1st-party-independent cookie exception for Google auth (fixes brave/b…

…rave-browser#3534) This also fixes brave/brave-browser#3115 and brave/brave-browser#1179.
brave · Mar 1, 2019 · ee53f9a · ee53f9a
1 parent 680cb0f
commit ee53f9a
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 3 deletions.
diff --git a/common/brave_cookie_blocking.cc b/common/brave_cookie_blocking.cc
@@ -2,6 +2,7 @@
 
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "url/gurl.h"
+#include "brave/common/shield_exceptions.h"
 
 bool ShouldBlockCookie(bool allow_brave_shields, bool allow_1p_cookies,
     bool allow_3p_cookies, const GURL& primary_url, const GURL& url) {
@@ -24,6 +25,11 @@ bool ShouldBlockCookie(bool allow_brave_shields, bool allow_1p_cookies,
     return false;
   }
 
+  // If it is whitelisted, we shouldn't block
+  if (brave::IsWhitelistedCookieException(primary_url, url)) {
+    return false;
+  }
+
   // Same TLD+1 whouldn't set the referrer
   return !SameDomainOrHost(url, primary_url,
       net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);

diff --git a/common/shield_exceptions.cc b/common/shield_exceptions.cc
@@ -113,10 +113,26 @@ bool IsWhitelistedReferrer(const GURL& firstPartyOrigin,
     });
 }
 
-bool IsWhitelistedCookieExeption(const GURL& firstPartyOrigin,
+bool IsWhitelistedCookieException(const GURL& firstPartyOrigin,
     const GURL& subresourceUrl) {
   // Note that there's already an exception for TLD+1, so don't add those here.
   // Check with the security team before adding exceptions.
+
+  // 1st-party-INdependent whitelist
+  std::vector<URLPattern> fpi_whitelist_patterns = {
+    URLPattern(URLPattern::SCHEME_ALL,
+        "https://accounts.google.com/o/oauth2/*")
+  };
+  bool any_match = std::any_of(fpi_whitelist_patterns.begin(),
+      fpi_whitelist_patterns.end(),
+      [&subresourceUrl](const URLPattern& pattern) {
+        return pattern.MatchesURL(subresourceUrl);
+      });
+  if (any_match) {
+    return true;
+  }
+
+  // 1st-party-dependent whitelist
   static std::map<GURL, std::vector<URLPattern> > whitelist_patterns = {};
   std::map<GURL, std::vector<URLPattern> >::iterator i =
       whitelist_patterns.find(firstPartyOrigin);

diff --git a/common/shield_exceptions.h b/common/shield_exceptions.h
@@ -9,8 +9,8 @@ namespace brave {
 bool IsEmptyDataURLRedirect(const GURL& gurl);
 bool IsUAWhitelisted(const GURL& gurl);
 bool IsBlockedResource(const GURL& gurl);
-bool IsWhitelistedCookieExeption(const GURL& firstPartyOrigin,
-                                 const GURL& subresourceUrl);
+bool IsWhitelistedCookieException(const GURL& firstPartyOrigin,
+                                  const GURL& subresourceUrl);
 bool IsWhitelistedReferrer(const GURL& firstPartyOrigin,
                            const GURL& subresourceUrl);
 

diff --git a/common/shield_exceptions_unittest.cc b/common/shield_exceptions_unittest.cc
@@ -11,6 +11,7 @@ namespace {
 
 typedef testing::Test BraveShieldsExceptionsTest;
 using brave::IsWhitelistedReferrer;
+using brave::IsWhitelistedCookieException;
 
 TEST_F(BraveShieldsExceptionsTest, IsWhitelistedReferrer) {
   // *.fbcdn.net not allowed on some other URL
@@ -55,4 +56,12 @@ TEST_F(BraveShieldsExceptionsTest, IsWhitelistedReferrer) {
       GURL("https://ajax.googleapis.com/ajax/libs/d3js/5.7.0/d3.min.js")));
 }
 
+TEST_F(BraveShieldsExceptionsTest, IsWhitelistedCookieException) {
+  // Cookie exceptions for Google auth domains
+  EXPECT_TRUE(IsWhitelistedCookieException(GURL("https://www.airbnb.com/"),
+      GURL("https://accounts.google.com/o/oauth2/iframe")));
+  EXPECT_FALSE(IsWhitelistedCookieException(GURL("https://www.mozilla.org/"),
+      GURL("https://www.googletagmanager.com/gtm.js")));
+}
+
 }  // namespace