build: {do-not-merge} walk through the pieces

2026-02-19 03:14:51 -05:00 · 2023-12-06 16:21:43 -08:00
7 changed files with 145 additions and 1 deletions
--- a/build/fuses/fuses.json5
+++ b/build/fuses/fuses.json5
@@ -9,5 +9,6 @@
  "embedded_asar_integrity_validation": "0",
  "only_load_app_from_asar": "0",
  "load_browser_process_specific_v8_snapshot": "0",
-  "grant_file_protocol_extra_privileges": "1"
+  "grant_file_protocol_extra_privileges": "1",
+  "same_site_storage_api": "0"
 }
--- a/docs/tutorial/fuses.md
+++ b/docs/tutorial/fuses.md
@@ -74,6 +74,23 @@ The extra privileges granted to the `file://` protocol by this fuse are incomple
 * `file://` protocol pages can use service workers
 * `file://` protocol pages have universal access granted to child frames also running on `file://` protocols regardless of sandbox settings

+### `sameSiteStorageAPI`
+
+**Default:** Disabled
+**@electron/fuses:** `FuseV1Options.EnableSameSiteStorageAPI`
+
+This {better-name} fuse changes how {top-level site, requested origin} pair permissions are granted.
+
+When this fuse is enabled, we request permission via the permissions API. This would allow implementation-defined acceptance or rejection steps, inherited from Chrome; if any are triggered, reject the requestStorageAccessFor call or skip to the permission-saving step. If acceptance is returned, save a permission for the pair {top-level site, requested origin}. Note that the permission would be separate from the permission granted by requestStorageAccess.
+
+See more information here: https://github.com/privacycg/requestStorageAccessFor?tab=readme-ov-file#proposed-draft-spec-addition
+
+At request time, if the request is cross-site and the appropriate permission for {top-level site, requested origin} exists, attach cookies only if all of the below checks are met:
+1. The request is made by the top-level frame and is for a subresource on the requested origin (i.e., not a navigation), and the request is CORS-enabled. In other words, a plain <img> or <script> without the appropriate crossorigin attribute would not have cross-site SameSite=None cookies attached, regardless of whether access had been granted. Similarly, a fetch or XHR request would omit cross-site SameSite=None cookies unless CORS was enabled. This is recommended in a recent security analysis.
+2. The cookies to be included must be marked SameSite=None. In other words, the cookies must have been explicitly opted in by the requested domain. Cookies with any other SameSite option are ignored and not sent, regardless of whether a grant exists.
+  - This specific behavior is what we want to change
+3. NOTE: requests from <iframe> elements would need to invoke and be granted requestStorageAccess for SameSite=None cookies to be sent. This ensures the per-frame semantics of requestStorageAccess are respected.
+
 ## How do I flip the fuses?

 ### The easy way
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -127,3 +127,5 @@ fix_activate_background_material_on_windows.patch
 feat_allow_passing_of_objecttemplate_to_objecttemplatebuilder.patch
 chore_remove_check_is_test_on_script_injection_tracker.patch
 fix_restore_original_resize_performance_on_macos.patch
+fix_font_flooding_in_dev_tools.patch
+add-rsafor-lax-support.patch
--- a/patches/chromium/add-rsafor-lax-support.patch
+++ b/patches/chromium/add-rsafor-lax-support.patch
@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Keeley Hammond <vertedinde@electronjs.org>
+Date: Wed, 6 Dec 2023 16:20:01 -0800
+Subject: chore: patch in rsafor
+
+This sucks but lets try it
+
+diff --git a/content/browser/cookie_store/cookie_change_subscription.cc b/content/browser/cookie_store/cookie_change_subscription.cc
+index dbe3c5b8a6c83c5e8d26b109f24e77b4ab2e604e..aaa6301de776e4bb6bc9608f8b4596acefe0f77d 100644
+--- a/content/browser/cookie_store/cookie_change_subscription.cc
+++ b/content/browser/cookie_store/cookie_change_subscription.cc
+@@ -175,11 +175,21 @@ bool CookieChangeSubscription::ShouldObserveChangeTo(
+       net::CookieOptions::SameSiteCookieContext::MakeInclusive());
+ 
+   return cookie
+-      .IncludeForRequestURL(url_, net_options,
+-                            net::CookieAccessParams{
+-                                access_semantics,
+-                                network::IsUrlPotentiallyTrustworthy(url_),
+-                            })
+      // .IncludeForRequestURL(url_, net_options,
+      //                       net::CookieAccessParams{
+      //                           access_semantics,
+      //                           network::IsUrlPotentiallyTrustworthy(url_),
+      //                       })
+      .IncludeForRequestURL(
+          url_, net_options,
+          net::CookieAccessParams{
+              access_semantics,
+              network::IsUrlPotentiallyTrustworthy(url_),
+              net::cookie_util::GetSamePartyStatus(
+                  cookie, net_options,
+                  base::FeatureList::IsEnabled(
+                      net::features::kSamePartyAttributeEnabled)),
+          })
+       .status.IsInclude();
+ }
+ 
--- a/shell/browser/api/electron_api_app.cc
+++ b/shell/browser/api/electron_api_app.cc
@@ -1478,6 +1478,24 @@ void App::SetUserAgentFallback(const std::string& user_agent) {
  ElectronBrowserClient::Get()->SetUserAgent(user_agent);
 }

