| // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| // Brought to you by number 42. |
| |
| #ifndef NET_COOKIES_COOKIE_OPTIONS_H_ |
| #define NET_COOKIES_COOKIE_OPTIONS_H_ |
| |
| #include "base/time/time.h" |
| #include "net/base/net_export.h" |
| #include "net/cookies/cookie_constants.h" |
| #include "url/gurl.h" |
| |
| namespace net { |
| |
| class NET_EXPORT CookieOptions { |
| public: |
| |
| // Relation between the cookie and the navigational environment. |
| class NET_EXPORT SameSiteCookieContext { |
| public: |
| // CROSS_SITE to SAME_SITE_STRICT are ordered from least to most trusted |
| // environment. Don't renumber, used in histograms. |
| enum class ContextType { |
| CROSS_SITE = 0, |
| // Same rules as lax but the http method is unsafe. |
| SAME_SITE_LAX_METHOD_UNSAFE = 1, |
| SAME_SITE_LAX = 2, |
| SAME_SITE_STRICT = 3, |
| |
| // Keep last, used for histograms. |
| COUNT |
| }; |
| |
| // Used for when, and in what direction, same-site requests and responses |
| // are made in a cross-scheme context. Currently only used for metrics |
| // gathering and does not affect cookie behavior. |
| enum class CrossSchemeness { |
| NONE, |
| INSECURE_SECURE, // Insecure site-for-cookies, secure request/response |
| SECURE_INSECURE // Secure site-for-cookies, insecure request/response |
| }; |
| |
| SameSiteCookieContext() : SameSiteCookieContext(ContextType::CROSS_SITE) {} |
| explicit SameSiteCookieContext( |
| ContextType same_site_context, |
| CrossSchemeness cross_schemeness = CrossSchemeness::NONE) |
| : context(same_site_context), cross_schemeness(cross_schemeness) {} |
| |
| bool IsDifferentScheme() const { |
| return cross_schemeness != SameSiteCookieContext::CrossSchemeness::NONE; |
| } |
| |
| // Convenience method which returns a SameSiteCookieContext with the most |
| // inclusive context. This allows access to all SameSite cookies. |
| static SameSiteCookieContext MakeInclusive(); |
| |
| // The following functions are for conversion to the previous style of |
| // SameSiteCookieContext for metrics usage. This may be removed when the |
| // metrics using them are also removed. |
| |
| // Used as the "COUNT" entry in a histogram enum. |
| static constexpr int64_t MetricCount() { |
| return (static_cast<int>(ContextType::SAME_SITE_STRICT) | |
| kToInsecureMask) + |
| 1; |
| } |
| int64_t ConvertToMetricsValue() const; |
| |
| ContextType context; |
| |
| CrossSchemeness cross_schemeness; |
| |
| private: |
| // The following variables are for conversion to the previous style of |
| // SameSiteCookieContext for metrics usage. This may be removed when the |
| // metrics using them are also removed. |
| // Mask indicating insecure site-for-cookies and secure request/response. |
| static const int kToSecureMask = 1 << 5; |
| // Mask indicating secure site-for-cookies and insecure request/response. |
| static const int kToInsecureMask = kToSecureMask << 1; |
| }; |
| |
| // Creates a CookieOptions object which: |
| // |
| // * Excludes HttpOnly cookies |
| // * Excludes SameSite cookies |
| // * Updates last-accessed time. |
| // * Does not report excluded cookies in APIs that can do so. |
| // |
| // These settings can be altered by calling: |
| // |
| // * |set_{include,exclude}_httponly()| |
| // * |set_same_site_cookie_context( |
| // CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT)| |
| // * |set_do_not_update_access_time()| |
| CookieOptions(); |
| |
| void set_exclude_httponly() { exclude_httponly_ = true; } |
| void set_include_httponly() { exclude_httponly_ = false; } |
| bool exclude_httponly() const { return exclude_httponly_; } |
| |
| // How trusted is the current browser environment when it comes to accessing |
| // SameSite cookies. Default is not trusted, e.g. CROSS_SITE. |
| void set_same_site_cookie_context(SameSiteCookieContext context) { |
| same_site_cookie_context_ = context; |
| } |
| |
| // Strips off the cross-scheme bits to only return the same-site context. |
| SameSiteCookieContext same_site_cookie_context() const { |
| return same_site_cookie_context_; |
| } |
| |
| void set_update_access_time() { update_access_time_ = true; } |
| void set_do_not_update_access_time() { update_access_time_ = false; } |
| bool update_access_time() const { return update_access_time_; } |
| |
| void set_return_excluded_cookies() { return_excluded_cookies_ = true; } |
| void unset_return_excluded_cookies() { return_excluded_cookies_ = false; } |
| bool return_excluded_cookies() const { return return_excluded_cookies_; } |
| |
| // Convenience method for where you need a CookieOptions that will |
| // work for getting/setting all types of cookies, including HttpOnly and |
| // SameSite cookies. Also specifies not to update the access time, because |
| // usually this is done to get all the cookies to check that they are correct, |
| // including the creation time. This basically makes a CookieOptions that is |
| // the opposite of the default CookieOptions. |
| static CookieOptions MakeAllInclusive(); |
| |
| private: |
| bool exclude_httponly_; |
| SameSiteCookieContext same_site_cookie_context_; |
| bool update_access_time_; |
| bool return_excluded_cookies_; |
| }; |
| |
| NET_EXPORT bool operator==(const CookieOptions::SameSiteCookieContext& lhs, |
| const CookieOptions::SameSiteCookieContext& rhs); |
| |
| NET_EXPORT bool operator!=(const CookieOptions::SameSiteCookieContext& lhs, |
| const CookieOptions::SameSiteCookieContext& rhs); |
| |
| } // namespace net |
| |
| #endif // NET_COOKIES_COOKIE_OPTIONS_H_ |