Resource Load Statistics: Further restrict client-side cookie persistence after cross...
author wilander@apple.com <wilander@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 1 Mar 2019 22:11:33 +0000 (22:11 +0000)
committer wilander@apple.com <wilander@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 1 Mar 2019 22:11:33 +0000 (22:11 +0000)
https://bugs.webkit.org/show_bug.cgi?id=195196
<rdar://problem/48006419>

Reviewed by Brent Fulgham.

Source/WebCore:

Tests: http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-decoration-same-site.html
       http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-fragment-from-prevalent-resource.html
       http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-and-fragment-from-prevalent-resource.html
       http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-from-prevalent-resource.html
       http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-without-link-decoration-from-prevalent-resource.html

Trackers abuse link query parameters to transport user identifiers cross-site.
This patch detects such navigations and applies further restrictions to
client-side cookies on the destination page.

* platform/network/NetworkStorageSession.cpp:
(WebCore::NetworkStorageSession::setAgeCapForClientSideCookies):
    Now sets the regular 7-day cap and a reduced 1-day cap.
(WebCore::NetworkStorageSession::clearPageSpecificDataForResourceLoadStatistics):
    Renamed NetworkStorageSession::removeStorageAccessForAllFramesOnPage() to
    NetworkStorageSession::clearPageSpecificDataForResourceLoadStatistics since
    it now clears out two types of page-specific data.
(WebCore::NetworkStorageSession::committedCrossSiteLoadWithLinkDecoration):
    This function receives a cross-site navigation and checks if the originating
    site is a prevalent resource. If so, it marks the page for stricter cookie
    rules.
(WebCore::NetworkStorageSession::resetCrossSiteLoadsWithLinkDecorationForTesting):
    Test infrastructure. This sets a state that overrides the regular per-page
    clear of data. The reason is that the double clear was racy and caused test
    failures.
(WebCore::NetworkStorageSession::clientSideCookieCap const):
    New function that returns the current cookie lifetime cap.
(WebCore::NetworkStorageSession::removeStorageAccessForAllFramesOnPage): Deleted.
    Renamed to NetworkStorageSession::clearPageSpecificDataForResourceLoadStatistics().
* platform/network/NetworkStorageSession.h:
* platform/network/cocoa/NetworkStorageSessionCocoa.mm:
(WebCore::NetworkStorageSession::setCookiesFromDOM const):
    Now calls NetworkStorageSession::clientSideCookieCap() to set the cap.

Source/WebKit:

Trackers abuse link query parameters to transport user identifiers cross-site.
This patch detects such navigations and applies further restrictions to
client-side cookies on the destination page.

* NetworkProcess/NetworkConnectionToWebProcess.cpp:
(WebKit::NetworkConnectionToWebProcess::clearPageSpecificDataForResourceLoadStatistics):
(WebKit::NetworkConnectionToWebProcess::removeStorageAccessForAllFramesOnPage): Deleted.
    Renamed NetworkConnectionToWebProcess::clearPageSpecificDataForResourceLoadStatistics().
* NetworkProcess/NetworkConnectionToWebProcess.h:
* NetworkProcess/NetworkConnectionToWebProcess.messages.in:
* NetworkProcess/NetworkProcess.cpp:
(WebKit::NetworkProcess::committedCrossSiteLoadWithLinkDecoration):
    Reporting IPC message when a link decorated cross-site navigation happens.
(WebKit::NetworkProcess::resetCrossSiteLoadsWithLinkDecorationForTesting):
* NetworkProcess/NetworkProcess.h:
* NetworkProcess/NetworkProcess.messages.in:
* UIProcess/API/C/WKWebsiteDataStoreRef.cpp:
(WKWebsiteDataStoreStatisticsResetToConsistentState):
    Added clearing of the new state between test runs.
* UIProcess/Network/NetworkProcessProxy.cpp:
(WebKit::NetworkProcessProxy::resetCrossSiteLoadsWithLinkDecorationForTesting):
    Test infrastructure.
* UIProcess/Network/NetworkProcessProxy.h:
* UIProcess/WebPageProxy.cpp:
(WebKit::isNonUniqueNavigationWithLinkDecoration):
    Convenience function.
(WebKit::WebPageProxy::didCommitLoadForFrame):
    This function now reports to the network process when a link decorated
    cross-site navigation happens.
* UIProcess/WebsiteData/WebsiteDataStore.cpp:
(WebKit::WebsiteDataStore::resetCrossSiteLoadsWithLinkDecorationForTesting):
    Test infrastructure.
* UIProcess/WebsiteData/WebsiteDataStore.h:
* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::close):
    Name change of function called.

LayoutTests:

* http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-decoration-same-site-expected.txt: Added.
* http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-decoration-same-site.html: Added.
* http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-fragment-from-prevalent-resource-expected.txt: Added.
* http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-fragment-from-prevalent-resource.html: Added.
* http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-and-fragment-from-prevalent-resource-expected.txt: Added.
* http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-and-fragment-from-prevalent-resource.html: Added.
* http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-from-prevalent-resource-expected.txt: Added.
* http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-from-prevalent-resource.html: Added.
* http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-without-link-decoration-from-prevalent-resource-expected.txt: Added.
* http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-without-link-decoration-from-prevalent-resource.html: Added.
* http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js.html:
    Now clears cookies after the test.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@242288 268f45cc-cd09-0410-ab3c-d52691b4dbfc

30 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-decoration-same-site-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-decoration-same-site.html [new file with mode: 0644]
LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-fragment-from-prevalent-resource-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-fragment-from-prevalent-resource.html [new file with mode: 0644]
LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-and-fragment-from-prevalent-resource-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-and-fragment-from-prevalent-resource.html [new file with mode: 0644]
LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-from-prevalent-resource-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-from-prevalent-resource.html [new file with mode: 0644]
LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-without-link-decoration-from-prevalent-resource-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-without-link-decoration-from-prevalent-resource.html [new file with mode: 0644]
LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js.html
Source/WebCore/ChangeLog
Source/WebCore/platform/network/NetworkStorageSession.cpp
Source/WebCore/platform/network/NetworkStorageSession.h
Source/WebCore/platform/network/cocoa/NetworkStorageSessionCocoa.mm
Source/WebKit/ChangeLog
Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.cpp
Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.h
Source/WebKit/NetworkProcess/NetworkConnectionToWebProcess.messages.in
Source/WebKit/NetworkProcess/NetworkProcess.cpp
Source/WebKit/NetworkProcess/NetworkProcess.h
Source/WebKit/NetworkProcess/NetworkProcess.messages.in
Source/WebKit/UIProcess/API/C/WKWebsiteDataStoreRef.cpp
Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp
Source/WebKit/UIProcess/Network/NetworkProcessProxy.h
Source/WebKit/UIProcess/WebPageProxy.cpp
Source/WebKit/UIProcess/WebsiteData/WebsiteDataStore.cpp
Source/WebKit/UIProcess/WebsiteData/WebsiteDataStore.h
Source/WebKit/WebProcess/WebPage/WebPage.cpp

index b495457..4c60e0c 100644 (file)
@@ -1,3 +1,24 @@
+2019-03-01  John Wilander  <wilander@apple.com>
+
+        Resource Load Statistics: Further restrict client-side cookie persistence after cross-site navigations with link decoration
+        https://bugs.webkit.org/show_bug.cgi?id=195196
+        <rdar://problem/48006419>
+
+        Reviewed by Brent Fulgham.
+
+        * http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-decoration-same-site-expected.txt: Added.
+        * http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-decoration-same-site.html: Added.
+        * http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-fragment-from-prevalent-resource-expected.txt: Added.
+        * http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-fragment-from-prevalent-resource.html: Added.
+        * http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-and-fragment-from-prevalent-resource-expected.txt: Added.
+        * http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-and-fragment-from-prevalent-resource.html: Added.
+        * http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-from-prevalent-resource-expected.txt: Added.
+        * http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-from-prevalent-resource.html: Added.
+        * http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-without-link-decoration-from-prevalent-resource-expected.txt: Added.
+        * http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-without-link-decoration-from-prevalent-resource.html: Added.
+        * http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js.html:
+            Now clears cookies after the test.
+
 2019-03-01  Rob Buis  <rbuis@igalia.com>
 
         Adjust XMLHttpRequest Content-Type handling
diff --git a/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-decoration-same-site-expected.txt b/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-decoration-same-site-expected.txt
new file mode 100644 (file)
index 0000000..a49545a
--- /dev/null
@@ -0,0 +1,10 @@
+Check that cookies created by JavaScript after a same-site navigation with link decoration don't get capped to 24 hours.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS The two long-lived cookies expire after more than 86430 seconds.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-decoration-same-site.html b/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-decoration-same-site.html
new file mode 100644 (file)
index 0000000..b82d999
--- /dev/null
@@ -0,0 +1,85 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/js-test-resources/js-test.js"></script>
+    <script src="/cookies/resources/cookie-utilities.js"></script>
+    <script src="resources/util.js"></script>
+</head>
+<body onload="setTimeout('runTest()', 0)">
+<script>
+    description("Check that cookies created by JavaScript after a same-site navigation with link decoration don't get capped to 24 hours.");
+    jsTestIsAsync = true;
+
+    function testCookies() {
+        let passedTests = 0;
+
+        function checkThatCookieDoesExpireAfter(cookieData, maxAgeInSeconds) {
+            let now = new Date();
+            let maxExpiryDateInMilliseconds = now.getTime() + (maxAgeInSeconds * 1000);
+
+            if (maxExpiryDateInMilliseconds < cookieData["expires"])
+                ++passedTests;
+            else
+                testFailed("Cookie named " + cookieData["name"] + " expires in less than " + maxAgeInSeconds + " seconds.");
+        }
+
+        const oneDayInSeconds = 24 * 60 * 60;
+        const twoDaysInSeconds = 2 * oneDayInSeconds;
+        const longLivedCookieMaxAge = { name : "longLivedCookieMaxAge", lifetime : "Max-Age=" + twoDaysInSeconds + ";" };
+        document.cookie = longLivedCookieMaxAge.name + "=foobar; " + longLivedCookieMaxAge.lifetime + " path=/";
+
+        const twoDaysAsExpiresDate = createExpiresDateFromMaxAge(twoDaysInSeconds);
+        const longLivedCookieExpires = { name : "longLivedCookieExpires", lifetime : "Expires=" + twoDaysAsExpiresDate + ";" };
+        document.cookie = longLivedCookieExpires.name + "=foobar; " + longLivedCookieExpires.lifetime + " path=/";
+
+        const overOneDayInSeconds = oneDayInSeconds + 30;
+        if (internals) {
+            let cookies = internals.getCookies();
+            if (!cookies.length)
+                testFailed("No cookies found.");
+            for (let cookie of cookies) {
+                switch (cookie.name) {
+                    case longLivedCookieMaxAge.name:
+                        checkThatCookieDoesExpireAfter(cookie, overOneDayInSeconds);
+                        break;
+                    case longLivedCookieExpires.name:
+                        checkThatCookieDoesExpireAfter(cookie, overOneDayInSeconds);
+                        break;
+                }
+            }
+
+            resetCookiesForCurrentOrigin();
+
+            if (passedTests === 2) {
+                testPassed("The two long-lived cookies expire after more than " + overOneDayInSeconds + " seconds.");
+            } else
+                testFailed("At least one cookie's expiry attribute was below the test thresholds.");
+        } else
+            testFailed("No internals object.");
+
+        setEnableFeature(false, finishJSTest);
+    }
+
+    function navigateCrossOrigin() {
+        document.location.href = prevalentResourceOrigin + "/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-decoration-same-site.html?link=decoration#fragment";
+    }
+
+    const destinationOrigin = "http://localhost:8000";
+    const prevalentResourceOrigin = "http://127.0.0.1:8000";
+    function runTest() {
+        if (document.location.origin === prevalentResourceOrigin && document.location.hash !== "#fragment") {
+            setEnableFeature(true, function () {
+                testRunner.setStatisticsPrevalentResource(prevalentResourceOrigin, true, function() {
+                    if (!testRunner.isStatisticsPrevalentResource(prevalentResourceOrigin))
+                        testFailed("Host did not get set as prevalent resource.");
+                    testRunner.statisticsUpdateCookieBlocking(navigateCrossOrigin);
+                });
+
+            });
+        } else {
+            testCookies();
+        }
+    }
+</script>
+</body>
+</html>
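Review bot: navigateCrossOrigin() in this test is misnamed and destinationOrigin is unused: the function sets document.location.href to prevalentResourceOrigin, the origin the page is already on, so the navigation is same-site by design. Rename it to something like navigateSameSite() and drop the destinationOrigin constant, so a reader does not take this for a copy of the cross-site tests with the wrong target. A short comment on the document.location.hash !== "#fragment" check in runTest() would also help, since that check is the only thing separating the first load from the decorated one in this file.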
diff --git a/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-fragment-from-prevalent-resource-expected.txt b/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-fragment-from-prevalent-resource-expected.txt
new file mode 100644 (file)
index 0000000..f7bad03
--- /dev/null
@@ -0,0 +1,11 @@
+Check that cookies created by JavaScript after a cross-site navigation with link fragment get capped to 24 hours.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS The two short-lived cookies don't expire after more than 43230 seconds.
+PASS The two long-lived cookies don't expire after more than 86430 seconds.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-fragment-from-prevalent-resource.html b/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-fragment-from-prevalent-resource.html
new file mode 100644 (file)
index 0000000..4a10b46
--- /dev/null
@@ -0,0 +1,100 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/js-test-resources/js-test.js"></script>
+    <script src="/cookies/resources/cookie-utilities.js"></script>
+    <script src="resources/util.js"></script>
+</head>
+<body onload="setTimeout('runTest()', 0)">
+<script>
+    description("Check that cookies created by JavaScript after a cross-site navigation with link fragment get capped to 24 hours.");
+    jsTestIsAsync = true;
+
+    function testCookies() {
+        let passedTests = 0;
+        function checkThatCookieDoesNotExpireAfter(cookieData, maxAgeInSeconds) {
+            let now = new Date();
+            let maxExpiryDateInMilliseconds = now.getTime() + (maxAgeInSeconds * 1000);
+
+            if (maxExpiryDateInMilliseconds > cookieData["expires"])
+                ++passedTests;
+            else
+                testFailed("Cookie named " + cookieData["name"] + " expires in more than " + maxAgeInSeconds + " seconds.");
+        }
+
+        const twelveHoursInSeconds = 12 * 60 * 60;
+        const shortLivedCookieMaxAge = { name : "shortLivedCookieMaxAge", lifetime : "Max-Age=" + twelveHoursInSeconds + ";" };
+        document.cookie = shortLivedCookieMaxAge.name + "=foobar; " + shortLivedCookieMaxAge.lifetime + " path=/";
+
+        const twelveHoursAsExpiresDate = createExpiresDateFromMaxAge(twelveHoursInSeconds);
+        const shortLivedCookieExpires = { name : "shortLivedCookieExpires", lifetime : "Expires=" + twelveHoursAsExpiresDate + ";" };
+        document.cookie = shortLivedCookieExpires.name + "=foobar; " + shortLivedCookieExpires.lifetime + " path=/";
+
+        const oneDayInSeconds = 2 * twelveHoursInSeconds;
+        const twoDaysInSeconds = 2 * oneDayInSeconds;
+        const longLivedCookieMaxAge = { name : "longLivedCookieMaxAge", lifetime : "Max-Age=" + twoDaysInSeconds + ";" };
+        document.cookie = longLivedCookieMaxAge.name + "=foobar; " + longLivedCookieMaxAge.lifetime + " path=/";
+
+        const twoDaysAsExpiresDate = createExpiresDateFromMaxAge(twoDaysInSeconds);
+        const longLivedCookieExpires = { name : "longLivedCookieExpires", lifetime : "Expires=" + twoDaysAsExpiresDate + ";" };
+        document.cookie = longLivedCookieExpires.name + "=foobar; " + longLivedCookieExpires.lifetime + " path=/";
+
+        const overTwelveHoursInSeconds = twelveHoursInSeconds + 30;
+        const overOneDayInSeconds = oneDayInSeconds + 30;
+        if (internals) {
+            let cookies = internals.getCookies();
+            if (!cookies.length)
+                testFailed("No cookies found.");
+            for (let cookie of cookies) {
+                switch (cookie.name) {
+                    case shortLivedCookieMaxAge.name:
+                        checkThatCookieDoesNotExpireAfter(cookie, overTwelveHoursInSeconds);
+                        break;
+                    case shortLivedCookieExpires.name:
+                        checkThatCookieDoesNotExpireAfter(cookie, overTwelveHoursInSeconds);
+                        break;
+                    case longLivedCookieMaxAge.name:
+                        checkThatCookieDoesNotExpireAfter(cookie, overOneDayInSeconds);
+                        break;
+                    case longLivedCookieExpires.name:
+                        checkThatCookieDoesNotExpireAfter(cookie, overOneDayInSeconds);
+                        break;
+                }
+            }
+
+            resetCookiesForCurrentOrigin();
+
+            if (passedTests === 4) {
+                testPassed("The two short-lived cookies don't expire after more than " + overTwelveHoursInSeconds + " seconds.");
+                testPassed("The two long-lived cookies don't expire after more than " + overOneDayInSeconds + " seconds.");
+            } else
+                testFailed("At least one cookie's expiry attribute was beyond the test thresholds.");
+        } else
+            testFailed("No internals object.");
+
+        setEnableFeature(false, finishJSTest);
+    }
+
+    function navigateCrossOrigin() {
+        document.location.href = destinationOrigin + "/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-fragment-from-prevalent-resource.html#link=fragment";
+    }
+
+    const destinationOrigin = "http://localhost:8000";
+    const prevalentResourceOrigin = "http://127.0.0.1:8000";
+    function runTest() {
+        if (document.location.origin === prevalentResourceOrigin) {
+            setEnableFeature(true, function () {
+                testRunner.setStatisticsPrevalentResource(prevalentResourceOrigin, true, function() {
+                    if (!testRunner.isStatisticsPrevalentResource(prevalentResourceOrigin))
+                        testFailed("Host did not get set as prevalent resource.");
+                    testRunner.statisticsUpdateCookieBlocking(navigateCrossOrigin);
+                });
+
+            });
+        } else {
+            testCookies();
+        }
+    }
+</script>
+</body>
+</html>
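Review bot: checkThatCookieDoesNotExpireAfter() asserts only an upper bound (maxExpiryDateInMilliseconds > cookieData["expires"]), so the two long-lived cookies pass for any cap at or below 86430 seconds, not specifically the 24-hour cap named in description(). Consider adding a lower bound for the long-lived cookies, for example that they expire later than overTwelveHoursInSeconds from now, so that a cap much shorter than one day is reported as a failure instead of a pass.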
diff --git a/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-and-fragment-from-prevalent-resource-expected.txt b/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-and-fragment-from-prevalent-resource-expected.txt
new file mode 100644 (file)
index 0000000..6e98dc8
--- /dev/null
@@ -0,0 +1,11 @@
+Check that cookies created by JavaScript after a cross-site navigation with link query and fragment get capped to 24 hours.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS The two short-lived cookies don't expire after more than 43230 seconds.
+PASS The two long-lived cookies don't expire after more than 86430 seconds.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-and-fragment-from-prevalent-resource.html b/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-and-fragment-from-prevalent-resource.html
new file mode 100644 (file)
index 0000000..4f2bfaf
--- /dev/null
@@ -0,0 +1,100 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/js-test-resources/js-test.js"></script>
+    <script src="/cookies/resources/cookie-utilities.js"></script>
+    <script src="resources/util.js"></script>
+</head>
+<body onload="setTimeout('runTest()', 0)">
+<script>
+    description("Check that cookies created by JavaScript after a cross-site navigation with link query and fragment get capped to 24 hours.");
+    jsTestIsAsync = true;
+
+    function testCookies() {
+        let passedTests = 0;
+        function checkThatCookieDoesNotExpireAfter(cookieData, maxAgeInSeconds) {
+            let now = new Date();
+            let maxExpiryDateInMilliseconds = now.getTime() + (maxAgeInSeconds * 1000);
+
+            if (maxExpiryDateInMilliseconds > cookieData["expires"])
+                ++passedTests;
+            else
+                testFailed("Cookie named " + cookieData["name"] + " expires in more than " + maxAgeInSeconds + " seconds.");
+        }
+
+        const twelveHoursInSeconds = 12 * 60 * 60;
+        const shortLivedCookieMaxAge = { name : "shortLivedCookieMaxAge", lifetime : "Max-Age=" + twelveHoursInSeconds + ";" };
+        document.cookie = shortLivedCookieMaxAge.name + "=foobar; " + shortLivedCookieMaxAge.lifetime + " path=/";
+
+        const twelveHoursAsExpiresDate = createExpiresDateFromMaxAge(twelveHoursInSeconds);
+        const shortLivedCookieExpires = { name : "shortLivedCookieExpires", lifetime : "Expires=" + twelveHoursAsExpiresDate + ";" };
+        document.cookie = shortLivedCookieExpires.name + "=foobar; " + shortLivedCookieExpires.lifetime + " path=/";
+
+        const oneDayInSeconds = 2 * twelveHoursInSeconds;
+        const twoDaysInSeconds = 2 * oneDayInSeconds;
+        const longLivedCookieMaxAge = { name : "longLivedCookieMaxAge", lifetime : "Max-Age=" + twoDaysInSeconds + ";" };
+        document.cookie = longLivedCookieMaxAge.name + "=foobar; " + longLivedCookieMaxAge.lifetime + " path=/";
+
+        const twoDaysAsExpiresDate = createExpiresDateFromMaxAge(twoDaysInSeconds);
+        const longLivedCookieExpires = { name : "longLivedCookieExpires", lifetime : "Expires=" + twoDaysAsExpiresDate + ";" };
+        document.cookie = longLivedCookieExpires.name + "=foobar; " + longLivedCookieExpires.lifetime + " path=/";
+
+        const overTwelveHoursInSeconds = twelveHoursInSeconds + 30;
+        const overOneDayInSeconds = oneDayInSeconds + 30;
+        if (internals) {
+            let cookies = internals.getCookies();
+            if (!cookies.length)
+                testFailed("No cookies found.");
+            for (let cookie of cookies) {
+                switch (cookie.name) {
+                    case shortLivedCookieMaxAge.name:
+                        checkThatCookieDoesNotExpireAfter(cookie, overTwelveHoursInSeconds);
+                        break;
+                    case shortLivedCookieExpires.name:
+                        checkThatCookieDoesNotExpireAfter(cookie, overTwelveHoursInSeconds);
+                        break;
+                    case longLivedCookieMaxAge.name:
+                        checkThatCookieDoesNotExpireAfter(cookie, overOneDayInSeconds);
+                        break;
+                    case longLivedCookieExpires.name:
+                        checkThatCookieDoesNotExpireAfter(cookie, overOneDayInSeconds);
+                        break;
+                }
+            }
+
+            resetCookiesForCurrentOrigin();
+
+            if (passedTests === 4) {
+                testPassed("The two short-lived cookies don't expire after more than " + overTwelveHoursInSeconds + " seconds.");
+                testPassed("The two long-lived cookies don't expire after more than " + overOneDayInSeconds + " seconds.");
+            } else
+                testFailed("At least one cookie's expiry attribute was beyond the test thresholds.");
+        } else
+            testFailed("No internals object.");
+
+        setEnableFeature(false, finishJSTest);
+    }
+
+    function navigateCrossOrigin() {
+        document.location.href = destinationOrigin + "/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-and-fragment-from-prevalent-resource.html?link=query#link=fragment";
+    }
+
+    const destinationOrigin = "http://localhost:8000";
+    const prevalentResourceOrigin = "http://127.0.0.1:8000";
+    function runTest() {
+        if (document.location.origin === prevalentResourceOrigin) {
+            setEnableFeature(true, function () {
+                testRunner.setStatisticsPrevalentResource(prevalentResourceOrigin, true, function() {
+                    if (!testRunner.isStatisticsPrevalentResource(prevalentResourceOrigin))
+                        testFailed("Host did not get set as prevalent resource.");
+                    testRunner.statisticsUpdateCookieBlocking(navigateCrossOrigin);
+                });
+
+            });
+        } else {
+            testCookies();
+        }
+    }
+</script>
+</body>
+</html>
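Review bot: testCookies() and runTest() in this file are line-for-line the same as in capped-lifetime-for-cookie-set-in-js-with-link-fragment-from-prevalent-resource.html; only the description() string and the URL built in navigateCrossOrigin() differ. Since resources/util.js is already included, consider moving the shared cookie setup and expiry checks there and passing in the decorated URL suffix, so a later change to the thresholds does not have to be repeated in every copy.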
diff --git a/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-from-prevalent-resource-expected.txt b/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-from-prevalent-resource-expected.txt
new file mode 100644 (file)
index 0000000..d45dd16
--- /dev/null
@@ -0,0 +1,11 @@
+Check that cookies created by JavaScript after a cross-site navigation with link query get capped to 24 hours.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS The two short-lived cookies don't expire after more than 43230 seconds.
+PASS The two long-lived cookies don't expire after more than 86430 seconds.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-from-prevalent-resource.html b/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-from-prevalent-resource.html
new file mode 100644 (file)
index 0000000..9eda6dc
--- /dev/null
@@ -0,0 +1,100 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/js-test-resources/js-test.js"></script>
+    <script src="/cookies/resources/cookie-utilities.js"></script>
+    <script src="resources/util.js"></script>
+</head>
+<body onload="setTimeout('runTest()', 0)">
+<script>
+    description("Check that cookies created by JavaScript after a cross-site navigation with link query get capped to 24 hours.");
+    jsTestIsAsync = true;
+
+    function testCookies() {
+        let passedTests = 0;
+        function checkThatCookieDoesNotExpireAfter(cookieData, maxAgeInSeconds) {
+            let now = new Date();
+            let maxExpiryDateInMilliseconds = now.getTime() + (maxAgeInSeconds * 1000);
+
+            if (maxExpiryDateInMilliseconds > cookieData["expires"])
+                ++passedTests;
+            else
+                testFailed("Cookie named " + cookieData["name"] + " expires in more than " + maxAgeInSeconds + " seconds.");
+        }
+
+        const twelveHoursInSeconds = 12 * 60 * 60;
+        const shortLivedCookieMaxAge = { name : "shortLivedCookieMaxAge", lifetime : "Max-Age=" + twelveHoursInSeconds + ";" };
+        document.cookie = shortLivedCookieMaxAge.name + "=foobar; " + shortLivedCookieMaxAge.lifetime + " path=/";
+
+        const twelveHoursAsExpiresDate = createExpiresDateFromMaxAge(twelveHoursInSeconds);
+        const shortLivedCookieExpires = { name : "shortLivedCookieExpires", lifetime : "Expires=" + twelveHoursAsExpiresDate + ";" };
+        document.cookie = shortLivedCookieExpires.name + "=foobar; " + shortLivedCookieExpires.lifetime + " path=/";
+
+        const oneDayInSeconds = 2 * twelveHoursInSeconds;
+        const twoDaysInSeconds = 2 * oneDayInSeconds;
+        const longLivedCookieMaxAge = { name : "longLivedCookieMaxAge", lifetime : "Max-Age=" + twoDaysInSeconds + ";" };
+        document.cookie = longLivedCookieMaxAge.name + "=foobar; " + longLivedCookieMaxAge.lifetime + " path=/";
+
+        const twoDaysAsExpiresDate = createExpiresDateFromMaxAge(twoDaysInSeconds);
+        const longLivedCookieExpires = { name : "longLivedCookieExpires", lifetime : "Expires=" + twoDaysAsExpiresDate + ";" };
+        document.cookie = longLivedCookieExpires.name + "=foobar; " + longLivedCookieExpires.lifetime + " path=/";
+
+        const overTwelveHoursInSeconds = twelveHoursInSeconds + 30;
+        const overOneDayInSeconds = oneDayInSeconds + 30;
+        if (internals) {
+            let cookies = internals.getCookies();
+            if (!cookies.length)
+                testFailed("No cookies found.");
+            for (let cookie of cookies) {
+                switch (cookie.name) {
+                    case shortLivedCookieMaxAge.name:
+                        checkThatCookieDoesNotExpireAfter(cookie, overTwelveHoursInSeconds);
+                        break;
+                    case shortLivedCookieExpires.name:
+                        checkThatCookieDoesNotExpireAfter(cookie, overTwelveHoursInSeconds);
+                        break;
+                    case longLivedCookieMaxAge.name:
+                        checkThatCookieDoesNotExpireAfter(cookie, overOneDayInSeconds);
+                        break;
+                    case longLivedCookieExpires.name:
+                        checkThatCookieDoesNotExpireAfter(cookie, overOneDayInSeconds);
+                        break;
+                }
+            }
+
+            resetCookiesForCurrentOrigin();
+
+            if (passedTests === 4) {
+                testPassed("The two short-lived cookies don't expire after more than " + overTwelveHoursInSeconds + " seconds.");
+                testPassed("The two long-lived cookies don't expire after more than " + overOneDayInSeconds + " seconds.");
+            } else
+                testFailed("At least one cookie's expiry attribute was beyond the test thresholds.");
+        } else
+            testFailed("No internals object.");
+
+        setEnableFeature(false, finishJSTest);
+    }
+
+    function navigateCrossOrigin() {
+        document.location.href = destinationOrigin + "/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-from-prevalent-resource.html?link=query";
+    }
+
+    const destinationOrigin = "http://localhost:8000";
+    const prevalentResourceOrigin = "http://127.0.0.1:8000";
+    function runTest() {
+        if (document.location.origin === prevalentResourceOrigin) {
+            setEnableFeature(true, function () {
+                testRunner.setStatisticsPrevalentResource(prevalentResourceOrigin, true, function() {
+                    if (!testRunner.isStatisticsPrevalentResource(prevalentResourceOrigin))
+                        testFailed("Host did not get set as prevalent resource.");
+                    testRunner.statisticsUpdateCookieBlocking(navigateCrossOrigin);
+                });
+
+            });
+        } else {
+            testCookies();
+        }
+    }
+</script>
+</body>
+</html>
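Review bot: the guard if (internals) near the end of testCookies() throws a ReferenceError when the internals object is not injected, so the else branch that reports "No internals object." can never run. Testing window.internals instead would let the test fail with the intended message.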
diff --git a/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-without-link-decoration-from-prevalent-resource-expected.txt b/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-without-link-decoration-from-prevalent-resource-expected.txt
new file mode 100644 (file)
index 0000000..3bf649a
--- /dev/null
@@ -0,0 +1,10 @@
+Check that cookies created by JavaScript after a cross-site navigation without link decoration don't get capped to 24 hours.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS The two long-lived cookies expire after more than 86430 seconds.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-without-link-decoration-from-prevalent-resource.html b/LayoutTests/http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-without-link-decoration-from-prevalent-resource.html
new file mode 100644 (file)
index 0000000..a7b5792
--- /dev/null
@@ -0,0 +1,85 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="/js-test-resources/js-test.js"></script>
+    <script src="/cookies/resources/cookie-utilities.js"></script>
+    <script src="resources/util.js"></script>
+</head>
+<body onload="setTimeout('runTest()', 0)">
+<script>
+    description("Check that cookies created by JavaScript after a cross-site navigation without link decoration don't get capped to 24 hours.");
+    jsTestIsAsync = true;
+
+    function testCookies() {
+        let passedTests = 0;
+
+        function checkThatCookieDoesExpireAfter(cookieData, maxAgeInSeconds) {
+            let now = new Date();
+            let maxExpiryDateInMilliseconds = now.getTime() + (maxAgeInSeconds * 1000);
+
+            if (maxExpiryDateInMilliseconds < cookieData["expires"])
+                ++passedTests;
+            else
+                testFailed("Cookie named " + cookieData["name"] + " expires in less than " + maxAgeInSeconds + " seconds.");
+        }
+
+        const oneDayInSeconds = 24 * 60 * 60;
+        const twoDaysInSeconds = 2 * oneDayInSeconds;
+        const longLivedCookieMaxAge = { name : "longLivedCookieMaxAge", lifetime : "Max-Age=" + twoDaysInSeconds + ";" };
+        document.cookie = longLivedCookieMaxAge.name + "=foobar; " + longLivedCookieMaxAge.lifetime + " path=/";
+
+        const twoDaysAsExpiresDate = createExpiresDateFromMaxAge(twoDaysInSeconds);
+        const longLivedCookieExpires = { name : "longLivedCookieExpires", lifetime : "Expires=" + twoDaysAsExpiresDate + ";" };
+        document.cookie = longLivedCookieExpires.name + "=foobar; " + longLivedCookieExpires.lifetime + " path=/";
+
+        const overOneDayInSeconds = oneDayInSeconds + 30;
+        if (internals) {
+            let cookies = internals.getCookies();
+            if (!cookies.length)
+                testFailed("No cookies found.");
+            for (let cookie of cookies) {
+                switch (cookie.name) {
+                    case longLivedCookieMaxAge.name:
+                        checkThatCookieDoesExpireAfter(cookie, overOneDayInSeconds);
+                        break;
+                    case longLivedCookieExpires.name:
+                        checkThatCookieDoesExpireAfter(cookie, overOneDayInSeconds);
+                        break;
+                }
+            }
+
+            resetCookiesForCurrentOrigin();
+
+            if (passedTests === 2) {
+                testPassed("The two long-lived cookies expire after more than " + overOneDayInSeconds + " seconds.");
+            } else
+                testFailed("At least one cookie's expiry attribute was below the test thresholds.");
+        } else
+            testFailed("No internals object.");
+
+        setEnableFeature(false, finishJSTest);
+    }
+
+    function navigateCrossOrigin() {
+        document.location.href = destinationOrigin + "/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-without-link-decoration-from-prevalent-resource.html";
+    }
+
+    const destinationOrigin = "http://localhost:8000";
+    const prevalentResourceOrigin = "http://127.0.0.1:8000";
+    function runTest() {
+        if (document.location.origin === prevalentResourceOrigin) {
+            setEnableFeature(true, function () {
+                testRunner.setStatisticsPrevalentResource(prevalentResourceOrigin, true, function() {
+                    if (!testRunner.isStatisticsPrevalentResource(prevalentResourceOrigin))
+                        testFailed("Host did not get set as prevalent resource.");
+                    testRunner.statisticsUpdateCookieBlocking(navigateCrossOrigin);
+                });
+
+            });
+        } else {
+            testCookies();
+        }
+    }
+</script>
+</body>
+</html>
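Review bot: in runTest(), a failed isStatisticsPrevalentResource() check calls testFailed() but still falls through to statisticsUpdateCookieBlocking(navigateCrossOrigin), so the page navigates away and the failure is reported in a document that is about to be replaced. Because this test expects the cookies not to get the 24-hour cap, it can then pass even though the prevalent-resource setup never took effect. Suggest ending the test at that point (for example setEnableFeature(false, finishJSTest) followed by return) instead of navigating.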
index 4747552..00cb175 100644 (file)
@@ -62,6 +62,9 @@
                     break;
             }
         }
+
+        resetCookiesForCurrentOrigin();
+
         if (passedTests === 4) {
             testPassed("The two short-lived cookies don't expire after more than " + overTwoDaysInSeconds + " seconds.");
             testPassed("The two long-lived cookies don't expire after more than " + overOneWeekInSeconds + " seconds.");
index 86b085c..0eac3da 100644 (file)
@@ -1,3 +1,45 @@
+2019-03-01  John Wilander  <wilander@apple.com>
+
+        Resource Load Statistics: Further restrict client-side cookie persistence after cross-site navigations with link decoration
+        https://bugs.webkit.org/show_bug.cgi?id=195196
+        <rdar://problem/48006419>
+
+        Reviewed by Brent Fulgham.
+
+        Tests: http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-decoration-same-site.html
+               http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-fragment-from-prevalent-resource.html
+               http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-and-fragment-from-prevalent-resource.html
+               http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-with-link-query-from-prevalent-resource.html
+               http/tests/resourceLoadStatistics/capped-lifetime-for-cookie-set-in-js-without-link-decoration-from-prevalent-resource.html
+
+        Trackers abuse link query parameters to transport user identifiers cross-site.
+        This patch detects such navigations and applies further restrictions to
+        client-site cookies on the destination page.
+
+        * platform/network/NetworkStorageSession.cpp:
+        (WebCore::NetworkStorageSession::setAgeCapForClientSideCookies):
+            Now sets the regular 7-day cap and a reduced 1-day cap.
+        (WebCore::NetworkStorageSession::clearPageSpecificDataForResourceLoadStatistics):
+            Renamed NetworkStorageSession::removeStorageAccessForAllFramesOnPage() to
+            NetworkStorageSession::clearPageSpecificDataForResourceLoadStatistics since
+            it now clears out two types of page-specific data.
+        (WebCore::NetworkStorageSession::committedCrossSiteLoadWithLinkDecoration):
+            This function receives a cross-site navigation and checks if the originating
+            site is a prevalent resource. If so, it marks the page or stricter cookie
+            rules.
+        (WebCore::NetworkStorageSession::resetCrossSiteLoadsWithLinkDecorationForTesting):
+            Test infrastructure. This sets a state that overrides the regular per-page
+            clear of data. The reason is that the double clear was racy and caused test
+            failures.
+        (WebCore::NetworkStorageSession::clientSideCookieCap const):
+            New function that returns the current cookie lifetime cap.
+        (WebCore::NetworkStorageSession::removeStorageAccessForAllFramesOnPage): Deleted.
+            Renamed to NetworkStorageSession::clearPageSpecificDataForResourceLoadStatistics().
+        * platform/network/NetworkStorageSession.h:
+        * platform/network/cocoa/NetworkStorageSessionCocoa.mm:
+        (WebCore::NetworkStorageSession::setCookiesFromDOM const):
+            Now calls NetworkStorageSession::clientSideCookieCap() to set the cap.
+
 2019-03-01  Rob Buis  <rbuis@igalia.com>
 
         Adjust XMLHttpRequest Content-Type handling
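Review bot: two wording slips in the new ChangeLog entry are worth fixing before landing. The description says "client-site cookies" where the title and the function names say client-side, and the committedCrossSiteLoadWithLinkDecoration entry reads "marks the page or stricter cookie rules", which looks like it should be "for stricter cookie rules".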
index 9906078..3b18e62 100644 (file)
@@ -100,6 +100,7 @@ Optional<Seconds> NetworkStorageSession::maxAgeCacheCap(const ResourceRequest& r
 void NetworkStorageSession::setAgeCapForClientSideCookies(Optional<Seconds> seconds)
 {
     m_ageCapForClientSideCookies = seconds;
+    m_ageCapForClientSideCookiesShort = seconds ? Seconds { seconds->seconds() / 7. } : seconds;
 }
 
 void NetworkStorageSession::setPrevalentDomainsToBlockCookiesFor(const Vector<RegistrableDomain>& domains)
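Review bot: the short cap in setAgeCapForClientSideCookies() is derived as seconds / 7., which only yields the 1-day cap described in the ChangeLog when the caller passes exactly 7 days. A named constant or a comment stating the intended ratio would make that dependency explicit; alternatively, take the short cap as its own value so the two cannot drift apart.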
@@ -190,10 +191,12 @@ void NetworkStorageSession::removeStorageAccessForFrame(uint64_t frameID, uint64
     iteration->value.remove(frameID);
 }
 
-void NetworkStorageSession::removeStorageAccessForAllFramesOnPage(uint64_t pageID)
+void NetworkStorageSession::clearPageSpecificDataForResourceLoadStatistics(uint64_t pageID)
 {
     m_pagesGrantedStorageAccess.remove(pageID);
     m_framesGrantedStorageAccess.remove(pageID);
+    if (!m_navigationWithLinkDecorationTestMode)
+        m_navigatedToWithLinkDecorationByPrevalentResource.remove(pageID);
 }
 
 void NetworkStorageSession::removeAllStorageAccess()
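Review bot: clearPageSpecificDataForResourceLoadStatistics() now branches on m_navigationWithLinkDecorationTestMode, a test-only flag, in the production cleanup path. In the lines of this patch the flag is only ever set to true (in resetCrossSiteLoadsWithLinkDecorationForTesting()), so after one reset the per-page entry is never removed for the remaining life of the session. Suggest a comment explaining the race this works around and a way to switch the mode back off.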
@@ -211,6 +214,33 @@ void NetworkStorageSession::resetCacheMaxAgeCapForPrevalentResources()
 {
     m_cacheMaxAgeCapForPrevalentResources = WTF::nullopt;
 }
+
+void NetworkStorageSession::committedCrossSiteLoadWithLinkDecoration(const RegistrableDomain& fromDomain, const RegistrableDomain& toDomain, uint64_t pageID)
+{
+    if (shouldBlockThirdPartyCookies(fromDomain))
+        m_navigatedToWithLinkDecorationByPrevalentResource.add(pageID, toDomain);
+}
+
+void NetworkStorageSession::resetCrossSiteLoadsWithLinkDecorationForTesting()
+{
+    m_navigatedToWithLinkDecorationByPrevalentResource.clear();
+    m_navigationWithLinkDecorationTestMode = true;
+}
+
+Optional<Seconds> NetworkStorageSession::clientSideCookieCap(const RegistrableDomain& firstParty, Optional<uint64_t> pageID) const
+{
+    if (!m_ageCapForClientSideCookies || !pageID || m_navigatedToWithLinkDecorationByPrevalentResource.isEmpty())
+        return m_ageCapForClientSideCookies;
+
+    auto domainIterator = m_navigatedToWithLinkDecorationByPrevalentResource.find(*pageID);
+    if (domainIterator == m_navigatedToWithLinkDecorationByPrevalentResource.end())
+        return m_ageCapForClientSideCookies;
+
+    if (domainIterator->value == firstParty)
+        return m_ageCapForClientSideCookiesShort;
+
+    return m_ageCapForClientSideCookies;
+}
 #endif // ENABLE(RESOURCE_LOAD_STATISTICS)
 
 }
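Review bot: committedCrossSiteLoadWithLinkDecoration() records the destination with m_navigatedToWithLinkDecorationByPrevalentResource.add(pageID, toDomain), and HashMap::add() leaves an existing entry untouched. If the same page is later navigated with link decoration from a prevalent resource to a different domain, the map still holds the first domain and clientSideCookieCap() returns the regular cap for the new one. If the latest navigation should win, set() is the call to use; if keeping the first is intended, a comment saying so would help.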
index 5897941..8de4249 100644 (file)
@@ -149,11 +149,13 @@ public:
     WEBCORE_EXPORT Vector<String> getAllStorageAccessEntries() const;
     WEBCORE_EXPORT void grantStorageAccess(const RegistrableDomain& resourceDomain, const RegistrableDomain& firstPartyDomain, Optional<uint64_t> frameID, uint64_t pageID);
     WEBCORE_EXPORT void removeStorageAccessForFrame(uint64_t frameID, uint64_t pageID);
-    WEBCORE_EXPORT void removeStorageAccessForAllFramesOnPage(uint64_t pageID);
+    WEBCORE_EXPORT void clearPageSpecificDataForResourceLoadStatistics(uint64_t pageID);
     WEBCORE_EXPORT void removeAllStorageAccess();
     WEBCORE_EXPORT void setCacheMaxAgeCapForPrevalentResources(Seconds);
     WEBCORE_EXPORT void resetCacheMaxAgeCapForPrevalentResources();
     WEBCORE_EXPORT Optional<Seconds> maxAgeCacheCap(const ResourceRequest&);
+    WEBCORE_EXPORT void committedCrossSiteLoadWithLinkDecoration(const RegistrableDomain& fromDomain, const RegistrableDomain& toDomain, uint64_t pageID);
+    WEBCORE_EXPORT void resetCrossSiteLoadsWithLinkDecorationForTesting();
 #endif
 
 private:
@@ -178,11 +180,15 @@ private:
 
 #if ENABLE(RESOURCE_LOAD_STATISTICS)
     bool shouldBlockThirdPartyCookies(const RegistrableDomain&) const;
+    Optional<Seconds> clientSideCookieCap(const RegistrableDomain& firstParty, Optional<uint64_t> pageID) const;
     HashSet<RegistrableDomain> m_registrableDomainsToBlockCookieFor;
     HashMap<uint64_t, HashMap<uint64_t, RegistrableDomain, DefaultHash<uint64_t>::Hash, WTF::UnsignedWithZeroKeyHashTraits<uint64_t>>, DefaultHash<uint64_t>::Hash, WTF::UnsignedWithZeroKeyHashTraits<uint64_t>> m_framesGrantedStorageAccess;
     HashMap<uint64_t, HashMap<RegistrableDomain, RegistrableDomain>, DefaultHash<uint64_t>::Hash, WTF::UnsignedWithZeroKeyHashTraits<uint64_t>> m_pagesGrantedStorageAccess;
     Optional<Seconds> m_cacheMaxAgeCapForPrevalentResources { };
     Optional<Seconds> m_ageCapForClientSideCookies { };
+    Optional<Seconds> m_ageCapForClientSideCookiesShort { };
+    HashMap<uint64_t, RegistrableDomain, DefaultHash<uint64_t>::Hash, WTF::UnsignedWithZeroKeyHashTraits<uint64_t>> m_navigatedToWithLinkDecorationByPrevalentResource;
+    bool m_navigationWithLinkDecorationTestMode = false;
 #endif
 
 #if PLATFORM(COCOA)
index e05940e..318f53e 100644 (file)
@@ -403,7 +403,7 @@ void NetworkStorageSession::setCookiesFromDOM(const URL& firstParty, const SameS
 #endif
 
 #if ENABLE(RESOURCE_LOAD_STATISTICS)
-    RetainPtr<NSArray> filteredCookies = filterCookies(unfilteredCookies, m_ageCapForClientSideCookies);
+    RetainPtr<NSArray> filteredCookies = filterCookies(unfilteredCookies, clientSideCookieCap(RegistrableDomain { firstParty }, pageID));
 #else
     RetainPtr<NSArray> filteredCookies = filterCookies(unfilteredCookies, WTF::nullopt);
 #endif
index 6eb4a1e..bc666f1 100644 (file)
@@ -1,3 +1,48 @@
+2019-03-01  John Wilander  <wilander@apple.com>
+
+        Resource Load Statistics: Further restrict client-side cookie persistence after cross-site navigations with link decoration
+        https://bugs.webkit.org/show_bug.cgi?id=195196
+        <rdar://problem/48006419>
+
+        Reviewed by Brent Fulgham.
+
+        Trackers abuse link query parameters to transport user identifiers cross-site.
+        This patch detects such navigations and applies further restrictions to
+        client-site cookies on the destination page.
+
+        * NetworkProcess/NetworkConnectionToWebProcess.cpp:
+        (WebKit::NetworkConnectionToWebProcess::clearPageSpecificDataForResourceLoadStatistics):
+        (WebKit::NetworkConnectionToWebProcess::removeStorageAccessForAllFramesOnPage): Deleted.
+            Renamed NetworkConnectionToWebProcess::clearPageSpecificDataForResourceLoadStatistics().
+        * NetworkProcess/NetworkConnectionToWebProcess.h:
+        * NetworkProcess/NetworkConnectionToWebProcess.messages.in:
+        * NetworkProcess/NetworkProcess.cpp:
+        (WebKit::NetworkProcess::committedCrossSiteLoadWithLinkDecoration):
+            Reporting IPC message when a link decorated cross-site navigation happens.
+        (WebKit::NetworkProcess::resetCrossSiteLoadsWithLinkDecorationForTesting):
+        * NetworkProcess/NetworkProcess.h:
+        * NetworkProcess/NetworkProcess.messages.in:
+        * UIProcess/API/C/WKWebsiteDataStoreRef.cpp:
+        (WKWebsiteDataStoreStatisticsResetToConsistentState):
+            Added clearing of the new state between test runs.
+        * UIProcess/Network/NetworkProcessProxy.cpp:
+        (WebKit::NetworkProcessProxy::resetCrossSiteLoadsWithLinkDecorationForTesting):
+            Test infrastructure.
+        * UIProcess/Network/NetworkProcessProxy.h:
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::isNonUniqueNavigationWithLinkDecoration):
+            Convenience function.
+        (WebKit::WebPageProxy::didCommitLoadForFrame):
+            This function now reports to the network process when a link decorated
+            cross-site navigation happens.
+        * UIProcess/WebsiteData/WebsiteDataStore.cpp:
+        (WebKit::WebsiteDataStore::resetCrossSiteLoadsWithLinkDecorationForTesting):
+            Test infrastructure.
+        * UIProcess/WebsiteData/WebsiteDataStore.h:
+        * WebProcess/WebPage/WebPage.cpp:
+        (WebKit::WebPage::close):
+            Name change of function called.
+
 2019-03-01  Tim Horton  <timothy_horton@apple.com>
 
         Remove unused code in WebKitLegacy
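Review bot: in the NetworkConnectionToWebProcess entry, the line "Renamed NetworkConnectionToWebProcess::clearPageSpecificDataForResourceLoadStatistics()." sits under the Deleted function and is missing "to", so it reads as if the new function was the one renamed. The description also repeats "client-site cookies" where client-side is meant.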
index e59a433..e279066 100644 (file)
@@ -579,10 +579,10 @@ void NetworkConnectionToWebProcess::removeStorageAccessForFrame(PAL::SessionID s
         storageSession->removeStorageAccessForFrame(frameID, pageID);
 }
 
-void NetworkConnectionToWebProcess::removeStorageAccessForAllFramesOnPage(PAL::SessionID sessionID, uint64_t pageID)
+void NetworkConnectionToWebProcess::clearPageSpecificDataForResourceLoadStatistics(PAL::SessionID sessionID, uint64_t pageID)
 {
     if (auto* storageSession = networkProcess().storageSession(sessionID))
-        storageSession->removeStorageAccessForAllFramesOnPage(pageID);
+        storageSession->clearPageSpecificDataForResourceLoadStatistics(pageID);
 }
 
 void NetworkConnectionToWebProcess::logUserInteraction(PAL::SessionID sessionID, const RegistrableDomain& domain)
index 97ea335..cf47f37 100644 (file)
@@ -200,7 +200,7 @@ private:
 
 #if ENABLE(RESOURCE_LOAD_STATISTICS)
     void removeStorageAccessForFrame(PAL::SessionID, uint64_t frameID, uint64_t pageID);
-    void removeStorageAccessForAllFramesOnPage(PAL::SessionID, uint64_t pageID);
+    void clearPageSpecificDataForResourceLoadStatistics(PAL::SessionID, uint64_t pageID);
 
     void logUserInteraction(PAL::SessionID, const RegistrableDomain&);
     void logWebSocketLoading(PAL::SessionID, const RegistrableDomain& targetDomain, const RegistrableDomain& topFrameDomain, WallTime lastSeen);
index bcf8944..9fc2127 100644 (file)
@@ -57,7 +57,7 @@ messages -> NetworkConnectionToWebProcess LegacyReceiver {
 
 #if ENABLE(RESOURCE_LOAD_STATISTICS)
     RemoveStorageAccessForFrame(PAL::SessionID sessionID, uint64_t frameID, uint64_t pageID);
-    RemoveStorageAccessForAllFramesOnPage(PAL::SessionID sessionID, uint64_t pageID);
+    ClearPageSpecificDataForResourceLoadStatistics(PAL::SessionID sessionID, uint64_t pageID);
     LogUserInteraction(PAL::SessionID sessionID, WebCore::RegistrableDomain domain)
     LogWebSocketLoading(PAL::SessionID sessionID, WebCore::RegistrableDomain targetDomain, WebCore::RegistrableDomain topFrameDomain, WallTime lastSeen)
     LogSubresourceLoading(PAL::SessionID sessionID, WebCore::RegistrableDomain targetDomain, WebCore::RegistrableDomain topFrameDomain, WallTime lastSeen)
index ffca9bc..55cbab8 100644 (file)
@@ -1179,6 +1179,23 @@ void NetworkProcess::resetCacheMaxAgeCapForPrevalentResources(PAL::SessionID ses
         ASSERT_NOT_REACHED();
     completionHandler();
 }
+
+void NetworkProcess::committedCrossSiteLoadWithLinkDecoration(PAL::SessionID sessionID, const RegistrableDomain& fromDomain, const RegistrableDomain& toDomain, uint64_t pageID)
+{
+    if (auto* networkStorageSession = storageSession(sessionID))
+        networkStorageSession->committedCrossSiteLoadWithLinkDecoration(fromDomain, toDomain, pageID);
+    else
+        ASSERT_NOT_REACHED();
+}
+
+void NetworkProcess::resetCrossSiteLoadsWithLinkDecorationForTesting(PAL::SessionID sessionID, CompletionHandler<void()>&& completionHandler)
+{
+    if (auto* networkStorageSession = storageSession(sessionID))
+        networkStorageSession->resetCrossSiteLoadsWithLinkDecorationForTesting();
+    else
+        ASSERT_NOT_REACHED();
+    completionHandler();
+}
 #endif // ENABLE(RESOURCE_LOAD_STATISTICS)
 
 bool NetworkProcess::sessionIsControlledByAutomation(PAL::SessionID sessionID) const
index 58a4c9e..532f3f7 100644 (file)
@@ -252,6 +252,8 @@ public:
     void setTopFrameUniqueRedirectTo(PAL::SessionID, const TopFrameDomain&, const RedirectedToDomain&, CompletionHandler<void()>&&);
     void setTopFrameUniqueRedirectFrom(PAL::SessionID, const TopFrameDomain&, const RedirectedFromDomain&, CompletionHandler<void()>&&);
     void registrableDomainsWithWebsiteData(PAL::SessionID, OptionSet<WebsiteDataType>, bool shouldNotifyPage, CompletionHandler<void(HashSet<RegistrableDomain>&&)>&&);
+    void committedCrossSiteLoadWithLinkDecoration(PAL::SessionID, const RegistrableDomain& fromDomain, const RegistrableDomain& toDomain, uint64_t pageID);
+    void resetCrossSiteLoadsWithLinkDecorationForTesting(PAL::SessionID, CompletionHandler<void()>&&);
 #endif
 
     using CacheStorageParametersCallback = CompletionHandler<void(const String&, uint64_t quota)>;
index 4dad906..e3a3dc7 100644 (file)
@@ -132,6 +132,8 @@ messages -> NetworkProcess LegacyReceiver {
     SetTopFrameUniqueRedirectTo(PAL::SessionID sessionID, WebCore::RegistrableDomain topFrameDomain, WebCore::RegistrableDomain redirectedToDomain) -> () Async
     SetTopFrameUniqueRedirectFrom(PAL::SessionID sessionID, WebCore::RegistrableDomain topFrameDomain, WebCore::RegistrableDomain redirectedFromDomain) -> () Async
     ResetCacheMaxAgeCapForPrevalentResources(PAL::SessionID sessionID) -> () Async
+    CommittedCrossSiteLoadWithLinkDecoration(PAL::SessionID sessionID, WebCore::RegistrableDomain fromDomain, WebCore::RegistrableDomain toDomain, uint64_t pageID)
+    ResetCrossSiteLoadsWithLinkDecorationForTesting(PAL::SessionID sessionID) -> () Async
 #endif
 
     SetSessionIsControlledByAutomation(PAL::SessionID sessionID, bool controlled);
index e318721..c0ebb87 100644 (file)
@@ -429,6 +429,7 @@ void WKWebsiteDataStoreStatisticsResetToConsistentState(WKWebsiteDataStoreRef da
     auto& store = WebKit::toImpl(dataStoreRef)->websiteDataStore();
     store.clearResourceLoadStatisticsInWebProcesses([callbackAggregator = callbackAggregator.copyRef()] { });
     store.resetCacheMaxAgeCapForPrevalentResources([callbackAggregator = callbackAggregator.copyRef()] { });
+    store.resetCrossSiteLoadsWithLinkDecorationForTesting([callbackAggregator = callbackAggregator.copyRef()] { });
     store.resetParametersToDefaultValues([callbackAggregator = callbackAggregator.copyRef()] { });
     store.scheduleClearInMemoryAndPersistent(ShouldGrandfatherStatistics::No, [callbackAggregator = callbackAggregator.copyRef()] { });
 #else
index 7940fdd..c3bb3cf 100644 (file)
@@ -931,6 +931,16 @@ void NetworkProcessProxy::notifyResourceLoadStatisticsTelemetryFinished(unsigned
 
     WebProcessProxy::notifyPageStatisticsTelemetryFinished(API::Dictionary::create(messageBody).ptr());
 }
+
+void NetworkProcessProxy::resetCrossSiteLoadsWithLinkDecorationForTesting(PAL::SessionID sessionID, CompletionHandler<void()>&& completionHandler)
+{
+    if (!canSendMessage()) {
+        completionHandler();
+        return;
+    }
+    
+    sendWithAsyncReply(Messages::NetworkProcess::ResetCrossSiteLoadsWithLinkDecorationForTesting(sessionID), WTFMove(completionHandler));
+}
 #endif // ENABLE(RESOURCE_LOAD_STATISTICS)
 
 void NetworkProcessProxy::sendProcessWillSuspendImminently()
index 4c51f2f..e315408 100644 (file)
@@ -144,6 +144,7 @@ public:
     void setResourceLoadStatisticsDebugMode(PAL::SessionID, bool debugMode, CompletionHandler<void()>&&);
     void setShouldClassifyResourcesBeforeDataRecordsRemoval(PAL::SessionID, bool, CompletionHandler<void()>&&);
     void resetCacheMaxAgeCapForPrevalentResources(PAL::SessionID, CompletionHandler<void()>&&);
+    void resetCrossSiteLoadsWithLinkDecorationForTesting(PAL::SessionID, CompletionHandler<void()>&&);
 #endif
 
     void processReadyToSuspend();
index ccdfdd7..80591d3 100644 (file)
@@ -4048,6 +4048,13 @@ void WebPageProxy::clearLoadDependentCallbacks()
     }
 }
 
+#if ENABLE(RESOURCE_LOAD_STATISTICS)
+static bool isNonUniqueNavigationWithLinkDecoration(const SecurityOriginData requesterOrigin, const URL& currentURL)
+{
+    return !requesterOrigin.securityOrigin()->isUnique() && (!currentURL.query().isEmpty() || !currentURL.fragmentIdentifier().isEmpty());
+}
+#endif
+
 void WebPageProxy::didCommitLoadForFrame(uint64_t frameID, uint64_t navigationID, const String& mimeType, bool frameHasCustomContentProvider, uint32_t opaqueFrameLoadType, const WebCore::CertificateInfo& certificateInfo, bool containsPluginDocument, Optional<HasInsecureContent> hasInsecureContent, const UserData& userData)
 {
     LOG(Loading, "(Loading) WebPageProxy %" PRIu64 " didCommitLoadForFrame in navigation %" PRIu64, m_pageID, m_navigationID);
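Review bot: isNonUniqueNavigationWithLinkDecoration() takes requesterOrigin as const SecurityOriginData by value, which copies the origin on every call; a const reference would match the URL parameter next to it. A short comment that any non-empty query or fragment counts as link decoration would also document how broad the check is.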
@@ -4061,8 +4068,19 @@ void WebPageProxy::didCommitLoadForFrame(uint64_t frameID, uint64_t navigationID
 
     // FIXME: We should message check that navigationID is not zero here, but it's currently zero for some navigations through the page cache.
     RefPtr<API::Navigation> navigation;
-    if (frame->isMainFrame() && navigationID)
+    if (frame->isMainFrame() && navigationID) {
         navigation = navigationState().navigation(navigationID);
+#if ENABLE(RESOURCE_LOAD_STATISTICS)
+        auto requesterOrigin = navigation->lastNavigationAction().requesterOrigin;
+        auto currentURL = navigation->currentRequest().url();
+        if (isNonUniqueNavigationWithLinkDecoration(requesterOrigin, currentURL)) {
+            RegistrableDomain currentDomain { currentURL };
+            URL requesterURL { URL(), requesterOrigin.toString() };
+            if (!currentDomain.matches(requesterURL))
+                m_process->processPool().sendToNetworkingProcess(Messages::NetworkProcess::CommittedCrossSiteLoadWithLinkDecoration(m_websiteDataStore->sessionID(), RegistrableDomain { requesterURL }, currentDomain, m_pageID));
+        }
+#endif
+    }
 
     m_hasCommittedAnyProvisionalLoads = true;
     m_process->didCommitProvisionalLoad();
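Review bot: inside the new block, navigation is dereferenced (navigation->lastNavigationAction()) immediately after navigationState().navigation(navigationID) with no null check, while the FIXME just above notes that navigation IDs are not fully reliable at this point. Suggest guarding the RESOURCE_LOAD_STATISTICS block with if (navigation) so a failed lookup cannot crash the UI process.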
index acea90c..728324d 100644 (file)
@@ -1753,6 +1753,16 @@ void WebsiteDataStore::setGrandfathered(const URL& url, bool isGrandfathered, Co
             process->setGrandfathered(m_sessionID, RegistrableDomain { url }, isGrandfathered, [callbackAggregator = callbackAggregator.copyRef()] { });
     }
 }
+
+void WebsiteDataStore::resetCrossSiteLoadsWithLinkDecorationForTesting(CompletionHandler<void()>&& completionHandler)
+{
+    auto callbackAggregator = CallbackAggregator::create(WTFMove(completionHandler));
+    
+    for (auto& processPool : processPools()) {
+        if (auto* networkProcess = processPool->networkProcess())
+            networkProcess->resetCrossSiteLoadsWithLinkDecorationForTesting(m_sessionID, [callbackAggregator = callbackAggregator.copyRef()] { });
+    }
+}
 #endif // ENABLE(RESOURCE_LOAD_STATISTICS)
 
 void WebsiteDataStore::setCacheMaxAgeCapForPrevalentResources(Seconds seconds, CompletionHandler<void()>&& completionHandler)
index b6323a9..0c635cf 100644 (file)
@@ -167,6 +167,7 @@ public:
     void requestStorageAccess(const String& subFrameHost, const String& topFrameHost, uint64_t frameID, uint64_t pageID, bool promptEnabled, CompletionHandler<void(StorageAccessStatus)>&&);
     void grantStorageAccess(String&& subFrameHost, String&& topFrameHost, uint64_t frameID, uint64_t pageID, bool userWasPrompted, CompletionHandler<void(bool)>&&);
     void setSubframeUnderTopFrameDomain(const URL& subframe, const URL& topFrame);
+    void resetCrossSiteLoadsWithLinkDecorationForTesting(CompletionHandler<void()>&&);
 #endif
     void setCacheMaxAgeCapForPrevalentResources(Seconds, CompletionHandler<void()>&&);
     void resetCacheMaxAgeCapForPrevalentResources(CompletionHandler<void()>&&);
index b4c585c..269f6ad 100644 (file)
@@ -1236,7 +1236,7 @@ void WebPage::close()
         return;
 
 #if ENABLE(RESOURCE_LOAD_STATISTICS)
-    WebProcess::singleton().ensureNetworkProcessConnection().connection().send(Messages::NetworkConnectionToWebProcess::RemoveStorageAccessForAllFramesOnPage(sessionID(), m_pageID), 0);
+    WebProcess::singleton().ensureNetworkProcessConnection().connection().send(Messages::NetworkConnectionToWebProcess::ClearPageSpecificDataForResourceLoadStatistics(sessionID(), m_pageID), 0);
 #endif
 
     m_isClosed = true;