-
Notifications
You must be signed in to change notification settings - Fork 3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[FedCM] Don't send SameSite=Strict cookies for FedCM requests
See w3c-fedid/FedCM#320 (comment) Bug: 329145816 Change-Id: I6408255a01118cd5ac4d0d0263a34051796dc301
- Loading branch information
1 parent
2d1637c
commit b71cde5
Showing
7 changed files
with
77 additions
and
3 deletions.
There are no files selected for viewing
25 changes: 25 additions & 0 deletions
25
credential-management/fedcm-same-site-none/fedcm-same-site-none.https.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| <!DOCTYPE html> | ||
| <title>Federated Credential Management API SameSite=None tests.</title> | ||
| <link rel="help" href="https://fedidcg.github.io/FedCM"> | ||
| <script src="/resources/testharness.js"></script> | ||
| <script src="/resources/testharnessreport.js"></script> | ||
| <script src="/resources/testdriver.js"></script> | ||
| <script src="/resources/testdriver-vendor.js"></script> | ||
|
|
||
| <body> | ||
|
|
||
| <script type="module"> | ||
| import {fedcm_test, | ||
| alt_request_options_with_mediation_required, | ||
| select_manifest, | ||
| fedcm_get_and_select_first_account} from '../support/fedcm-helper.sub.js'; | ||
|
|
||
| fedcm_test(async t => { | ||
| const options = alt_request_options_with_mediation_required('manifest_check_same_site_strict.json'); | ||
| await select_manifest(t, options); | ||
| const cred = await fedcm_get_and_select_first_account(t, options); | ||
| assert_equals(cred.token, "token"); | ||
| assert_equals(cred.isAutoSelected, false); | ||
| }, "FedCM requests should be considered cross-origin and therefore not send SameSite=Strict cookies."); | ||
|
|
||
| </script> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
28 changes: 28 additions & 0 deletions
28
credential-management/support/fedcm/accounts_check_same_site_strict.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| import importlib | ||
| error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check") | ||
|
|
||
| def main(request, response): | ||
| request_error = error_checker.accountsCheck(request) | ||
| if (request_error): | ||
| return request_error | ||
| if request.cookies.get(b"same_site_strict") == b"1": | ||
| return (546, [], "Should not send SameSite=Strict cookies") | ||
| if request.headers.get(b"Sec-Fetch-Site") != b"cross-site": | ||
| return (538, [], "Wrong Sec-Fetch-Site header") | ||
|
|
||
| response.headers.set(b"Content-Type", b"application/json") | ||
|
|
||
| return """ | ||
| { | ||
| "accounts": [{ | ||
| "id": "1234", | ||
| "given_name": "John", | ||
| "name": "John Doe", | ||
| "email": "[email protected]", | ||
| "picture": "https://idp.example/profile/123", | ||
| "approved_clients": ["123", "456", "789"], | ||
| "login_hints": ["john_doe"], | ||
| "domain_hints": ["idp.example", "example"] | ||
| }] | ||
| } | ||
| """ |
7 changes: 7 additions & 0 deletions
7
credential-management/support/fedcm/manifest_check_same_site_strict.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| { | ||
| "accounts_endpoint": "accounts_check_same_site_strict.py", | ||
| "client_metadata_endpoint": "client_metadata.py", | ||
| "id_assertion_endpoint": "token_check_same_site_strict.py", | ||
| "login_url": "login.html" | ||
| } | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
15 changes: 15 additions & 0 deletions
15
credential-management/support/fedcm/token_check_same_site_strict.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| import importlib | ||
| error_checker = importlib.import_module("credential-management.support.fedcm.request-params-check") | ||
|
|
||
| def main(request, response): | ||
| request_error = error_checker.tokenCheck(request) | ||
| if (request_error): | ||
| return request_error | ||
| if request.cookies.get(b"same_site_strict") == b"1": | ||
| return (546, [], "Should not send SameSite=Strict cookies") | ||
|
|
||
| response.headers.set(b"Content-Type", b"application/json") | ||
| response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin")) | ||
| response.headers.set(b"Access-Control-Allow-Credentials", "true") | ||
|
|
||
| return "{\"token\": \"token\"}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,3 @@ | ||
| Content-Type: text/html | ||
| Set-Cookie: cookie=1; SameSite=None; Secure | ||
| Set-Cookie: same_site_strict=1; SameSite=Strict; Secure |