[FedCM] Don't send SameSite=Strict cookies for FedCM requests

See w3c-fedid/FedCM#320 (comment)

Bug: 329145816
Change-Id: I6408255a01118cd5ac4d0d0263a34051796dc301

credential-management/support/fedcm-helper.sub.js

@@ -22,7 +22,7 @@ export function open_and_wait_for_popup(origin, path) {
 // Set the identity provider cookie.
 export function set_fedcm_cookie(host) {
   if (host == undefined) {
-    document.cookie = 'cookie=1; SameSite=Strict; Path=/credential-management/support; Secure';
+    document.cookie = 'cookie=1; SameSite=None; Path=/credential-management/support; Secure';
     return Promise.resolve();
   } else {
     return open_and_wait_for_popup(host, '/credential-management/support/set_cookie');

credential-management/support/fedcm/request-params-check.py

@@ -17,7 +17,7 @@ def commonUncredentialedRequestCheck(request):
 def commonCredentialedRequestCheck(request):
   if request.cookies.get(b"cookie") != b"1":
     return (537, [], "Missing cookie")
-  if request.headers.get(b"Sec-Fetch-Site") != b"none":
+  if request.headers.get(b"Sec-Fetch-Site") == b"none":
     return (538, [], "Wrong Sec-Fetch-Site header")
 
 def commonPostCheck(request):
@@ -76,6 +76,11 @@ def tokenCheck(request):
   if (post_error):
     return post_error
 
+  # This check cannot be in commonCredentialedRequestCheck because user info
+  # does send SameSite=Strict cookies as it is initiated from a same-origin
+  # iframe.
+  if request.cookies.get(b"same_site_strict") == b"1":
+    return (546, [], "Should not send SameSite=Strict cookies")
   if not request.POST.get(b"account_id"):
     return (544, [], "Missing 'account_id' POST parameter")
   if not request.POST.get(b"disclosure_text_shown"):

credential-management/support/set_cookie.headers

@@ -1,2 +1,3 @@
 Content-Type: text/html
 Set-Cookie: cookie=1; SameSite=None; Secure
+Set-Cookie: same_site_strict=1; SameSite=Strict; Secure