Google Git
Sign in
chromium / chromium / src.git / refs/tags/84.0.4117.0 / . / net / cookies / cookie_options.h
blob: 4fb1248b99d9fc7c7daf72729c1a629d50d95c4c [file] [log] [blame]
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Brought to you by number 42.
#ifndef NET_COOKIES_COOKIE_OPTIONS_H_
#define NET_COOKIES_COOKIE_OPTIONS_H_
#include "base/time/time.h"
#include "net/base/net_export.h"
#include "net/cookies/cookie_constants.h"
#include "url/gurl.h"
namespace net {
class NET_EXPORT CookieOptions {
public:
// Relation between the cookie and the navigational environment.
class NET_EXPORT SameSiteCookieContext {
public:
// CROSS_SITE to SAME_SITE_STRICT are ordered from least to most trusted
// environment. Don't renumber, used in histograms.
enum class ContextType {
CROSS_SITE = 0,
// Same rules as lax but the http method is unsafe.
SAME_SITE_LAX_METHOD_UNSAFE = 1,
SAME_SITE_LAX = 2,
SAME_SITE_STRICT = 3,
// Keep last, used for histograms.
COUNT
};
// Used for when, and in what direction, same-site requests and responses
// are made in a cross-scheme context. Currently only used for metrics
// gathering and does not affect cookie behavior.
enum class CrossSchemeness {
NONE,
INSECURE_SECURE, // Insecure site-for-cookies, secure request/response
SECURE_INSECURE // Secure site-for-cookies, insecure request/response
};
SameSiteCookieContext() : SameSiteCookieContext(ContextType::CROSS_SITE) {}
explicit SameSiteCookieContext(
ContextType same_site_context,
CrossSchemeness cross_schemeness = CrossSchemeness::NONE)
: context_(same_site_context), cross_schemeness_(cross_schemeness) {}
// Convenience method which returns a SameSiteCookieContext with the most
// inclusive context. This allows access to all SameSite cookies.
static SameSiteCookieContext MakeInclusive();
// Returns the context for determining SameSite cookie inclusion.
// TODO(https://crbug.com/1030938): When schemeful_context is
// implemented choose to return it based on feature::kSchemefulSameSite.
ContextType GetContextForCookieInclusion() const;
// The following functions are for conversion to the previous style of
// SameSiteCookieContext for metrics usage. This may be removed when the
// metrics using them are also removed.
// Used as the "COUNT" entry in a histogram enum.
static constexpr int64_t MetricCount() {
return (static_cast<int>(ContextType::SAME_SITE_STRICT) |
kToInsecureMask) +
1;
}
int64_t ConvertToMetricsValue() const;
// If you're just trying to determine if a cookie is accessible you likely
// want to use GetContextForCookieInclusion() which will return the correct
// context regardless the status of same-site features.
ContextType context() const { return context_; }
void set_context(ContextType context) { context_ = context; }
CrossSchemeness cross_schemeness() const { return cross_schemeness_; }
void set_cross_schemeness(CrossSchemeness cross_schemeness) {
cross_schemeness_ = cross_schemeness;
}
NET_EXPORT friend bool operator==(
const CookieOptions::SameSiteCookieContext& lhs,
const CookieOptions::SameSiteCookieContext& rhs);
NET_EXPORT friend bool operator!=(
const CookieOptions::SameSiteCookieContext& lhs,
const CookieOptions::SameSiteCookieContext& rhs);
private:
// The following variables are for conversion to the previous style of
// SameSiteCookieContext for metrics usage. This may be removed when the
// metrics using them are also removed.
// Mask indicating insecure site-for-cookies and secure request/response.
static const int kToSecureMask = 1 << 5;
// Mask indicating secure site-for-cookies and insecure request/response.
static const int kToInsecureMask = kToSecureMask << 1;
ContextType context_;
CrossSchemeness cross_schemeness_;
};
// Creates a CookieOptions object which:
//
// * Excludes HttpOnly cookies
// * Excludes SameSite cookies
// * Updates last-accessed time.
// * Does not report excluded cookies in APIs that can do so.
//
// These settings can be altered by calling:
//
// * |set_{include,exclude}_httponly()|
// * |set_same_site_cookie_context(
// CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT)|
// * |set_do_not_update_access_time()|
CookieOptions();
void set_exclude_httponly() { exclude_httponly_ = true; }
void set_include_httponly() { exclude_httponly_ = false; }
bool exclude_httponly() const { return exclude_httponly_; }
// How trusted is the current browser environment when it comes to accessing
// SameSite cookies. Default is not trusted, e.g. CROSS_SITE.
void set_same_site_cookie_context(SameSiteCookieContext context) {
same_site_cookie_context_ = context;
}
// Strips off the cross-scheme bits to only return the same-site context.
SameSiteCookieContext same_site_cookie_context() const {
return same_site_cookie_context_;
}
void set_update_access_time() { update_access_time_ = true; }
void set_do_not_update_access_time() { update_access_time_ = false; }
bool update_access_time() const { return update_access_time_; }
void set_return_excluded_cookies() { return_excluded_cookies_ = true; }
void unset_return_excluded_cookies() { return_excluded_cookies_ = false; }
bool return_excluded_cookies() const { return return_excluded_cookies_; }
// Convenience method for where you need a CookieOptions that will
// work for getting/setting all types of cookies, including HttpOnly and
// SameSite cookies. Also specifies not to update the access time, because
// usually this is done to get all the cookies to check that they are correct,
// including the creation time. This basically makes a CookieOptions that is
// the opposite of the default CookieOptions.
static CookieOptions MakeAllInclusive();
private:
bool exclude_httponly_;
SameSiteCookieContext same_site_cookie_context_;
bool update_access_time_;
bool return_excluded_cookies_;
};
} // namespace net
#endif // NET_COOKIES_COOKIE_OPTIONS_H_