1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Brought to you by number 42.
#ifndef NET_COOKIES_COOKIE_OPTIONS_H_
#define NET_COOKIES_COOKIE_OPTIONS_H_
#include "base/time/time.h"
#include "net/base/net_export.h"
#include "net/cookies/cookie_constants.h"
#include "url/gurl.h"
namespace net {
class NET_EXPORT CookieOptions {
public:
// Relation between the cookie and the navigational environment.
class NET_EXPORT SameSiteCookieContext {
public:
// CROSS_SITE to SAME_SITE_STRICT are ordered from least to most trusted
// environment. Don't renumber, used in histograms.
enum class ContextType {
CROSS_SITE = 0,
// Same rules as lax but the http method is unsafe.
SAME_SITE_LAX_METHOD_UNSAFE = 1,
SAME_SITE_LAX = 2,
SAME_SITE_STRICT = 3,
// Keep last, used for histograms.
COUNT
};
// Used for when, and in what direction, same-site requests and responses
// are made in a cross-scheme context. Currently only used for metrics
// gathering and does not affect cookie behavior.
enum class CrossSchemeness {
NONE,
INSECURE_SECURE, // Insecure site-for-cookies, secure request/response
SECURE_INSECURE // Secure site-for-cookies, insecure request/response
};
SameSiteCookieContext() : SameSiteCookieContext(ContextType::CROSS_SITE) {}
explicit SameSiteCookieContext(
ContextType same_site_context,
CrossSchemeness cross_schemeness = CrossSchemeness::NONE)
: context(same_site_context), cross_schemeness(cross_schemeness) {}
// Convenience method which returns a SameSiteCookieContext with the most
// inclusive context. This allows access to all SameSite cookies.
static SameSiteCookieContext MakeInclusive();
// The following functions are for conversion to the previous style of
// SameSiteCookieContext for metrics usage. This may be removed when the
// metrics using them are also removed.
// Used as the "COUNT" entry in a histogram enum.
static constexpr int64_t MetricCount() {
return (static_cast<int>(ContextType::SAME_SITE_STRICT) |
kToInsecureMask) +
1;
}
int64_t ConvertToMetricsValue() const;
ContextType context;
CrossSchemeness cross_schemeness;
private:
// The following variables are for conversion to the previous style of
// SameSiteCookieContext for metrics usage. This may be removed when the
// metrics using them are also removed.
// Mask indicating insecure site-for-cookies and secure request/response.
static const int kToSecureMask = 1 << 5;
// Mask indicating secure site-for-cookies and insecure request/response.
static const int kToInsecureMask = kToSecureMask << 1;
};
// Creates a CookieOptions object which:
//
// * Excludes HttpOnly cookies
// * Excludes SameSite cookies
// * Updates last-accessed time.
// * Does not report excluded cookies in APIs that can do so.
//
// These settings can be altered by calling:
//
// * |set_{include,exclude}_httponly()|
// * |set_same_site_cookie_context(
// CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT)|
// * |set_do_not_update_access_time()|
CookieOptions();
void set_exclude_httponly() { exclude_httponly_ = true; }
void set_include_httponly() { exclude_httponly_ = false; }
bool exclude_httponly() const { return exclude_httponly_; }
// How trusted is the current browser environment when it comes to accessing
// SameSite cookies. Default is not trusted, e.g. CROSS_SITE.
void set_same_site_cookie_context(SameSiteCookieContext context) {
same_site_cookie_context_ = context;
}
// Strips off the cross-scheme bits to only return the same-site context.
SameSiteCookieContext same_site_cookie_context() const {
return same_site_cookie_context_;
}
void set_update_access_time() { update_access_time_ = true; }
void set_do_not_update_access_time() { update_access_time_ = false; }
bool update_access_time() const { return update_access_time_; }
void set_return_excluded_cookies() { return_excluded_cookies_ = true; }
void unset_return_excluded_cookies() { return_excluded_cookies_ = false; }
bool return_excluded_cookies() const { return return_excluded_cookies_; }
// Convenience method for where you need a CookieOptions that will
// work for getting/setting all types of cookies, including HttpOnly and
// SameSite cookies. Also specifies not to update the access time, because
// usually this is done to get all the cookies to check that they are correct,
// including the creation time. This basically makes a CookieOptions that is
// the opposite of the default CookieOptions.
static CookieOptions MakeAllInclusive();
private:
bool exclude_httponly_;
SameSiteCookieContext same_site_cookie_context_;
bool update_access_time_;
bool return_excluded_cookies_;
};
NET_EXPORT bool operator==(const CookieOptions::SameSiteCookieContext& lhs,
const CookieOptions::SameSiteCookieContext& rhs);
NET_EXPORT bool operator!=(const CookieOptions::SameSiteCookieContext& lhs,
const CookieOptions::SameSiteCookieContext& rhs);
} // namespace net
#endif // NET_COOKIES_COOKIE_OPTIONS_H_
|
