Remove LegacySameSiteCookieBehaviorEnabled

Remove the policy handling code and pref.
Update the domain list policy to no longer reference the global policy.

Bug: 1214078
Change-Id: I002ce91b16d36e0d74e22faff845dcd3ae76a932
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2923803
Commit-Queue: Steven Bingler <bingler@chromium.org>
Reviewed-by: Owen Min <zmin@chromium.org>
Reviewed-by: Nico Weber <thakis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#890782}
diff --git a/chrome/browser/net/samesite_cookies_policy_browsertest.cc b/chrome/browser/net/samesite_cookies_policy_browsertest.cc
index 318617001..fe10aea8 100644
--- a/chrome/browser/net/samesite_cookies_policy_browsertest.cc
+++ b/chrome/browser/net/samesite_cookies_policy_browsertest.cc
@@ -124,150 +124,6 @@
 };
 
 IN_PROC_BROWSER_TEST_P(SameSiteCookiesPolicyTest,
-                       DefaultLegacyCookieAccessSettingIsAllow) {
-  PolicyMap policies;
-  // Set a policy to allow Legacy access for all cookies.
-  SetPolicy(&policies, key::kLegacySameSiteCookieBehaviorEnabled,
-            base::Value(1));
-  UpdateProviderPolicy(policies);
-
-  GURL url(kURL);
-  Profile* profile = browser()->profile();
-
-  // No cookies at startup
-  ASSERT_TRUE(content::GetCookies(profile, url).empty());
-
-  // Set a cookie from a same-site context. The cookie does not specify
-  // SameSite, so it may default to Lax if the SameSite features are enabled.
-  // Since the context used is same-site, it should always work.
-  EXPECT_TRUE(content::SetCookie(profile, url, "samesite-unspecified=1",
-                                 net::CookieOptions::SameSiteCookieContext(
-                                     net::CookieOptions::SameSiteCookieContext::
-                                         ContextType::SAME_SITE_LAX)));
-  EXPECT_EQ("samesite-unspecified=1", content::GetCookies(profile, url));
-
-  // Overwrite the cookie from a cross-site context. Because we have a policy
-  // that allows Legacy access for all domains, this will work even if the
-  // SameSite features are enabled. (It works regardless, if they are disabled.)
-  EXPECT_TRUE(content::SetCookie(
-      profile, url, "samesite-unspecified=2",
-      net::CookieOptions::SameSiteCookieContext(
-          net::CookieOptions::SameSiteCookieContext::ContextType::CROSS_SITE)));
-  // Cookie has the new value because we were able to successfully overwrite it.
-  EXPECT_EQ("samesite-unspecified=2", content::GetCookies(profile, url));
-  // Fetching the cookies from a cross-site context also works because of the
-  // policy.
-  EXPECT_EQ("samesite-unspecified=2",
-            content::GetCookies(profile, url,
-                                net::CookieOptions::SameSiteCookieContext(
-                                    net::CookieOptions::SameSiteCookieContext::
-                                        ContextType::CROSS_SITE)));
-
-  // When Schemeful Same-Site is enabled a context downgrade to an insufficient
-  // context should still be allowed with legacy access. This'll always work if
-  // Schemeful Same-Site is disabled because the schemeless context is Lax
-  // which is sufficient.
-  EXPECT_TRUE(content::SetCookie(
-      profile, url, "samesite-lax=1; SameSite=Lax",
-      net::CookieOptions::SameSiteCookieContext(
-          net::CookieOptions::SameSiteCookieContext::ContextType::SAME_SITE_LAX,
-          net::CookieOptions::SameSiteCookieContext::ContextType::CROSS_SITE)));
-  // Similarly when we try to get the cookie.
-  EXPECT_THAT(
-      content::GetCookies(profile, url,
-                          net::CookieOptions::SameSiteCookieContext(
-                              net::CookieOptions::SameSiteCookieContext::
-                                  ContextType::SAME_SITE_LAX,
-                              net::CookieOptions::SameSiteCookieContext::
-                                  ContextType::CROSS_SITE)),
-      testing::HasSubstr("samesite-lax=1"));
-}
-
-IN_PROC_BROWSER_TEST_P(SameSiteCookiesPolicyTest,
-                       DefaultLegacyCookieAccessSettingIsBlock) {
-  PolicyMap policies;
-  // Set a policy to block Legacy access for all cookies.
-  SetPolicy(&policies, key::kLegacySameSiteCookieBehaviorEnabled,
-            base::Value(2));
-  UpdateProviderPolicy(policies);
-
-  GURL url(kURL);
-  Profile* profile = browser()->profile();
-
-  // No cookies at startup
-  ASSERT_TRUE(content::GetCookies(profile, url).empty());
-
-  // Set a cookie from a same-site context. The cookie does not specify
-  // SameSite, so it may default to Lax if the SameSite features are enabled.
-  // Since the context used is same-site, it should always work.
-  EXPECT_TRUE(content::SetCookie(profile, url, "samesite-unspecified=1",
-                                 net::CookieOptions::SameSiteCookieContext(
-                                     net::CookieOptions::SameSiteCookieContext::
-                                         ContextType::SAME_SITE_LAX)));
-  EXPECT_EQ("samesite-unspecified=1", content::GetCookies(profile, url));
-
-  // Overwrite the cookie from a cross-site context. Because we have a policy
-  // that blocks Legacy access for all domains, this will not work even if the
-  // SameSite features are disabled. (It doesn't work regardless, if they are
-  // enabled.)
-  EXPECT_FALSE(content::SetCookie(
-      profile, url, "samesite-unspecified=2",
-      net::CookieOptions::SameSiteCookieContext(
-          net::CookieOptions::SameSiteCookieContext::ContextType::CROSS_SITE)));
-  // Cookie still has the previous value because re-setting it failed.
-  EXPECT_EQ("samesite-unspecified=1", content::GetCookies(profile, url));
-  // Fetching the unspecified-samesite cookie from a cross-site context does not
-  // work because of the policy.
-  EXPECT_EQ("",
-            content::GetCookies(profile, url,
-                                net::CookieOptions::SameSiteCookieContext(
-                                    net::CookieOptions::SameSiteCookieContext::
-                                        ContextType::CROSS_SITE)));
-
-  // When Schemeful Same-Site is enabled a context downgrade to an insufficient
-  // context should always be blocked. If Schemeful Same-Site is disabled then
-  // this shouldn't be blocked.
-  // Similarly when we try to get the cookie.
-  if (AreSameSiteFeaturesEnabled()) {
-    EXPECT_FALSE(
-        content::SetCookie(profile, url, "samesite-lax=1; SameSite=Lax",
-                           net::CookieOptions::SameSiteCookieContext(
-                               net::CookieOptions::SameSiteCookieContext::
-                                   ContextType::SAME_SITE_LAX,
-                               net::CookieOptions::SameSiteCookieContext::
-                                   ContextType::CROSS_SITE)));
-    // We should be able to get the cookie which was previously added.
-    EXPECT_EQ("samesite-unspecified=1", content::GetCookies(profile, url));
-    // But no cookies should be returned for a downgrade to an insufficient
-    // context, since SameSite-by-default is active which requires a minimum of
-    // a Lax context.
-    EXPECT_EQ(
-        "", content::GetCookies(profile, url,
-                                net::CookieOptions::SameSiteCookieContext(
-                                    net::CookieOptions::SameSiteCookieContext::
-                                        ContextType::SAME_SITE_LAX,
-                                    net::CookieOptions::SameSiteCookieContext::
-                                        ContextType::CROSS_SITE)));
-  } else {
-    EXPECT_TRUE(
-        content::SetCookie(profile, url, "samesite-lax=1; SameSite=Lax",
-                           net::CookieOptions::SameSiteCookieContext(
-                               net::CookieOptions::SameSiteCookieContext::
-                                   ContextType::SAME_SITE_LAX,
-                               net::CookieOptions::SameSiteCookieContext::
-                                   ContextType::CROSS_SITE)));
-    EXPECT_THAT(
-        content::GetCookies(profile, url,
-                            net::CookieOptions::SameSiteCookieContext(
-                                net::CookieOptions::SameSiteCookieContext::
-                                    ContextType::SAME_SITE_LAX,
-                                net::CookieOptions::SameSiteCookieContext::
-                                    ContextType::CROSS_SITE)),
-        testing::HasSubstr("samesite-lax=1"));
-  }
-}
-
-IN_PROC_BROWSER_TEST_P(SameSiteCookiesPolicyTest,
                        AllowLegacyCookieAccessForDomain) {
   GURL legacy_allowed_domain_url(kURL);
   GURL other_domain_url("http://other-domain.example");
@@ -417,10 +273,11 @@
 IN_PROC_BROWSER_TEST_F(SchemefulSameSiteCookiesPolicyIntegrationTest,
                        AllowCrossSchemeFrameLegacyCookies) {
   PolicyMap policies;
-  // Set a policy to force legacy access for all cookies.
-  PolicyTest::SetPolicy(&policies,
-                        policy::key::kLegacySameSiteCookieBehaviorEnabled,
-                        base::Value(1));
+  // Set a policy to force legacy access for our cookies.
+  base::Value policy_value(base::Value::Type::LIST);
+  policy_value.Append(GURL("http://a.test").host());
+  SetPolicy(&policies, key::kLegacySameSiteCookieBehaviorEnabledForDomainList,
+            std::move(policy_value));
   PolicyTest::UpdateProviderPolicy(policies);
 
   // Set a cookie that will only be sent with legacy behavior.
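Review bot: The four added lines that build the domain-list value are repeated verbatim in the AllowStrictOnCrossSchemeNavigation hunk, and each parses a hard-coded URL with `GURL("http://a.test").host()` only to obtain the string `a.test`. A small fixture helper, or simply `policy_value.Append("a.test");`, would keep the two tests in step. The new call also uses unqualified `SetPolicy` and `key::` directly above the still-qualified `PolicyTest::UpdateProviderPolicy`, so one form should be chosen for both. Because the policy now grants legacy access to a single host instead of all cookies, a comment such as `// Legacy access is granted only to a.test; other hosts keep default SameSite enforcement.` would record that narrower scope. The test body continues outside the hunk.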
@@ -445,12 +302,7 @@
 
 IN_PROC_BROWSER_TEST_F(SchemefulSameSiteCookiesPolicyIntegrationTest,
                        DisallowCrossSchemeFrameNonLegacyCookies) {
-  PolicyMap policies;
-  // Set a policy to force non-legacy access for all cookies.
-  PolicyTest::SetPolicy(&policies,
-                        policy::key::kLegacySameSiteCookieBehaviorEnabled,
-                        base::Value(2));
-  PolicyTest::UpdateProviderPolicy(policies);
+  // Don't set a policy, this results in the cookies having non-legacy behavior.
 
   // Set a cookie that will only be sent with legacy behavior.
   content::SetCookie(browser()->profile(), GetURL("a.test", false),
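Review bot: With the explicit `base::Value(2)` policy removed, this test now passes only if the fixture's defaults already give non-legacy, schemeful SameSite behavior, and the added comment does not say where that default comes from. DisallowStrictOnCrossSchemeNavigation gets the same edit and has the same dependency. The fixture setup is outside the hunk, so this is inferred, but a later change to the default feature state could silently turn both into tests of something else. I would expand the comment to name the dependency, e.g. `// No policy is set: cookies get the default (non-legacy) behavior, which relies on the fixture enabling Schemeful Same-Site.`, which also fixes the comma splice in the current wording. The test body continues outside the hunk.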
@@ -475,10 +327,11 @@
 IN_PROC_BROWSER_TEST_F(SchemefulSameSiteCookiesPolicyIntegrationTest,
                        AllowStrictOnCrossSchemeNavigation) {
   PolicyMap policies;
-  // Set a policy to force legacy access for all cookies.
-  PolicyTest::SetPolicy(&policies,
-                        policy::key::kLegacySameSiteCookieBehaviorEnabled,
-                        base::Value(1));
+  // Set a policy to force legacy access for our cookies.
+  base::Value policy_value(base::Value::Type::LIST);
+  policy_value.Append(GURL("http://a.test").host());
+  SetPolicy(&policies, key::kLegacySameSiteCookieBehaviorEnabledForDomainList,
+            std::move(policy_value));
   PolicyTest::UpdateProviderPolicy(policies);
 
   // Set a cookie that will only be sent with legacy behavior.
@@ -496,12 +349,7 @@
 
 IN_PROC_BROWSER_TEST_F(SchemefulSameSiteCookiesPolicyIntegrationTest,
                        DisallowStrictOnCrossSchemeNavigation) {
-  PolicyMap policies;
-  // Set a policy to force non-legacy access for all cookies.
-  PolicyTest::SetPolicy(&policies,
-                        policy::key::kLegacySameSiteCookieBehaviorEnabled,
-                        base::Value(2));
-  PolicyTest::UpdateProviderPolicy(policies);
+  // Don't set a policy, this results in the cookies having non-legacy behavior.
 
   // Set a cookie that will only be sent with legacy behavior.
   content::SetCookie(browser()->profile(), GetURL("a.test", false),
diff --git a/chrome/browser/policy/configuration_policy_handler_list_factory.cc b/chrome/browser/policy/configuration_policy_handler_list_factory.cc
index 90fbf6e2..84ed7cf 100644
--- a/chrome/browser/policy/configuration_policy_handler_list_factory.cc
+++ b/chrome/browser/policy/configuration_policy_handler_list_factory.cc
@@ -260,9 +260,6 @@
   { key::kDefaultImagesSetting,
     prefs::kManagedDefaultImagesSetting,
     base::Value::Type::INTEGER },
-  { key::kLegacySameSiteCookieBehaviorEnabled,
-    prefs::kManagedDefaultLegacyCookieAccessSetting,
-    base::Value::Type::INTEGER },
   { key::kDefaultPopupsSetting,
     prefs::kManagedDefaultPopupsSetting,
     base::Value::Type::INTEGER },
diff --git a/components/content_settings/core/browser/content_settings_policy_provider.cc b/components/content_settings/core/browser/content_settings_policy_provider.cc
index 9113d20..f807733 100644
--- a/components/content_settings/core/browser/content_settings_policy_provider.cc
+++ b/components/content_settings/core/browser/content_settings_policy_provider.cc
@@ -139,7 +139,6 @@
     prefs::kManagedDefaultInsecureContentSetting,
     prefs::kManagedDefaultInsecurePrivateNetworkSetting,
     prefs::kManagedDefaultJavaScriptSetting,
-    prefs::kManagedDefaultLegacyCookieAccessSetting,
     prefs::kManagedDefaultMediaStreamSetting,
     prefs::kManagedDefaultNotificationsSetting,
     prefs::kManagedDefaultPopupsSetting,
@@ -189,8 +188,6 @@
          prefs::kManagedDefaultFileSystemReadGuardSetting},
         {ContentSettingsType::FILE_SYSTEM_WRITE_GUARD,
          prefs::kManagedDefaultFileSystemWriteGuardSetting},
-        {ContentSettingsType::LEGACY_COOKIE_ACCESS,
-         prefs::kManagedDefaultLegacyCookieAccessSetting},
         {ContentSettingsType::SERIAL_GUARD,
          prefs::kManagedDefaultSerialGuardSetting},
         {ContentSettingsType::SENSORS, prefs::kManagedDefaultSensorsSetting},
diff --git a/components/content_settings/core/common/pref_names.cc b/components/content_settings/core/common/pref_names.cc
index 19561c3..bd5d9d7 100644
--- a/components/content_settings/core/common/pref_names.cc
+++ b/components/content_settings/core/common/pref_names.cc
@@ -51,8 +51,6 @@
     "profile.managed_default_content_settings.file_system_read_guard";
 const char kManagedDefaultFileSystemWriteGuardSetting[] =
     "profile.managed_default_content_settings.file_system_write_guard";
-const char kManagedDefaultLegacyCookieAccessSetting[] =
-    "profile.managed_default_content_settings.legacy_cookie_access";
 const char kManagedDefaultSerialGuardSetting[] =
     "profile.managed_default_content_settings.serial_guard";
 const char kManagedDefaultInsecurePrivateNetworkSetting[] =
diff --git a/components/content_settings/core/common/pref_names.h b/components/content_settings/core/common/pref_names.h
index 4638673..4666870 100644
--- a/components/content_settings/core/common/pref_names.h
+++ b/components/content_settings/core/common/pref_names.h
@@ -33,7 +33,6 @@
 extern const char kManagedDefaultFileHandlingGuardSetting[];
 extern const char kManagedDefaultFileSystemReadGuardSetting[];
 extern const char kManagedDefaultFileSystemWriteGuardSetting[];
-extern const char kManagedDefaultLegacyCookieAccessSetting[];
 extern const char kManagedDefaultSerialGuardSetting[];
 extern const char kManagedDefaultInsecurePrivateNetworkSetting[];
 
diff --git a/components/policy/resources/policy_templates.json b/components/policy/resources/policy_templates.json
index 38091ca..ddcf5a58 100644
--- a/components/policy/resources/policy_templates.json
+++ b/components/policy/resources/policy_templates.json
@@ -7160,7 +7160,7 @@
       'tags': [],
       'desc': '''Cookies set for domains matching these patterns will revert to legacy <ph name="ATTRIBUTE_SAMESITE_NAME">SameSite</ph> behavior. Reverting to legacy behavior causes cookies that don't specify a <ph name="ATTRIBUTE_SAMESITE_NAME">SameSite</ph> attribute to be treated as if they were "<ph name="ATTRIBUTE_VALUE_SAMESITE_NONE">SameSite=None</ph>", removes the requirement for "<ph name="ATTRIBUTE_VALUE_SAMESITE_NONE">SameSite=None</ph>" cookies to carry the "<ph name="ATTRIBUTE_SECURE_NAME">Secure</ph>" attribute, and skips the scheme comparison when evaluating if two sites are same-site. See https://www.chromium.org/administrators/policy-list-3/cookie-legacy-samesite-policies for full description.
 
-          For cookies on domains not covered by the patterns specified here, or for all cookies if this policy is not set, the global default value will be used either from the <ph name="LEGACY_SAMESITE_COOKIE_BEHAVIOR_ENABLED_POLICY_NAME">LegacySameSiteCookieBehaviorEnabled</ph> policy, if it is set, or the user's personal configuration otherwise.
+          For cookies on domains not covered by the patterns specified here, or for all cookies if this policy is not set, the global default value will be the user's personal configuration.
 
           Note that patterns you list here are treated as domains, not URLs, so you should not specify a scheme or port.''',
     },
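Review bot: The replacement sentence keeps the phrase "the global default value" from the old text, although it no longer names a global policy, which reads oddly in admin-facing documentation. Wording such as `For cookies on domains not covered by the patterns specified here, or for all cookies if this policy is not set, the user's personal configuration is used.` says the same thing directly. The commit message indicates the global policy is being removed, so it may also help administrators to state that this list is now the only policy that enables legacy behavior. That last point is inferred from the commit message, since the other policy's entry is not part of this hunk.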