RESOLVED FIXED 209761
Experimental: Enforce SameSite=strict for domains classified as bounce trackers 
https://bugs.webkit.org/show_bug.cgi?id=209761
Summary Experimental: Enforce SameSite=strict for domains classified as bounce trackers
John Wilander
Reported 2020-03-30 13:19:45 PDT
Domains that are classified as bounce trackers and hit a certain threshold of unique top frame redirects should have their cookies rewritten as SameSite=strict.
Attachments
Patch (75.42 KB, patch)
2020-03-30 13:46 PDT, John Wilander 		no flags
DetailsFormatted DiffDiff
Patch (78.40 KB, patch)
2020-03-30 17:36 PDT, John Wilander 		no flags
DetailsFormatted DiffDiff
Patch for landing (78.44 KB, patch)
2020-03-30 18:47 PDT, John Wilander 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
John Wilander
Comment 1 2020-03-30 13:19:56 PDT
<rdar://problem/59394943>
John Wilander
Comment 2 2020-03-30 13:46:44 PDT
Created attachment 394957 [details] Patch
John Wilander
Comment 3 2020-03-30 15:05:56 PDT
Ugh. The tests are failing on mac-wk2 because that bot is on a version of macOS which lacks the CFNetwork APIs. I'll update the expectations file accordingly before landing.
Kate Cheney
Comment 4 2020-03-30 15:20:47 PDT
Comment on attachment 394957 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394957&action=review > Source/WebKit/NetworkProcess/Classifier/ResourceLoadStatisticsDatabaseStore.cpp:1653 > + return; Probably need to call the completionHandler here in case of a database I/O error. > Source/WebKit/NetworkProcess/Classifier/ResourceLoadStatisticsDatabaseStore.cpp:1718 > ASSERT_NOT_REACHED(); Nice catch! > Source/WebKit/NetworkProcess/Classifier/ResourceLoadStatisticsDatabaseStore.cpp:2068 > + result = ensureResourceStatisticsForRegistrableDomain(redirectDomain); This is not necessary, it is done already in ResourceLoadStatisticsDatabaseStore::ensureAndMakeDomainList. > Source/WebKit/NetworkProcess/Classifier/ResourceLoadStatisticsDatabaseStore.cpp:2280 > + Nice! :) > Source/WebKit/NetworkProcess/Classifier/ResourceLoadStatisticsMemoryStore.cpp:455 > + RELEASE_LOG_INFO_IF(debugLoggingEnabled(), ITPDebug, "Did set %" PUBLIC_LOG_STRING " as making a top frame redirect to %" PUBLIC_LOG_STRING ".", sourceDomain.string().utf8().data(), targetDomain.string().utf8().data()); Did you mean to add logging even if the if-statement is false? > LayoutTests/http/tests/resourceLoadStatistics/enforce-samesite-strict-based-on-top-frame-unique-redirects-to-database.html:33 > + finishJSTest(); setEnableFeature(false, finishJSTest)? > LayoutTests/http/tests/resourceLoadStatistics/enforce-samesite-strict-based-on-top-frame-unique-redirects-to-database.html:49 > + finishJSTest(); Ditto. > LayoutTests/http/tests/resourceLoadStatistics/enforce-samesite-strict-based-on-top-frame-unique-redirects-to.html:49 > + finishJSTest(); Ditto > LayoutTests/http/tests/resourceLoadStatistics/enforce-samesite-strict-based-on-top-frame-unique-redirects-to.html:74 > + finishJSTest(); Ditto.
John Wilander
Comment 5 2020-03-30 17:13:31 PDT
(In reply to katherine_cheney from comment #4) > Comment on attachment 394957 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=394957&action=review > > > Source/WebKit/NetworkProcess/Classifier/ResourceLoadStatisticsDatabaseStore.cpp:1653 > > + return; > > Probably need to call the completionHandler here in case of a database I/O > error. Good catch! Will fix. > > Source/WebKit/NetworkProcess/Classifier/ResourceLoadStatisticsDatabaseStore.cpp:1718 > > ASSERT_NOT_REACHED(); > > Nice catch! Yeah, I was working my way thorough existing functionality to design mine and came across this copy pasta. > > Source/WebKit/NetworkProcess/Classifier/ResourceLoadStatisticsDatabaseStore.cpp:2068 > > + result = ensureResourceStatisticsForRegistrableDomain(redirectDomain); > > This is not necessary, it is done already in > ResourceLoadStatisticsDatabaseStore::ensureAndMakeDomainList. I kind of suspected that since we hadn't seen issues in testing. I'll just remove the comment then. > > Source/WebKit/NetworkProcess/Classifier/ResourceLoadStatisticsDatabaseStore.cpp:2280 > > + > > Nice! :) Yes, I find this part especially nice. > > Source/WebKit/NetworkProcess/Classifier/ResourceLoadStatisticsMemoryStore.cpp:455 > > + RELEASE_LOG_INFO_IF(debugLoggingEnabled(), ITPDebug, "Did set %" PUBLIC_LOG_STRING " as making a top frame redirect to %" PUBLIC_LOG_STRING ".", sourceDomain.string().utf8().data(), targetDomain.string().utf8().data()); > > Did you mean to add logging even if the if-statement is false? Yes, since the two if statements are only false if the entry already exists and I wanted the log to show the event for any developer looking. > > LayoutTests/http/tests/resourceLoadStatistics/enforce-samesite-strict-based-on-top-frame-unique-redirects-to-database.html:33 > > + finishJSTest(); > > setEnableFeature(false, finishJSTest)? Good catch! > > LayoutTests/http/tests/resourceLoadStatistics/enforce-samesite-strict-based-on-top-frame-unique-redirects-to-database.html:49 > > + finishJSTest(); > > Ditto. > > > LayoutTests/http/tests/resourceLoadStatistics/enforce-samesite-strict-based-on-top-frame-unique-redirects-to.html:49 > > + finishJSTest(); > > Ditto > > > LayoutTests/http/tests/resourceLoadStatistics/enforce-samesite-strict-based-on-top-frame-unique-redirects-to.html:74 > > + finishJSTest(); > > Ditto. Thanks for the review! I'll fix all the relevant things. (And thanks for the help on the DB query stuff.)
John Wilander
Comment 6 2020-03-30 17:36:41 PDT
Created attachment 394993 [details] Patch
Brent Fulgham
Comment 7 2020-03-30 18:11:08 PDT
Comment on attachment 394993 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394993&action=review > Source/WebKit/NetworkProcess/Classifier/ResourceLoadStatisticsDatabaseStore.cpp:1740 > + RELEASE_LOG_ERROR_IF_ALLOWED(m_sessionID, "%p - ResourceLoadStatisticsDatabaseStore::clearUserInteraction failed to bind, error message: %{private}s", this, m_database.lastErrorMsg()); Oops! :-)
John Wilander
Comment 8 2020-03-30 18:41:53 PDT
Thanks, Brent! I'll put it on the queue given that the ios-wk2 bot was happy with the previous patch.
EWS
Comment 9 2020-03-30 18:42:57 PDT
ChangeLog entry in Source/WebCore/ChangeLog contains OOPS!.
John Wilander
Comment 10 2020-03-30 18:47:49 PDT
Created attachment 395001 [details] Patch for landing
EWS
Comment 11 2020-03-30 19:45:44 PDT
Committed r259275: <https://trac.webkit.org/changeset/259275> All reviewed patches have been landed. Closing bug and clearing flags on attachment 395001 [details].
Note You need to log in before you can comment on or make changes to this bug.