1 // Copyright 2012 The Chromium Authors 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 // Brought to you by the letter D and the number 2. 6 7 #ifndef NET_COOKIES_COOKIE_MONSTER_H_ 8 #define NET_COOKIES_COOKIE_MONSTER_H_ 9 10 #include <stddef.h> 11 #include <stdint.h> 12 13 #include <map> 14 #include <memory> 15 #include <optional> 16 #include <set> 17 #include <string> 18 #include <string_view> 19 #include <vector> 20 21 #include "base/containers/circular_deque.h" 22 #include "base/containers/flat_map.h" 23 #include "base/functional/callback_forward.h" 24 #include "base/gtest_prod_util.h" 25 #include "base/memory/ref_counted.h" 26 #include "base/memory/weak_ptr.h" 27 #include "base/thread_annotations.h" 28 #include "base/threading/thread_checker.h" 29 #include "base/time/time.h" 30 #include "net/base/net_export.h" 31 #include "net/base/schemeful_site.h" 32 #include "net/cookies/canonical_cookie.h" 33 #include "net/cookies/cookie_access_delegate.h" 34 #include "net/cookies/cookie_constants.h" 35 #include "net/cookies/cookie_inclusion_status.h" 36 #include "net/cookies/cookie_monster_change_dispatcher.h" 37 #include "net/cookies/cookie_store.h" 38 #include "net/log/net_log_with_source.h" 39 #include "url/gurl.h" 40 41 namespace net { 42 43 class CookieChangeDispatcher; 44 45 // The cookie monster is the system for storing and retrieving cookies. It has 46 // an in-memory list of all cookies, and synchronizes non-session cookies to an 47 // optional permanent storage that implements the PersistentCookieStore 48 // interface. 49 // 50 // Tasks may be deferred if all affected cookies are not yet loaded from the 51 // backing store. Otherwise, callbacks may be invoked immediately. 52 // 53 // A cookie task is either pending loading of the entire cookie store, or 54 // loading of cookies for a specific domain key (GetKey(), roughly eTLD+1). In 55 // the former case, the cookie callback will be queued in tasks_pending_ while 56 // PersistentCookieStore chain loads the cookie store on DB thread. In the 57 // latter case, the cookie callback will be queued in tasks_pending_for_key_ 58 // while PermanentCookieStore loads cookies for the specified domain key on DB 59 // thread. 60 class NET_EXPORT CookieMonster : public CookieStore { 61 public: 62 class PersistentCookieStore; 63 64 // Terminology: 65 // * The 'top level domain' (TLD) of an internet domain name is 66 // the terminal "." free substring (e.g. "com" for google.com 67 // or world.std.com). 68 // * The 'effective top level domain' (eTLD) is the longest 69 // "." initiated terminal substring of an internet domain name 70 // that is controlled by a general domain registrar. 71 // (e.g. "co.uk" for news.bbc.co.uk). 72 // * The 'effective top level domain plus one' (eTLD+1) is the 73 // shortest "." delimited terminal substring of an internet 74 // domain name that is not controlled by a general domain 75 // registrar (e.g. "bbc.co.uk" for news.bbc.co.uk, or 76 // "google.com" for news.google.com). The general assumption 77 // is that all hosts and domains under an eTLD+1 share some 78 // administrative control. 79 80 // CookieMap is the central data structure of the CookieMonster. It 81 // is a map whose values are pointers to CanonicalCookie data 82 // structures (the data structures are owned by the CookieMonster 83 // and must be destroyed when removed from the map). The key is based on the 84 // effective domain of the cookies. If the domain of the cookie has an 85 // eTLD+1, that is the key for the map. If the domain of the cookie does not 86 // have an eTLD+1, the key of the map is the host the cookie applies to (it is 87 // not legal to have domain cookies without an eTLD+1). This rule 88 // excludes cookies for, e.g, ".com", ".co.uk", or ".internalnetwork". 89 // This behavior is the same as the behavior in Firefox v 3.6.10. 90 // CookieMap does not store cookies that were set with the Partitioned 91 // attribute, those are stored in PartitionedCookieMap. 92 93 // NOTE(deanm): 94 // I benchmarked hash_multimap vs multimap. We're going to be query-heavy 95 // so it would seem like hashing would help. However they were very 96 // close, with multimap being a tiny bit faster. I think this is because 97 // our map is at max around 1000 entries, and the additional complexity 98 // for the hashing might not overcome the O(log(1000)) for querying 99 // a multimap. Also, multimap is standard, another reason to use it. 100 // TODO(rdsmith): This benchmark should be re-done now that we're allowing 101 // substantially more entries in the map. 102 using CookieMap = 103 std::multimap<std::string, std::unique_ptr<CanonicalCookie>>; 104 using CookieMapItPair = std::pair<CookieMap::iterator, CookieMap::iterator>; 105 using CookieItVector = std::vector<CookieMap::iterator>; 106 using CookieItList = std::list<CookieMap::iterator>; 107 108 // PartitionedCookieMap only stores cookies that were set with the Partitioned 109 // attribute. The map is double-keyed on cookie's partition key and 110 // the cookie's effective domain of the cookie (the key of CookieMap). 