-site":
return (538, [], "Wrong Sec-Fetch-Site header")

response.headers.set(b"Content-Type", b"application/json")

return """
{
"accounts": [{
"id": "1234",
"given_name": "John",
"name": "John Doe",
"email": "[email protected]",
"picture": "https://idp.example/profile/123",
"approved_clients": ["123", "456", "789"],
"login_hints": ["john_doe"],
"domain_hints": ["idp.example", "example"]
}]
}
"""
7 changes: 7 additions & 0 deletions credential-management/support/fedcm/manifest_check_same_site_strict.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"accounts_endpoint": "accounts_check_same_site_strict.py",
"client_metadata_endpoint": "client_metadata.py",
"id_assertion_endpoint": "token_check_same_site_strict.py",
"login_url": "login.html"
}

2 changes: 0 additions & 2 deletions credential-management/support/fedcm/request-params-check.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,6 @@ def commonUncredentialedRequestCheck(request):
def commonCredentialedRequestCheck(request):
if request.cookies.get(b"cookie") != b"1":
return (537, [], "Missing cookie")
if request.headers.get(b"Sec-Fetch-Site") != b"none":
return (538, [], "Wrong Sec-Fetch-Site header")

def commonPostCheck(request):
if not request.headers.get(b"Origin"):
Expand Down
15 changes: 15 additions & 0 deletions credential-management/support/fedcm/token_check_same_site_strict.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
import importlib
error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check")

def main(request, response):
request_error = error_checker.tokenCheck(request)
if (request_error):
return request_error
if request.cookies.get(b"same_site_strict") == b"1":
return (546, [], "Should not send SameSite=Strict cookies")

response.headers.set(b"Content-Type", b"application/json")
response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
response.headers.set(b"Access-Control-Allow-Credentials", "true")

return "{\"token\": \"token\"}"
1 change: 1 addition & 0 deletions credential-management/support/set_cookie.headers
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
Content-Type: text/html
Set-Cookie: cookie=1; SameSite=None; Secure
Set-Cookie: same_site_strict=1; SameSite=Strict; Secure