Add ephemeral storage support for JavaScript cookies

[mrobinson]

This change adds a new class EphemeralStoragePartition which provides
access to an ephemeral version of a RestrictedCookieManager for the
content process. In an upcoming change this will also provide a
StoragePartition for navigation requests in third-party frames in order
to add support for navigation cookies.

Resolves brave/brave-browser#12591

Submitter Checklist:

• Submitted a ticket for my issue if one did not already exist.
• Used Github auto-closing keywords in the commit message.
• Added/updated tests for this change (for new code or code which already has tests).
• Verified that these changes build without errors on
  • Android
  • iOS
  • Linux
  • macOS
  • Windows
• Verified that these changes pass automated tests (unit, browser, security tests) on
  • iOS
  • Linux
  • macOS
  • Windows
• Verified that all lint errors/warnings are resolved (npm run lint, npm run gn_check)
• Ran git rebase master (if needed).
• Ran git rebase -i to squash commits (if needed).
• Tagged reviewers and labelled the pull request as needed.
• Requested a security/privacy review as needed.
• Added appropriate QA labels (QA/Yes or QA/No) to the associated issue
• Added appropriate release note labels (release-notes/include or release-notes/exclude) to the associated issue
• Public documentation has been updated as necessary. For instance:
  • https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
  • https://github.com/brave/brave-browser/wiki/Proxy-redirected-URLs
  • https://github.com/brave/brave-browser/wiki/Fingerprinting-Protections
  • https://github.com/brave/brave-browser/wiki/Brave%E2%80%99s-Use-of-Referral-Codes
  • https://github.com/brave/brave-browser/wiki/Custom-Headers
  • https://github.com/brave/brave-browser/wiki/Web-compatibility-issues-with-tracking-protection
  • https://github.com/brave/brave-browser/wiki/QA-Guide

Reviewer Checklist:

• New files have MPL-2.0 license header.
• Request a security/privacy review as needed.
• Adequate test coverage exists to prevent regressions
• Verify test plan is specified in PR before merging to source

After-merge Checklist:

• The associated issue milestone is set to the smallest version that the
  changes has landed on.
• All relevant documentation has been updated.

[bridiver]

this method doesn't need to be in the header, you can pass in ephemeral_cookie_stores_ to non-class method

[mrobinson]

This method also uses net_log_ from CookieMonster in order to create the ephemeral monster. Since it's using two instance variables, I think it's simpler for it to be a method. Is there a reason why having fewer methods here is better?

[bridiver]

never add blank lines or comments to patches

[mrobinson]

👍

[bridiver]

I don't believe this is the correct behavior. You should create a URL from the domain even if it's empty and in turn Origin will create an opaque origin for those entries

[mrobinson]

This would mean that all sites that are accessed with IP addresses share the same ephemeral storage. If that the behaviour that we want, I think it makes sense to make that change in a separate PR that also adds tests for that functionality. Since this PR is just about adding support for ephemeral document.cookie, I'm not sure it belongs here.

[bridiver]

no, opaque origins are unique by design, but I think actually it would cause the opposite problem where the same IP in more than one tab would go into different ephemeral storage domains

[bridiver]

what is domain for a file url with this code?

[mrobinson]

The storage domain for a file URL is "file://" and for a IP address it will be "http://127.0.0.1:8000". This means that all file URLs share the same ephemeral storage lifetime and sites accessed via IP address have lifetimes that follow same-origin conventions.

[bridiver]

setting the ephemeral storage domain seems to overly complicate things compared to just setting the top level url and figuring out the storage domain inside the CookieMonster

[mrobinson]

👍

[bridiver]

I don't think this method is needed here https://github.com/brave/brave-core/pull/7154/files#r524857285

[mrobinson]

Where do you suggest this goes in a way that it can be used in the CookieMonster and also in EphemeralTabStorageHelper or do you prefer to have two versions of this code?

[bridiver]

I don't think we need two versions of the code if we just pass in the url and only convert it to ephemeral storage domain when we actually create it. The code would only ever be called from one file

[mrobinson]

This is also called in EphemeralStorageTabHelper to manage DOM storage. We need to make sure the conversion from URL to storage domain is in sync.

[bridiver]

why is this a scoped_refptr?

[mrobinson]

Reference-counting is used to manage the lifetime of all ephemeral storage. This matches how the lifetime of storage is managed for DOM storage via SessionStorageNamespace in upstream Chromium and in our ephemeral storage implementation.

[bridiver]

ok, I see what's happening now with the weakptr map

[mrobinson]

👍

[bridiver]

I think all of these can be eliminated by subclassing CookieMonster and doing a chromium_src override in content::CreateCookieStore

[mrobinson]

I did consider subclassing CookieMonster and maybe that does make sense. The issue is that content::CreateCookieStore is not always used to create the CookieStore. Crucially, it isn't used for navigation cookies and instead the constructor is called directly. See net/url_request/url_request_context_builder.cc and in services/network/network_context.cc (using make_unique). If we simply override the factory, there is a chance that this will require more work rebasing onto new versions of Chromium.

[mrobinson]

I chatted on slack with @bridiver about this and he clarified that by using chromium_src override, we should be able to create a subclass called CookieMonster and then use macros to rename the original CookieMonster. I will give this a shot.

