// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
module network.mojom;
import "services/network/public/mojom/cookie_manager.mojom";
import "mojo/public/mojom/base/shared_memory.mojom";
import "services/network/public/mojom/site_for_cookies.mojom";
import "services/network/public/mojom/storage_access_api.mojom";
import "url/mojom/url.mojom";
import "url/mojom/origin.mojom";
const uint64 kInvalidCookieVersion = 0;
const uint64 kInitialCookieVersion = 1;
enum CookieMatchType {
EQUALS,
STARTS_WITH,
};
struct CookieManagerGetOptions {
string name;
CookieMatchType match_type;
};
// Affects whether http-only cookies are accessible, and the rules used for
// SameSite cookie computations.
enum RestrictedCookieManagerRole {
// Used for script access to cookies. Will not be able to get to HttpOnly
// cookies, and will apply SameSite cookies access rules appropriate for
// script cookie access. OK to give to the renderer.
SCRIPT,
// Access to cookies appropriate for network requests --- meant for cases
// where, for some reason, a fetch needs to be performed by some external
// library. Will get HttpOnly cookies, and compute SameSite accessibility
// appropriate for subresource loading (but NOT for navigations).
//
// Should only be used within the browser.
NETWORK
};
// Capability to access the cookie store on behalf of a single origin.
//
// Instances of this interface are restricted to a single origin, and will
// fail operations on cookies that aren't visible within that origin. Untrusted
// processes, like renderer processes, should only receive
// RestrictedCookieManager instances for the origins that they are allowed to
// represent.
//
// Implementations of this interface must assume all inputs are untrusted, and
// must ensure that a potentially compromised caller process is not able to
// access more than the cookies visible to the RestrictedCookieManager's origin.
//
// TODO(pwnall): Make this a strict subset of CookieManager. At the moment (Q2
// 2018) the interface is diverged from CookieManager to allow its primary user
// (the Web Platform's Async Cookies API) to iterate quickly.
interface RestrictedCookieManager {
// Returns some of the cookies that would be sent in a request to |url|.
//
// |url| is an URL capable of receiving HTTP requests. |site_for_cookies| is
// the "site for cookies" values defined in RFC 6265bis, and roughly maps to
// the URL of the top-level frame in Document contexts, and to the script URL
// in service workers. |top_frame_origin| is the actual origin of the top
// level frame or the script url for service workers. |site_for_cookies| is
// used to determine if a cookie is accessed in a third-party context.
// |top_frame_origin| is used to check for content settings. |is_ad_tagged|
// indicates whether this cookie access is being used for advertising.
// |storage_access_api_status| is used to opt-in to using Storage Access API
// permission grants. (Note: it does *not* grant access on its own, but rather
// allows an existing permission grant to be used, if one exists.)
// |options| filters the returned list of cookies. The returned cookies
// include CookieAccessResult information of the cookie.
// Any information contained in the CookieInclusionStatus::WarningReasons
// as part of CookieAccessResult in the included cookies may be passed to an
// untrusted renderer.
GetAllForUrl(
url.mojom.Url url, SiteForCookies site_for_cookies,
url.mojom.Origin top_frame_origin,
StorageAccessApiStatus storage_access_api_status,
CookieManagerGetOptions options,
bool is_ad_tagged,
// Proxied restricted cookie managers need a way to signal to the
// restricted cookie manager that we need to filter out 3PCs.
// This is because we know of at least one case where this can
// be configured _per_ aw contents and the standard way of
// configuring this per cookie settings (from each browser
// context), is not sufficient.
bool force_disable_third_party_cookies) => (
array<CookieWithAccessResult> cookies);
// Sets a canonical cookie. |status| must be an inclusion status as defined
// by the C++ net::CookieInclusionStatus::IsInclude() method. It is expected
// that exclusion reasons have been taken care of on the renderer side.
SetCanonicalCookie(CanonicalCookie cookie,
url.mojom.Url url,
SiteForCookies site_for_cookies,
url.mojom.Origin top_frame_origin,
StorageAccessApiStatus storage_access_api_status,
CookieInclusionStatus status) => (bool success);
// Subscribes to changes in the cookies transmitted in a request to an URL.
//
// The subscription is canceled by closing the pipe.
AddChangeListener(url.mojom.Url url, SiteForCookies site_for_cookies,
url.mojom.Origin top_frame_origin,
StorageAccessApiStatus storage_access_api_status,
pending_remote<CookieChangeListener> listener) => ();
// Sets a cookie. If setting of this cookie is not permitted either by web
// platform rules, or user preferences, the attempt will be silently ignored.
// This does not extend to passing in a |url| that does not match the origin
// RestrictedCookieManager is bound to --- that will be treated as the
// renderer violating security rules.
//
// The implementation may block, e.g. while cookies are still being loaded, or
// to serialize with other operations.
[Sync]
SetCookieFromString(url.mojom.Url url, SiteForCookies site_for_cookies,
url.mojom.Origin top_frame_origin,
StorageAccessApiStatus storage_access_api_status,
string cookie) => ();
// Used to get cookies for the given URL. Cookies that are blocked by user
// preferences will be skipped, down to potentially returning an empty string.
// The implementation may block, e.g. while cookies are still being loaded, or
// to serialize with other operations.
//
// Passing in |url| that does not match the origin RestrictedCookieManager
// is bounded to will be treated as the renderer violating security rules.
//
// This function also sets up shared memory communication with the requester
// when get_version_shared_memory is true. This allows the requester to get
// versioning information without suffering the overhead of a full IPC.
//
// |version_buffer| is a handle to a shared memory region that only
// contains a single 64 bit atomic integer used as a cookie version number.
// The number is read from renderers and incremented monotonically from the
// network process when cookie state changes. It can be null if
// |get_version_shared_memory| was false or if initialization of the region
// failed. |version| contains the cookie version at the time of returning the
// string.
[Sync]
GetCookiesString(url.mojom.Url url,
SiteForCookies site_for_cookies,
url.mojom.Origin top_frame_origin,
StorageAccessApiStatus storage_access_api_status,
bool get_version_shared_memory,
bool is_ad_tagged,
// Proxied restricted cookie managers need a way to signal to
// the restricted cookie manager that we need to filter out
// 3PCs.
// This is because we know of at least one case where this
// can be configured _per_ aw contents and the standard way
// of configuring this per cookie settings (from each
// browser context), is not sufficient.
bool force_disable_third_party_cookies) => (
uint64 version,
mojo_base.mojom.ReadOnlySharedMemoryRegion? version_buffer,
string cookies);
// Used to check if cookies are enabled for the given URL in context of a
// given site.
//
// Passing in |url| that does not match the origin RestrictedCookieManager
// is bounded to will be treated as the renderer violating security rules.
[Sync]
CookiesEnabledFor(
url.mojom.Url url,
SiteForCookies site_for_cookies,
url.mojom.Origin top_frame_origin,
StorageAccessApiStatus storage_access_api_status)
=> (bool cookies_enabled);
};
Codebase Browser
chromium