+// TODO: This is a rough mockup/psuedocode for allowing same-site=lax cookies
+// from 1) related web sets and 2) from an app that has third-party cookies
+// blocked to use the requestStoreAccessFor API to grant the same permissions
+// for both (more than 2?) of the provided sites of the same origin. If it
+// merges with this comment in place, we're having a bad time.
+void App::RequestStorageAccessFor() {
+  if (electron::fuses::IsSameSiteOriginCookiesEnabled()) {
+    // TODO: How tf are these sets formatted
+    void requestStorageAccessFor(USVString requestedOrigin) {
+      // void requestStorageAccessFor(std::string raw_sets) {
+      // apply this logic if the fuse is enabled and third party cookies are
+    }
+  } else {
+    CHECK(false) << "request_storage_access_for fuse is disabled";
+    return 1;
+  }
+}
+
 #if BUILDFLAG(IS_WIN)
 bool App::IsRunningUnderARM64Translation() const {
  return base::win::OSInfo::IsRunningEmulatedOnArm64();
--- a/shell/browser/api/electron_api_storage_access.cc
+++ b/shell/browser/api/electron_api_storage_access.cc
@@ -0,0 +1,57 @@
+// Copyright (c) 2023 Slack Technologies, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#include "shell/browser/api/electron_api_storage_access.h"
+
+#include <string>
+
+// using Browser::TopLevelStorage;
+
+namespace electron::api {
+
+void TopLevelStorageAccessPermissionContext::DecidePermission(
+    permissions::PermissionRequestData request_data,
+    permissions::BrowserPermissionCallback callback) {
+  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+  content::RenderFrameHost* rfh = content::RenderFrameHost::FromID(
+      request_data.id.global_render_frame_host_id());
+  CHECK(rfh);
+  if (!request_data.user_gesture ||
+      !base::FeatureList::IsEnabled(
+          blink::features::kStorageAccessAPIForOriginExtension) ||
+      !request_data.requesting_origin.is_valid() ||
+      !request_data.embedding_origin.is_valid()) {
+    if (!request_data.user_gesture) {
+      rfh->AddMessageToConsole(
+          blink::mojom::ConsoleMessageLevel::kError,
+          "requestStorageAccessFor: Must be handling a user gesture to use.");
+    }
+    RecordOutcomeSample(
+        TopLevelStorageAccessRequestOutcome::kDeniedByPrerequisites);
+    std::move(callback).Run(CONTENT_SETTING_BLOCK);
+    return;
+  }
+
+  // if (!base::FeatureList::IsEnabled(features::kFirstPartySets)) {
+  //   // First-Party Sets is disabled, so reject the request.
+  //   RecordOutcomeSample(
+  //       TopLevelStorageAccessRequestOutcome::kDeniedByPrerequisites);
+  //   std::move(callback).Run(CONTENT_SETTING_BLOCK);
+  //   return;
+  // }
+
+  net::SchemefulSite embedding_site(request_data.embedding_origin);
+  net::SchemefulSite requesting_site(request_data.requesting_origin);
+
+  first_party_sets::FirstPartySetsPolicyServiceFactory::GetForBrowserContext(
+      browser_context())
+      ->ComputeFirstPartySetMetadata(
+          requesting_site, &embedding_site,
+          base::BindOnce(&TopLevelStorageAccessPermissionContext::
+                             CheckForAutoGrantOrAutoDenial,
+                         weak_factory_.GetWeakPtr(), std::move(request_data),
+                         std::move(callback)));
+}
+
+}  // namespace electron::api
--- a/shell/browser/api/electron_api_storage_access.h
+++ b/shell/browser/api/electron_api_storage_access.h
@@ -0,0 +1,11 @@
+// Copyright (c) 2023 Slack Technologies, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#ifndef SHELL_BROWSER_API_ELECTRON_API_STORAGE_ACCESS_H_
+#define SHELL_BROWSER_API_ELECTRON_API_STORAGE_ACCESS_H_
+
+#include "browser/storage_access_api/storage_access_grant_permission_context.h"
+#include "browser/top_level_storage_access_api/top_level_storage_access_permission_context.h"
+
+#endif  // ELECTRON_SHELL_BROWSER_API_ELECTRON_API_SESSION_H_