111 // We store partitioned cookies in a separate map so that the queries for a 112 // request's unpartitioned and partitioned cookies will both be more 113 // efficient (since querying two smaller maps is more efficient that querying 114 // one larger map twice). 115 using PartitionedCookieMap = 116 std::map<CookiePartitionKey, std::unique_ptr<CookieMap>>; 117 using PartitionedCookieMapIterators = 118 std::pair<PartitionedCookieMap::iterator, CookieMap::iterator>; 119 120 // Cookie garbage collection thresholds. Based off of the Mozilla defaults. 121 // When the number of cookies gets to k{Domain,}MaxCookies 122 // purge down to k{Domain,}MaxCookies - k{Domain,}PurgeCookies. 123 // It might seem scary to have a high purge value, but really it's not. 124 // You just make sure that you increase the max to cover the increase 125 // in purge, and we would have been purging the same number of cookies. 126 // We're just going through the garbage collection process less often. 127 // Note that the DOMAIN values are per eTLD+1; see comment for the 128 // CookieMap typedef. So, e.g., the maximum number of cookies allowed for 129 // google.com and all of its subdomains will be 150-180. 130 // 131 // Any cookies accessed more recently than kSafeFromGlobalPurgeDays will not 132 // be evicted by global garbage collection, even if we have more than 133 // kMaxCookies. This does not affect domain garbage collection. 134 static const size_t kDomainMaxCookies; 135 static const size_t kDomainPurgeCookies; 136 static const size_t kMaxCookies; 137 static const size_t kPurgeCookies; 138 139 // Max number of keys to store for domains that have been purged. 140 static const size_t kMaxDomainPurgedKeys; 141 142 // Partitioned cookie garbage collection thresholds. 143 static const size_t kPerPartitionDomainMaxCookieBytes; 144 static const size_t kPerPartitionDomainMaxCookies; 145 // TODO(crbug.com/1225444): Add global limit to number of partitioned cookies. 146 147 // Quota for cookies with {low, medium, high} priorities within a domain. 148 static const size_t kDomainCookiesQuotaLow; 149 static const size_t kDomainCookiesQuotaMedium; 150 static const size_t kDomainCookiesQuotaHigh; 151 152 // The number of days since last access that cookies will not be subject 153 // to global garbage collection. 154 static const int kSafeFromGlobalPurgeDays; 155 156 // The store passed in should not have had Init() called on it yet. This 157 // class will take care of initializing it. The backing store is NOT owned by 158 // this class, but it must remain valid for the duration of the cookie 159 // monster's existence. If |store| is NULL, then no backing store will be 160 // updated. |net_log| must outlive the CookieMonster and can be null. 161 CookieMonster(scoped_refptr<PersistentCookieStore> store, NetLog* net_log); 162 163 // Only used during unit testing. 164 // |net_log| must outlive the CookieMonster. 165 CookieMonster(scoped_refptr<PersistentCookieStore> store, 166 base::TimeDelta last_access_threshold, 167 NetLog* net_log); 168 169 CookieMonster(const CookieMonster&) = delete; 170 CookieMonster& operator=(const CookieMonster&) = delete; 171 172 ~CookieMonster() override; 173 174 // Writes all the cookies in |list| into the store, replacing all cookies 175 // currently present in store. 176 // This method does not flush the backend. 177 // TODO(rdsmith, mmenke): Do not use this function; it is deprecated 178 // and should be removed. 179 // See https://codereview.chromium.org/2882063002/#msg64. 180 void SetAllCookiesAsync(const CookieList& list, SetCookiesCallback callback); 181 182 // CookieStore implementation. 183 void SetCanonicalCookieAsync( 184 std::unique_ptr<CanonicalCookie> cookie, 185 const GURL& source_url, 186 const CookieOptions& options, 187 SetCookiesCallback callback, 188 std::optional<CookieAccessResult> cookie_access_result = 189 std::nullopt) override; 190 void GetCookieListWithOptionsAsync(const GURL& url, 191 const CookieOptions& options, 192 const CookiePartitionKeyCollection& s, 193 GetCookieListCallback callback) override; 194 void GetAllCookiesAsync(GetAllCookiesCallback callback) override; 195 void GetAllCookiesWithAccessSemanticsAsync( 196 GetAllCookiesWithAccessSemanticsCallback callback) override; 197 void DeleteCanonicalCookieAsync(const CanonicalCookie& cookie, 198 DeleteCallback callback) override; 199 void DeleteAllCreatedInTimeRangeAsync( 200 const CookieDeletionInfo::TimeRange& creation_range, 201 DeleteCallback callback) override; 202 void DeleteAllMatchingInfoAsync(CookieDeletionInfo delete_info, 203 DeleteCallback callback) override; 204 void DeleteSessionCookiesAsync(DeleteCallback callback) override; 205 void DeleteMatchingCookiesAsync(DeletePredicate predicate, 206 DeleteCallback callback) override; 207 void FlushStore(base::OnceClosure callback) override; 208 void SetForceKeepSessionState() override; 209 CookieChangeDispatcher& GetChangeDispatcher() override; 210 void SetCookieableSchemes(const std::vector<std::string>& schemes, 211 SetCookieableSchemesCallback callback) override; 212 std::optional<bool> SiteHasCookieInOtherPartition( 213 const net::SchemefulSite& site, 214 const std::optional<CookiePartitionKey>& partition_key) const override; 215 216 // Enables writing session cookies into the cookie database. If this this 217 // method is called, it must be called before first use of the instance 218 // (i.e. as part of the instance initialization process). 