fix(chromium): disable same site by default and improved controls (#2097)

pavelfeldman · web-flow · commit 710c156d4815 · 2020-05-04T13:43:44.000-07:00
diff --git a/src/chromium/crBrowser.ts b/src/chromium/crBrowser.ts
@@ -343,13 +343,6 @@ export class CRBrowserContext extends BrowserContextBase {
   }
 
   async addCookies(cookies: network.SetNetworkCookieParam[]) {
-    cookies = cookies.map(c => {
-      const copy = { ...c };
-      // Working around setter issue in Chrome. Cookies are now None by default.
-      if (copy.sameSite === 'None')
-        delete copy.sameSite;
-      return copy;
-    });
     await this._browser._session.send('Storage.setCookies', { cookies: network.rewriteCookies(cookies), browserContextId: this._browserContextId || undefined });
   }
 
diff --git a/src/server/chromium.ts b/src/server/chromium.ts
@@ -304,7 +304,7 @@ const DEFAULT_ARGS = [
   '--disable-dev-shm-usage',
   '--disable-extensions',
   // BlinkGenPropertyTrees disabled due to crbug.com/937609
-  '--disable-features=TranslateUI,BlinkGenPropertyTrees',
+  '--disable-features=TranslateUI,BlinkGenPropertyTrees,ImprovedCookieControls,SameSiteByDefaultCookies',
   '--disable-hang-monitor',
   '--disable-ipc-flooding-protection',
   '--disable-popup-blocking',
diff --git a/test/headful.spec.js b/test/headful.spec.js
@@ -79,4 +79,39 @@ describe('Headful', function() {
     await page.click('button');
     await browser.close();
   });
+  it('should(not) block third party cookies', async({browserType, defaultBrowserOptions, server}) => {
+    const browser = await browserType.launch({...defaultBrowserOptions, headless: false });
+    const page = await browser.newPage();
+    await page.goto(server.EMPTY_PAGE);
+    await page.evaluate(src => {
+      let fulfill;
+      const promise = new Promise(x => fulfill = x);
+      const iframe = document.createElement('iframe');
+      document.body.appendChild(iframe);
+      iframe.onload = fulfill;
+      iframe.src = src;
+      return promise;
+    }, server.CROSS_PROCESS_PREFIX + '/grid.html');
+    await page.frames()[1].evaluate(`document.cookie = 'username=John Doe'`);
+    await page.waitForTimeout(2000);
+    const allowsThirdParty = CHROMIUM || FFOX;
+    const cookies = await page.context().cookies(server.CROSS_PROCESS_PREFIX + '/grid.html');
+    if (allowsThirdParty) {
+      expect(cookies).toEqual([
+        {
+          "domain": "127.0.0.1",
+          "expires": -1,
+          "httpOnly": false,
+          "name": "username",
+          "path": "/",
+          "sameSite": "None",
+          "secure": false,
+          "value": "John Doe"
+        }
+      ]);
+    } else {
+      expect(cookies).toEqual([]);
+    }
+    await browser.close();
+  });
 });

Original file line number	Diff line number	Diff line change
`@@ -343,13 +343,6 @@ export class CRBrowserContext extends BrowserContextBase {`
`343`	`343`	`}`
`344`	`344`
`345`	`345`	`async addCookies(cookies: network.SetNetworkCookieParam[]) {`
`346`		`- cookies = cookies.map(c => {`
`347`		`- const copy = { ...c };`
`348`		`- // Working around setter issue in Chrome. Cookies are now None by default.`
`349`		`- if (copy.sameSite === 'None')`
`350`		`- delete copy.sameSite;`
`351`		`- return copy;`
`352`		`- });`
`353`	`346`	`await this._browser._session.send('Storage.setCookies', { cookies: network.rewriteCookies(cookies), browserContextId: this._browserContextId \|\| undefined });`
`354`	`347`	`}`
`355`	`348`