Validate Cookie-Indices when serving prefetch responses.
If a Cookie-Indices header is present (along with a Vary header
that includes the Cookie field name), the mentioned cookies are
hashed both at prefetch time and when the prefetch is being
served. If that hash fails to match, the response is not served,
though it's still possible for a subsequent response in the
redirect chain to be served if it remains servable.
Why send a new IPC rather than use a cookie listener? The issue
is that the cookie listener has a separate pipe and therefore
its IPC is not guaranteed to arrive in the browser before the
browser considers serving -- and this could in theory manifest
in a way observable by script.
That is, if a page:
- prefetches
- after some time, sets document.cookie
- immediately navigates
Then though the cookie change should be deterministically visible
(because it definitely happened before the navigation in the
renderer), it would be possible for the cookie listener to lose
the race with the code in the renderer that did a navigation
shortly after.
On the other hand, since the network service does have up to
date cookies by that point, a new IPC sent from the browser to
the network service will observe the current state -- at least,
as current as if a new request had been actually sent to the
server. (It is still possible for some other request or activity
to update a cookie, and that's normal.)
This case is demonstrated in the following beautiful sequence
diagram:
              +-----------+          +---------+            +---------+
              |  renderer |          | browser |            | network |
              +-----------+          +---------+            +---------+
       -----------\ |                     |                       |
       | prefetch |-|                     |                       |
       |----------| |                     |                       |
                    | prefetch            |                       |
                    |-------------------->|                       |
                    |                     | prefetch              |
                    |                     |--------------------->|
                    |                     | prefetched            |
                    |                     |<---------------------|
------------------\ |                     |                       |
| document.cookie |-|                     |                       |
|-----------------| |                     |                       |
                    | set cookie          |                       |
                    |-------------------->|                       |
                    |                     | set cookie            |
                    |                     |--------------------->|
                    |                     | cookie changed        |
                    |                     |<---------------------|
                    | cookie changed      |                       |
                    |<--------------------|                       |
       -----------\ |                     |                       |
       | navigate |-|                     |                       |
       |----------| |                     |                       |
                    | navigate            |                       |
                    |-------------------->|                       |
                    |-------------------\ |                       |
                    || consider serving |-|                       |
                    ||------------------| |                       |
                    |                     |                       |
                    |                     | cookie listener       |
                    |                     |<---------------------|
Bug: 328628231
Change-Id: Idbfccb941e1750010b6e27d0b4d548c1843f8926
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5539400
Reviewed-by: Kevin McNee <mcnee@chromium.org>
Reviewed-by: Vladimir Levin <vmpstr@chromium.org>
Commit-Queue: Jeremy Roman <jbroman@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1309980}