219 void SetPersistSessionCookies(bool persist_session_cookies); 220 221 // The default list of schemes the cookie monster can handle. 222 static const char* const kDefaultCookieableSchemes[]; 223 static const int kDefaultCookieableSchemesCount; 224 225 // Find a key based on the given domain, which will be used to find all 226 // cookies potentially relevant to it. This is used for lookup in cookies_ as 227 // well as for PersistentCookieStore::LoadCookiesForKey. See comment on keys 228 // before the CookieMap typedef. 229 static std::string GetKey(std::string_view domain); 230 231 // Exposes the comparison function used when sorting cookies. 232 static bool CookieSorter(const CanonicalCookie* cc1, 233 const CanonicalCookie* cc2); 234 235 // Triggers immediate recording of stats that are typically reported 236 // periodically. DoRecordPeriodicStatsForTesting()237 bool DoRecordPeriodicStatsForTesting() { return DoRecordPeriodicStats(); } 238 239 private: 240 // For garbage collection constants. 241 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, TestHostGarbageCollection); 242 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, 243 GarbageCollectWithSecureCookiesOnly); 244 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, TestGCTimes); 245 246 // For validation of key values. 247 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, TestDomainTree); 248 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, TestImport); 249 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, GetKey); 250 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, TestGetKey); 251 252 // For FindCookiesForKey. 253 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, ShortLivedSessionCookies); 254 255 // For CookieSource histogram enum. 256 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, CookieSourceHistogram); 257 258 // For kSafeFromGlobalPurgeDays in CookieStore. 259 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, EvictSecureCookies); 260 261 // For CookieDeleteEquivalent histogram enum. 262 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, 263 CookieDeleteEquivalentHistogramTest); 264 265 // For CookieSentToSamePort enum. 266 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, 267 CookiePortReadDiffersFromSetHistogram); 268 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, IsCookieSentToSamePortThatSetIt); 269 270 // For FilterCookiesWithOptions domain shadowing. 271 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, 272 FilterCookiesWithOptionsExcludeShadowingDomains); 273 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest, 274 FilterCookiesWithOptionsWarnShadowingDomains); 275 276 // For StoreLoadedCookies behavior with origin-bound cookies. 277 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest_StoreLoadedCookies, 278 NoSchemeNoPort); 279 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest_StoreLoadedCookies, 280 YesSchemeNoPort); 281 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest_StoreLoadedCookies, 282 NoSchemeYesPort); 283 FRIEND_TEST_ALL_PREFIXES(CookieMonsterTest_StoreLoadedCookies, 284 YesSchemeYesPort); 285 286 // Internal reasons for deletion, used to populate informative histograms 287 // and to provide a public cause for onCookieChange notifications. 288 // 289 // If you add or remove causes from this list, please be sure to also update 290 // the CookieChangeCause mapping inside ChangeCauseMapping. New items (if 291 // necessary) should be added at the end of the list, just before 292 // DELETE_COOKIE_LAST_ENTRY. 293 enum DeletionCause { 294 DELETE_COOKIE_EXPLICIT = 0, 295 DELETE_COOKIE_OVERWRITE = 1, 296 DELETE_COOKIE_EXPIRED = 2, 297 DELETE_COOKIE_EVICTED = 3, 298 DELETE_COOKIE_DUPLICATE_IN_BACKING_STORE = 4, 299 DELETE_COOKIE_DONT_RECORD = 5, // For final cleanup after flush to store. 300 301 // Cookies evicted during domain-level garbage collection. 302 DELETE_COOKIE_EVICTED_DOMAIN = 6, 303 304 // Cookies evicted during global garbage collection, which takes place after 305 // domain-level garbage collection fails to bring the cookie store under 306 // the overall quota. 