diff --git a/common/brave_cookie_blocking.cc b/common/brave_cookie_blocking.cc
index 44f25dce1750..15286459ef83 100644
--- a/common/brave_cookie_blocking.cc
+++ b/common/brave_cookie_blocking.cc
@@ -2,6 +2,7 @@
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "url/gurl.h"
+#include "brave/common/shield_exceptions.h"
 
 bool ShouldBlockCookie(bool allow_brave_shields, bool allow_1p_cookies,
 bool allow_3p_cookies, const GURL& primary_url,
 const GURL& url) {
@@ -24,6 +25,11 @@ bool ShouldBlockCookie(bool allow_brave_shields, bool allow_1p_cookies,
 return false;
 }
 
+ // If it is whitelisted, we shouldn't block
+ if (brave::IsWhitelistedCookieException(primary_url, url)) {
+ return false;
+ }
+
 // Same TLD+1 whouldn't set the referrer
 return !SameDomainOrHost(url, primary_url,
 net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
diff --git a/common/shield_exceptions.cc b/common/shield_exceptions.cc
index c3400ff89a9a..278e0342cddd 100644
--- a/common/shield_exceptions.cc
+++ b/common/shield_exceptions.cc
@@ -103,10 +103,26 @@ bool IsWhitelistedReferrer(const GURL& firstPartyOrigin,
 });
 }
 
-bool IsWhitelistedCookieExeption(const GURL& firstPartyOrigin,
+bool IsWhitelistedCookieException(const GURL& firstPartyOrigin,
 const GURL& subresourceUrl) {
 // Note that there's already an exception for TLD+1, so don't add those here.
 // Check with the security team before adding exceptions.
+
+ // 1st-party-INdependent whitelist
+ std::vector fpi_whitelist_patterns = {
+ URLPattern(URLPattern::SCHEME_ALL,
+ "https://accounts.google.com/o/oauth2/*")
+ };
+ bool any_match = std::any_of(fpi_whitelist_patterns.begin(),
+ fpi_whitelist_patterns.end(),
+ [&subresourceUrl](const URLPattern& pattern) {
+ return pattern.MatchesURL(subresourceUrl);
+ });
+ if (any_match) {
+ return true;
+ }
+
+ // 1st-party-dependent whitelist
 static std::map > whitelist_patterns = {};
 std::map >::iterator i =
 whitelist_patterns.find(firstPartyOrigin);
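Review bot: The new `#include "brave/common/shield_exceptions.h"` is appended after `url/gurl.h`, which breaks the alphabetical order the neighbouring includes appear to follow (`net/...` before `url/...`); `brave/...` sorts ahead of both. Move it above the `net/base/registry_controlled_domains/...` line. The top of the include block is outside the hunk, so check whether an existing project-include group is the right home for it.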
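Review bot: The early return inserted before the TLD+1 check lets a shield exception unblock a cookie for any embedding site, because the first-party-independent entries in `IsWhitelistedCookieException` only look at the subresource URL; whether an explicit user choice to block cookies (`allow_1p_cookies`/`allow_3p_cookies` false) has already returned true in the checks above the hunk cannot be seen here and should be confirmed, otherwise the curated list overrides a user setting. The comment should state what is granted instead of restating the `if`: `// Curated third-party cookie exceptions (shield_exceptions.cc). Some entries ignore primary_url, so this must stay below the shields and cookie-setting checks above.` ShouldBlockCookie begins outside the hunk.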
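Review bot: `fpi_whitelist_patterns` is constructed, and its `URLPattern` re-parsed, on every call, while the first-party-dependent `whitelist_patterns` a few lines below is `static`; this function sits on the cookie-access path, so make the list `static const std::vector<URLPattern> fpi_whitelist_patterns = {` (the element type looks stripped in this rendering; it is presumably `URLPattern`). `std::any_of` also needs `<algorithm>`, and the include block is outside the hunk. Since these entries deliberately bypass the `firstPartyOrigin` check, the existing "Check with the security team" note should spell out the constraint that keeps them acceptable: `// Entries here match the subresource URL alone, regardless of the embedding site. Keep them path-scoped (a specific endpoint such as /o/oauth2/*), never a whole host.`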
diff --git a/common/shield_exceptions.h b/common/shield_exceptions.h
index 6924a8815919..f9c93ca3631c 100644
--- a/common/shield_exceptions.h
+++ b/common/shield_exceptions.h
@@ -8,8 +8,8 @@ namespace brave {
 bool IsUAWhitelisted(const GURL& gurl);
 bool IsBlockedResource(const GURL& gurl);
-bool IsWhitelistedCookieExeption(const GURL& firstPartyOrigin,
- const GURL& subresourceUrl);
+bool IsWhitelistedCookieException(const GURL& firstPartyOrigin,
+ const GURL& subresourceUrl);
 bool IsWhitelistedReferrer(const GURL& firstPartyOrigin,
 const GURL& subresourceUrl);
diff --git a/common/shield_exceptions_unittest.cc b/common/shield_exceptions_unittest.cc
index 0e17ec8d2d02..c27f7736fcd2 100644
--- a/common/shield_exceptions_unittest.cc
+++ b/common/shield_exceptions_unittest.cc
@@ -11,6 +11,7 @@ namespace {
 typedef testing::Test BraveShieldsExceptionsTest;
 using brave::IsWhitelistedReferrer;
+using brave::IsWhitelistedCookieException;
 TEST_F(BraveShieldsExceptionsTest, IsWhitelistedReferrer) {
 // *.fbcdn.net not allowed on some other URL
@@ -55,4 +56,12 @@ TEST_F(BraveShieldsExceptionsTest, IsWhitelistedReferrer) {
 GURL("https://ajax.googleapis.com/ajax/libs/d3js/5.7.0/d3.min.js")));
 }
 
+TEST_F(BraveShieldsExceptionsTest, IsWhitelistedCookieException) {
+ // Cookie exceptions for Google auth domains
+ EXPECT_TRUE(IsWhitelistedCookieException(GURL("https://www.airbnb.com/"),
+ GURL("https://accounts.google.com/o/oauth2/iframe")));
+ EXPECT_FALSE(IsWhitelistedCookieException(GURL("https://www.mozilla.org/"),
+ GURL("https://www.googletagmanager.com/gtm.js")));
+}
+
 } // namespace
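Review bot: The new test covers one matching URL and one unrelated host, but nothing pins the path restriction that makes the first-party-independent entry acceptable: a URL on `accounts.google.com` outside `/o/oauth2/` should still be rejected, and a later widening of the pattern to the whole host would pass this test unnoticed. Add a negative case on the same host (constructed example): `EXPECT_FALSE(IsWhitelistedCookieException(GURL("https://www.airbnb.com/"), GURL("https://accounts.google.com/ServiceLogin")));`. An `http://` variant of the oauth2 path is also worth an `EXPECT_FALSE`, since the pattern in shield_exceptions.cc spells `https://` explicitly and the scheme restriction should be locked in.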