[bridiver]

why does this need to be in content?

[mrobinson]

This class is the public interface that EphemeralStorageTabHelper uses to access private API in content. Is there a better place for this?

[bridiver]

what private api?

[bridiver]

the only private apis I see are accessed outside of this class and we're now adding two new patches for this. It would be better I think to just keep it all included in the browser_context override. Also brave/content should never have been created in the first place and the files that are already in there are misplaced

[bridiver]

if you created a separate file for tld_ephemeral_storage.cc/.h and included it from browser_context.cc you would put it in chromium_src because if brave/content was a valid location to put files, it would be confusing that these files were not part of brave/content/BUILD.gn

[mrobinson]

There are three interfaces into private API here CreateSessionStorageNamespace and GetSessionStorageNamespaceId, which used to be in BrowserContext (still part of content). The final piece is TLDEphemeralStorage which talks to the CookieStore in order to manage ephemeral cookie lifetime. The idea is that eventually CreateSessionStorageNamespace and GetSessionStorageNamespaceId would become part of TLDEphemeralStorage.

[mrobinson]

@bridiver Okay. I've pushed a new commit, which I believe addresses your concerns. PTAL.

[bridiver]

nit: I don't think we need to specify that this is for ephemeral storage here

[bridiver]

looks like you need to add //net

[mrobinson]

Okay. I've pushed a new version of the branch which I believe addresses the review comments above. Thanks!

[iefremov]

I don't quite follow why do we need a weak pointer instead of a raw one?

[mrobinson]

In this case the weak pointer is just a sanity check which catches errors where the TLDEphemeralStorage is dereferenced and deleted.

[iefremov]

which checks do you have in mind?

[mrobinson]

.get() on the weak pointer will return nullptr instead of a garbage value, but I will also add a DCHECK to also produce an assertion failure.

[iefremov]

using WeakPtr in this way sounds unusual to me, but probably fine - could you write a comment describing this?

[mrobinson]

Okay. I'll leave a comment.

[iefremov]

there are many unused headers, probably if we drop them we could move the whole class outside of chromium_src?

[mrobinson]

I will definitely remove the unused headers, but the idea is that eventually the private API exposed in browser_context.h can move into this class and it can eventually handle keeping track of all TLD-associated ephemeral DOM storage as well.

[iefremov]

I agree if this refactoring is a short-term plan. Otherwise it most probably will stuck forever :)

[iefremov]

ChromiumCookieMonster?

[iefremov]

not needed?

[iefremov]

no need for this check, emplace will do the trick on its own

[mrobinson]

Won't this result in creating another instantiation of ChromiumCookieMonster every time we call this method?

[iefremov]

yeah, it seems we should leave it alone

[iefremov]

I'm not sure about future plans for this class, but for now it doesn't look like a "storage", rather something like TLDEphemeralLifetime

[mrobinson]

I haven't changed this yet, because perhaps it doesn't make sense to rename this class and then rename it back in a followup change. I'm happy to keep discussing it though.

[iefremov]

But even with encapsulated DOMStorage - would it still be "storage"? For now we basically only keep namespaces and manage their lifetime in the tab helper, instead of "storing" something

[mrobinson]

Okay. I will change the name.

[iefremov]

Assuming that the patching work is negotiated with @bridiver and most probably cannot be done any better, the whole thing looks good. I'll try to give it test, but for now it fails to build on top of master

[iefremov]

(I also assume that commit messages will be updated before merging)

[mrobinson]

Assuming that the patching work is negotiated with @bridiver and most probably cannot be done any better, the whole thing looks good. I'll try to give it test, but for now it fails to build on top of master

I've pushed a rebased version of this PR and as well a commit addressing review comments.

[mrobinson]

I've pushed a commit which I believe addresses the remaining review comments.

[mrobinson]

It seems that the Windows build has an issue with patches to mojom trait headers. I've taken a different tactic, which is to extend the CookieStore API to add two special methods for ephemeral cookie access. This also has the added benefit of reducing the number of Chromium patches necessary by 2. PTAL.

[iefremov]

pls mention a link to the wiki explainer somewhere in the code (e.g. ephemeral_storage_tab_helper.h and/or ephemeral_storage_lifetime.h)

[bridiver]

what is this change? Doesn't seem related and also should have 4 space indent for continuation of a line

[mrobinson]

There have been changes to the lint script which mean that the CI fails unless you do a full format. This will possibly be resolved when #7402 lands.

[mrobinson]

In the meantime, I can remove these full format changes.

[bridiver]

do not use brave/chromium_src in the include path

[bridiver]

do not use brave/chromium_src in the include path

[bridiver]

don't use brave/chromium_src in the include path

[bridiver]

approved pending the few small fixes

[mrobinson]

There are three failures in CI:

• Linux and Android: This is failing in the lint stage (while successful in build and testing). Lint has passed on other platforms and locally. There seem to be issues with the new lint script running on CI and the advice given to me is that this can be ignored if it's unrelated to my change.
• iOS: It seems that the AdsWrapperTest testPreferencePersistance test is failing. This is a known issue and the current advice is to ignore it. Finally, this change should be unrelated to that test failure.

Given this, I feel fairly confident about merging this change despite the CI failures.