307 DELETE_COOKIE_EVICTED_GLOBAL = 7, 308 309 // #8 was DELETE_COOKIE_EVICTED_DOMAIN_PRE_SAFE 310 // #9 was DELETE_COOKIE_EVICTED_DOMAIN_POST_SAFE 311 312 // A common idiom is to remove a cookie by overwriting it with an 313 // already-expired expiration date. This captures that case. 314 DELETE_COOKIE_EXPIRED_OVERWRITE = 10, 315 316 // Cookies are not allowed to contain control characters in the name or 317 // value. However, we used to allow them, so we are now evicting any such 318 // cookies as we load them. See http://crbug.com/238041. 319 DELETE_COOKIE_CONTROL_CHAR = 11, 320 321 // When strict secure cookies is enabled, non-secure cookies are evicted 322 // right after expired cookies. 323 DELETE_COOKIE_NON_SECURE = 12, 324 325 // Partitioned cookies evicted during per-partition domain-level garbage 326 // collection. 327 DELETE_COOKIE_EVICTED_PER_PARTITION_DOMAIN = 13, 328 329 DELETE_COOKIE_LAST_ENTRY = 14, 330 }; 331 332 // Used to populate a histogram containing information about the 333 // sources of Secure and non-Secure cookies: that is, whether such 334 // cookies are set by origins with cryptographic or non-cryptographic 335 // schemes. Please do not reorder the list when adding new 336 // entries. New items MUST be added at the end of the list, and kMaxValue 337 // should be updated to the last value. 338 // 339 // CookieSource::k(Non)SecureCookie(Non)CryptographicScheme means 340 // that a cookie was set or overwritten from a URL with the given type 341 // of scheme. This enum should not be used when cookies are *cleared*, 342 // because its purpose is to understand if Chrome can deprecate the 343 // ability of HTTP urls to set/overwrite Secure cookies. 344 enum class CookieSource : uint8_t { 345 kSecureCookieCryptographicScheme = 0, 346 kSecureCookieNoncryptographicScheme, 347 kNonsecureCookieCryptographicScheme, 348 kNonsecureCookieNoncryptographicScheme, 349 kMaxValue = kNonsecureCookieNoncryptographicScheme 350 }; 351 352 // Enum for collecting metrics on how frequently a cookie is sent to the same 353 // port it was set by. 354 // 355 // kNoButDefault exists because we expect for cookies being sent between 356 // schemes to have a port mismatch and want to separate those out from other, 357 // more interesting, cases. 358 // 359 // Do not reorder or renumber. Used for metrics. 360 enum class CookieSentToSamePort { 361 kSourcePortUnspecified = 0, // Cookie's source port is unspecified, we 362 // can't know if this is the same port or not. 363 kInvalid = 1, // The source port was corrupted to be PORT_INVALID, we 364 // can't know if this is the same port or not. 365 kNo = 2, // Source port and destination port are different. 366 kNoButDefault = 367 3, // Source and destination ports are different but they're 368 // the defaults for their scheme. This can mean that an http 369 // cookie was sent to a https origin or vice-versa. 370 kYes = 4, // They're the same. 371 kMaxValue = kYes 372 }; 373 374 // Record statistics every kRecordStatisticsIntervalSeconds of uptime. 375 static const int kRecordStatisticsIntervalSeconds = 10 * 60; 376 377 // Sets a canonical cookie, deletes equivalents and performs garbage 378 // collection. |source_url| indicates what URL the cookie is being set 379 // from; secure cookies cannot be altered from insecure schemes, and some 380 // schemes may not be authorized. 381 // 382 // |options| indicates if this setting operation is allowed 383 // to affect http_only or same-site cookies. 384 // 385 // |cookie_access_result| is an optional input status, to allow for status 386 // chaining from callers. It helps callers provide the status of a 387 // canonical cookie that may have warnings associated with it. 388 void SetCanonicalCookie( 389 std::unique_ptr<CanonicalCookie> cookie, 390 const GURL& source_url, 391 const CookieOptions& options, 392 SetCookiesCallback callback, 393 std::optional<CookieAccessResult> cookie_access_result = std::nullopt); 394 395 void GetAllCookies(GetAllCookiesCallback callback); 396 397 void AttachAccessSemanticsListForCookieList( 398 GetAllCookiesWithAccessSemanticsCallback callback, 399 const CookieList& cookie_list); 400 401 void GetCookieListWithOptions( 402 const GURL& url, 403 const CookieOptions& options, 404 const CookiePartitionKeyCollection& cookie_partition_key_collection, 405 GetCookieListCallback callback); 406 407 void DeleteAllCreatedInTimeRange( 408 const CookieDeletionInfo::TimeRange& creation_range, 409 DeleteCallback callback); 410 411 // Returns whether |cookie| matches |delete_info|. 412 bool MatchCookieDeletionInfo(const CookieDeletionInfo& delete_info, 413 const net::CanonicalCookie& cookie); 414 415 void DeleteCanonicalCookie(const CanonicalCookie& cookie, 416 DeleteCallback callback); 417 418 void DeleteMatchingCookies(DeletePredicate predicate, 419 DeletionCause cause, 420 DeleteCallback callback); 421 422 // The first access to the cookie store initializes it. This method should be 423 // called before any access to the cookie store. 424 void MarkCookieStoreAsInitialized(); 425 426 // Fetches all cookies if the backing store exists and they're not already 427 // being fetched. 428 void FetchAllCookiesIfNecessary(); 429 430 // Fetches all cookies from the backing store. 431 void FetchAllCookies(); 432 433 // Whether all cookies should be fetched as soon as any is requested. 434 bool ShouldFetchAllCookiesWhenFetchingAnyCookie(); 435 436 // Stores cookies loaded from the backing store and invokes any deferred 437 // calls. |beginning_time| should be the moment PersistentCookieStore::Load 438 // was invoked and is used for reporting histogram_time_blocked_on_load_. 439 // See PersistentCookieStore::Load for details on the contents of cookies. 440 void OnLoaded(base::TimeTicks beginning_time, 441 std::vector<std::unique_ptr<CanonicalCookie>> cookies); 442 443 // Stores cookies loaded from the backing store and invokes the deferred 444 // task(s) pending loading of cookies associated with the domain key 445 // (GetKey, roughly eTLD+1). Called when all cookies for the domain key have 446 // been loaded from DB. See PersistentCookieStore::Load for details on the 447 // contents of cookies. 448 void OnKeyLoaded(const std::string& key, 449 std::vector<std::unique_ptr<CanonicalCookie>> cookies); 450 451 // Stores the loaded cookies. 452 void StoreLoadedCookies( 453 std::vector<std::unique_ptr<CanonicalCookie>> cookies); 454 455 // Invokes deferred calls. 456 void InvokeQueue(); 457 458 // Checks that |cookies_| matches our invariants, and tries to repair any 459 // inconsistencies. (In other words, it does not have duplicate cookies). 460 void EnsureCookiesMapIsValid(); 461 462 // Checks for any duplicate cookies for CookieMap key |key| which lie between 463 // |begin| and |end|. If any are found, all but the most recent are deleted. 464 // 465 // If |cookie_partition_it| is not nullopt, then this function trims cookies 466 // from the CookieMap in |partitioned_cookies_| at |cookie_partition_it| 467 // instead of trimming cookies from |cookies_|. 468 void TrimDuplicateCookiesForKey( 469 const std::string& key, 470 CookieMap::iterator begin, 471 CookieMap::iterator end, 472 std::optional<PartitionedCookieMap::iterator> cookie_partition_it); 473 474 void SetDefaultCookieableSchemes(); 475 476 std::vector<CanonicalCookie*> FindCookiesForRegistryControlledHost( 477 const GURL& url, 478 CookieMap* cookie_map = nullptr, 479 PartitionedCookieMap::iterator* partition_it = nullptr); 480 481 std::vector<CanonicalCookie*> FindPartitionedCookiesForRegistryControlledHost( 482 const CookiePartitionKey& cookie_partition_key, 483 const GURL& url); 484 485 void FilterCookiesWithOptions(const GURL url, 486 const CookieOptions options, 487 std::vector<CanonicalCookie*>* cookie_ptrs, 488 CookieAccessResultList* included_cookies, 489 CookieAccessResultList* excluded_cookies); 490 491 // Possibly delete an existing cookie equivalent to |cookie_being_set| (same 492 // path, domain, and name). 493 // 494 // |allowed_to_set_secure_cookie| indicates if the source may override 495 // existing secure cookies. If the source is not trustworthy, and there is an 496 // existing "equivalent" cookie that is Secure, that cookie will be preserved, 497 // under "Leave Secure Cookies Alone" (see 498 // https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01). 499 // ("equivalent" here is in quotes because the equivalency check for the 500 // purposes of preserving existing Secure cookies is slightly more inclusive.) 501 // 502 // If |skip_httponly| is true, httponly cookies will not be deleted even if 503 // they are equivalent. 504 // |key| is the key to find the cookie in cookies_; see the comment before the 505 // CookieMap typedef for details. 506 // 507 // If a cookie is deleted, and its value matches |cookie_being_set|'s value, 508 // then |creation_date_to_inherit| will be set to that cookie's creation date. 509 // 510 // The cookie will not be deleted if |*status| is not "include" when calling 511 // the function. The function will update |*status| with exclusion reasons if 512 // a secure cookie was skipped or an httponly cookie was skipped. 513 // 514 // If |cookie_partition_it| is nullopt, it will search |cookies_| for 515 // duplicates of |cookie_being_set|. Otherwise, |cookie_partition_it|'s value 516 // is the iterator of the CookieMap in |partitioned_cookies_| we should search 517 // for duplicates. 518 // 519 // NOTE: There should never be more than a single matching equivalent cookie. 520 void MaybeDeleteEquivalentCookieAndUpdateStatus( 521 const std::string& key, 522 const CanonicalCookie& cookie_being_set, 523 bool allowed_to_set_secure_cookie, 524 bool skip_httponly, 525 bool already_expired, 526 base::Time* creation_date_to_inherit, 527 CookieInclusionStatus* status, 528 std::optional<PartitionedCookieMap::iterator> cookie_partition_it); 529 530 // Inserts `cc` into cookies_. Returns an iterator that points to the inserted 531 // cookie in `cookies_`. Guarantee: all iterators to `cookies_` remain valid. 532 // Dispatches the change to `change_dispatcher_` iff `dispatch_change` is 533 // true. 534 CookieMap::iterator InternalInsertCookie( 535 const std::string& key, 536 std::unique_ptr<CanonicalCookie> cc, 537 bool sync_to_store, 538 const CookieAccessResult& access_result, 539 bool dispatch_change = true); 540 541 // Returns true if the cookie should be (or is already) synced to the store. 542 // Used for cookies during insertion and deletion into the in-memory store. 543 bool ShouldUpdatePersistentStore(CanonicalCookie* cc); 544 545 // Inserts `cc` into partitioned_cookies_. Should only be used when 546 // cc->IsPartitioned() is true. 547 PartitionedCookieMapIterators InternalInsertPartitionedCookie( 548 std::string key, 549 std::unique_ptr<CanonicalCookie> cc, 550 bool sync_to_store, 551 const CookieAccessResult& access_result, 552 bool dispatch_change = true); 553 554 // Sets all cookies from |list| after deleting any equivalent cookie. 555 // For data gathering purposes, this routine is treated as if it is 556 // restoring saved cookies; some statistics are not gathered in this case. 557 void SetAllCookies(CookieList list, SetCookiesCallback callback); 558 559 void InternalUpdateCookieAccessTime(CanonicalCookie* cc, 560 const base::Time& current_time); 561 562 // |deletion_cause| argument is used for collecting statistics and choosing 563 // the correct CookieChangeCause for OnCookieChange notifications. Guarantee: 564 // All iterators to cookies_, except for the deleted entry, remain valid. 565 void InternalDeleteCookie(CookieMap::iterator it, 566 bool sync_to_store, 567 DeletionCause deletion_cause); 568 569 // Deletes a Partitioned cookie. Returns true if the deletion operation 570 // resulted in the CookieMap the cookie was stored in was deleted. 571 // 572 // If the CookieMap which contains the deleted cookie only has one entry, then 573 // this function will also delete the CookieMap from PartitionedCookieMap. 574 // This may invalidate the |cookie_partition_it| argument. 575 void InternalDeletePartitionedCookie( 576 PartitionedCookieMap::iterator partition_it, 577 CookieMap::iterator cookie_it, 578 bool sync_to_store, 579 DeletionCause deletion_cause); 580 581 // If the number of cookies for CookieMap key |key|, or globally, are 582 // over the preset maximums above, garbage collect, first for the host and 583 // then globally. See comments above garbage collection threshold 584 // constants for details. Also removes expired cookies. 585 // 586 // Returns the number of cookies deleted (useful for debugging). 587 size_t GarbageCollect(const base::Time& current, const std::string& key); 588 589 // Run garbage collection for PartitionedCookieMap keys |cookie_partition_key| 590 // and |key|. 591 // 592 // Partitioned cookies are subject to different limits than unpartitioned 593 // cookies in order to prevent leaking entropy about user behavior across 594 // cookie partitions. 595 size_t GarbageCollectPartitionedCookies( 596 const base::Time& current, 597 const CookiePartitionKey& cookie_partition_key, 598 const std::string& key); 599 600 // Helper for GarbageCollect(). Deletes up to |purge_goal| cookies with a 601 // priority less than or equal to |priority| from |cookies|, while ensuring 602 // that at least the |to_protect| most-recent cookies are retained. 603 // |protected_secure_cookies| specifies whether or not secure cookies should 604 // be protected from deletion. 605 // 606 // |cookies| must be sorted from least-recent to most-recent. 607 // 608 // Returns the number of cookies deleted. 609 size_t PurgeLeastRecentMatches(CookieItVector* cookies, 610 CookiePriority priority, 611 size_t to_protect, 612 size_t purge_goal, 613 bool protect_secure_cookies); 614 // Same as above except that for a given {priority, secureness} tuple domain 615 // cookies will be deleted before host cookies. 616 size_t PurgeLeastRecentMatchesForOBC(CookieItList* cookies, 617 CookiePriority priority, 618 size_t to_protect, 619 size_t purge_goal, 620 bool protect_secure_cookies); 621 622 // Helper for GarbageCollect(); can be called directly as well. Deletes all 623 // expired cookies in |itpair|. If |cookie_its| is non-NULL, all the 624 // non-expired cookies from |itpair| are appended to |cookie_its|. 625 // 626 // Returns the number of cookies deleted. 627 size_t GarbageCollectExpired(const base::Time& current, 628 const CookieMapItPair& itpair, 629 CookieItVector* cookie_its); 630 631 // Deletes all expired cookies in the double-keyed PartitionedCookie map in 632 // the CookieMap at |cookie_partition_it|. It deletes all cookies in that 633 // CookieMap in |itpair|. If |cookie_its| is non-NULL, all non-expired cookies 634 // from |itpair| are appended to |cookie_its|. 635 // 636 // Returns the number of cookies deleted. 637 size_t GarbageCollectExpiredPartitionedCookies( 638 const base::Time& current, 639 const PartitionedCookieMap::iterator& cookie_partition_it, 640 const CookieMapItPair& itpair, 641 CookieItVector* cookie_its); 642 643 // Helper function to garbage collect all expired cookies in 644 // PartitionedCookieMap. 645 void GarbageCollectAllExpiredPartitionedCookies(const base::Time& current); 646 647 // Helper for GarbageCollect(). Deletes all cookies in the range specified by 648 // [|it_begin|, |it_end|). Returns the number of cookies deleted. 649 size_t GarbageCollectDeleteRange(const base::Time& current, 650 DeletionCause cause, 651 CookieItVector::iterator cookie_its_begin, 652 CookieItVector::iterator cookie_its_end); 653 654 // Helper for GarbageCollect(). Deletes cookies in |cookie_its| from least to 655 // most recently used, but only before |safe_date|. Also will stop deleting 656 // when the number of remaining cookies hits |purge_goal|. 657 // 658 // Sets |earliest_time| to be the earliest last access time of a cookie that 659 // was not deleted, or base::Time() if no such cookie exists. 660 size_t GarbageCollectLeastRecentlyAccessed(const base::Time& current, 661 const base::Time& safe_date, 662 size_t purge_goal, 663 CookieItVector cookie_its, 664 base::Time* earliest_time); 665 666 bool HasCookieableScheme(const GURL& url); 667 668 // Get the cookie's access semantics (LEGACY or NONLEGACY), by checking for a 669 // value from the cookie access delegate, if it is non-null. Otherwise returns 670 // UNKNOWN. 671 CookieAccessSemantics GetAccessSemanticsForCookie( 672 const CanonicalCookie& cookie) const; 673 674 // Statistics support 675 676 // This function should be called repeatedly, and will record 677 // statistics if a sufficient time period has passed. 678 void RecordPeriodicStats(const base::Time& current_time); 679 680 // Records the aforementioned stats if we have already finished loading all 681 // cookies. Returns whether stats were recorded. 682 bool DoRecordPeriodicStats(); 683 684 // Records periodic stats related to First-Party Sets usage. Note that since 685 // First-Party Sets presents a potentially asynchronous interface, these stats 686 // may be collected asynchronously w.r.t. the rest of the stats collected by 687 // `RecordPeriodicStats`. 688 void RecordPeriodicFirstPartySetsStats( 689 base::flat_map<SchemefulSite, FirstPartySetEntry> sets) const; 690 691 // Defers the callback until the full coookie database has been loaded. If 692 // it's already been loaded, runs the callback synchronously. 693 void DoCookieCallback(base::OnceClosure callback); 694 695 // Defers the callback until the cookies relevant to given URL have been 696 // loaded. If they've already been loaded, runs the callback synchronously. 697 void DoCookieCallbackForURL(base::OnceClosure callback, const GURL& url); 698 699 // Defers the callback until the cookies relevant to given host or domain 700 // have been loaded. If they've already been loaded, runs the callback 701 // synchronously. 702 void DoCookieCallbackForHostOrDomain(base::OnceClosure callback, 703 std::string_view host_or_domain); 704 705 // Checks to see if a cookie is being sent to the same port it was set by. For 706 // metrics. 707 // 708 // This is in CookieMonster because only CookieMonster uses it. It's otherwise 709 // a standalone utility function. 710 static CookieSentToSamePort IsCookieSentToSamePortThatSetIt( 711 const GURL& destination, 712 int source_port, 713 CookieSourceScheme source_scheme); 714 715 // Set of keys (eTLD+1's) for which non-expired cookies have 716 // been evicted for hitting the per-domain max. The size of this set is 717 // histogrammed periodically. The size is limited to |kMaxDomainPurgedKeys|. 718 std::set<std::string> domain_purged_keys_ GUARDED_BY_CONTEXT(thread_checker_); 719 720 // The number of distinct keys (eTLD+1's) currently present in the |cookies_| 721 // multimap. This is histogrammed periodically. 722 size_t num_keys_ = 0u; 723 724 CookieMap cookies_ GUARDED_BY_CONTEXT(thread_checker_); 725 726 PartitionedCookieMap partitioned_cookies_ GUARDED_BY_CONTEXT(thread_checker_); 727 728 // Number of distinct partitioned cookies globally. This is used to enforce a 729 // global maximum on the number of partitioned cookies. 730 size_t num_partitioned_cookies_ = 0u; 731 // Number of partitioned cookies whose partition key has a nonce. 732 size_t num_nonced_partitioned_cookies_ = 0u; 733 734 // Number of bytes used by the partitioned cookie jar. 735 size_t num_partitioned_cookies_bytes_ = 0u; 736 // Number of bytes used by partitioned cookies whose partition key has a 737 // nonce. 738 size_t num_nonced_partitioned_cookie_bytes_ = 0u; 739 // Cookie jar sizes per partition. 740 std::map<CookiePartitionKey, size_t> bytes_per_cookie_partition_; 741 742 CookieMonsterChangeDispatcher change_dispatcher_; 743 744 // Indicates whether the cookie store has been initialized. 745 bool initialized_ = false; 746 747 // Indicates whether the cookie store has started fetching all cookies. 748 bool started_fetching_all_cookies_ = false; 749 // Indicates whether the cookie store has finished fetching all cookies. 750 bool finished_fetching_all_cookies_ = false; 751 752 // List of domain keys that have been loaded from the DB. 753 std::set<std::string> keys_loaded_; 754 755 // Map of domain keys to their associated task queues. These tasks are blocked 756 // until all cookies for the associated domain key eTLD+1 are loaded from the 757 // backend store. 758 std::map<std::string, base::circular_deque<base::OnceClosure>> 759 tasks_pending_for_key_ GUARDED_BY_CONTEXT(thread_checker_); 760 761 // Queues tasks that are blocked until all cookies are loaded from the backend 762 // store. 763 base::circular_deque<base::OnceClosure> tasks_pending_ 764 GUARDED_BY_CONTEXT(thread_checker_); 765 766 // Once a global cookie task has been seen, all per-key tasks must be put in 767 // |tasks_pending_| instead of |tasks_pending_for_key_| to ensure a reasonable 768 // view of the cookie store. This is more to ensure fancy cookie export/import 769 // code has a consistent view of the CookieStore, rather than out of concern 770 // for typical use. 771 bool seen_global_task_ = false; 772 773 NetLogWithSource net_log_; 774 775 scoped_refptr<PersistentCookieStore> store_; 776 777 // Minimum delay after updating a cookie's LastAccessDate before we will 778 // update it again. 779 const base::TimeDelta last_access_threshold_; 780 781 // Approximate date of access time of least recently accessed cookie 782 // in |cookies_|. Note that this is not guaranteed to be accurate, only a) 783 // to be before or equal to the actual time, and b) to be accurate 784 // immediately after a garbage collection that scans through all the cookies 785 // (When garbage collection does not scan through all cookies, it may not be 786 // updated). This value is used to determine whether global garbage collection 787 // might find cookies to purge. Note: The default Time() constructor will 788 // create a value that compares earlier than any other time value, which is 789 // wanted. Thus this value is not initialized. 790 base::Time earliest_access_time_; 791 792 std::vector<std::string> cookieable_schemes_; 793 794 base::Time last_statistic_record_time_; 795 796 bool persist_session_cookies_ = false; 797 798 THREAD_CHECKER(thread_checker_); 799 800 base::WeakPtrFactory<CookieMonster> weak_ptr_factory_{this}; 801 }; 802 803 typedef base::RefCountedThreadSafe<CookieMonster::PersistentCookieStore> 804 RefcountedPersistentCookieStore; 805 806 class NET_EXPORT CookieMonster::PersistentCookieStore 807 : public RefcountedPersistentCookieStore { 808 public: 809 typedef base::OnceCallback<void( 810 std::vector<std::unique_ptr<CanonicalCookie>>)> 811 LoadedCallback; 812 813 PersistentCookieStore(const PersistentCookieStore&) = delete; 814 PersistentCookieStore& operator=(const PersistentCookieStore&) = delete; 815 816 // Initializes the store and retrieves the existing cookies. This will be 817 // called only once at startup. The callback will return all the cookies 818 // that are not yet returned to CookieMonster by previous priority loads. 819 // 820 // |loaded_callback| may not be NULL. 821 // |net_log| is a NetLogWithSource that may be copied if the persistent 822 // store wishes to log NetLog events. 823 virtual void Load(LoadedCallback loaded_callback, 824 const NetLogWithSource& net_log) = 0; 825 826 // Does a priority load of all cookies for the domain key (eTLD+1). The 827 // callback will return all the cookies that are not yet returned by previous 828 // loads, which includes cookies for the requested domain key if they are not 829 // already returned, plus all cookies that are chain-loaded and not yet 830 // returned to CookieMonster. 831 // 832 // |loaded_callback| may not be NULL. 833 virtual void LoadCookiesForKey(const std::string& key, 834 LoadedCallback loaded_callback) = 0; 835 836 virtual void AddCookie(const CanonicalCookie& cc) = 0; 837 virtual void UpdateCookieAccessTime(const CanonicalCookie& cc) = 0; 838 virtual void DeleteCookie(const CanonicalCookie& cc) = 0; 839 840 // Instructs the store to not discard session only cookies on shutdown. 841 virtual void SetForceKeepSessionState() = 0; 842 843 // Sets a callback that will be run before the store flushes. If |callback| 844 // performs any async operations, the store will not wait for those to finish 845 // before flushing. 846 virtual void SetBeforeCommitCallback(base::RepeatingClosure callback) = 0; 847 848 // Flushes the store and posts |callback| when complete. |callback| may be 849 // NULL. 850 virtual void Flush(base::OnceClosure callback) = 0; 851 852 protected: 853 PersistentCookieStore() = default; 854 virtual ~PersistentCookieStore() = default; 855 856 private: 857 friend class base::RefCountedThreadSafe<PersistentCookieStore>; 858 }; 859 860 } // namespace net 861 862 #endif // NET_COOKIES_COOKIE_MONSTER_H_ 863