diff --git a/browser/tor/test/BUILD.gn b/browser/tor/test/BUILD.gn
index bee6d83adc93..f02fe38728f4 100644
--- a/browser/tor/test/BUILD.gn
+++ b/browser/tor/test/BUILD.gn
@@ -49,6 +49,7 @@ source_set("browser_tests") {
 "brave_tor_browsertest.cc",
 "onion_domain_throttle_browsertest.cc",
 "onion_location_navigation_throttle_browsertest.cc",
+ "samesite_strict_cookie_tor_browsertest.cc",
 "tor_profile_manager_browsertest.cc",
 ]
diff --git a/browser/tor/test/samesite_strict_cookie_tor_browsertest.cc b/browser/tor/test/samesite_strict_cookie_tor_browsertest.cc
new file mode 100644
index 000000000000..489149300a8d
--- /dev/null
+++ b/browser/tor/test/samesite_strict_cookie_tor_browsertest.cc
@@ -0,0 +1,111 @@
+/* Copyright (c) 2026 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "brave/browser/tor/tor_profile_manager.h"
+#include "brave/components/tor/tor_navigation_throttle.h"
+#include "brave/net/proxy_resolution/proxy_config_service_tor.h"
+#include "chrome/browser/renderer_context_menu/render_view_context_menu_test_util.h"
+#include "chrome/browser/ui/browser.h"
+#include "chrome/test/base/in_process_browser_test.h"
+#include "chrome/test/base/ui_test_utils.h"
+#include "content/public/test/browser_test.h"
+#include "content/public/test/browser_test_utils.h"
+#include "content/public/test/test_navigation_observer.h"
+#include "net/dns/mock_host_resolver.h"
+#include "net/test/embedded_test_server/default_handlers.h"
+#include "net/test/embedded_test_server/embedded_test_server.h"
+#include "net/test/embedded_test_server/http_request.h"
+#include "net/test/embedded_test_server/http_response.h"
+#include "url/gurl.h"
+
+namespace {
+
+constexpr char kSiteA[] = "a.test";
+constexpr char kSiteB[] = "b.test";
+constexpr char kSameSiteStrictCookie[] = "strict_cookie=1; SameSite=Strict";
+
+std::unique_ptr HandleSetStrictCookie(
+ const net::test_server::HttpRequest& request) {
+ if (request.relative_url.find("/set-strict-cookie") != 0) {
+ return nullptr;
+ }
+ auto response = std::make_unique();
+ response->set_code(net::HTTP_OK);
+ response->set_content_type("text/html");
+ response->set_content("cookie set");
+ response->AddCustomHeader("Set-Cookie", kSameSiteStrictCookie);
+ return response;
+}
+
+} // namespace
+
+class SameSiteStrictCookieTorBrowserTest : public InProcessBrowserTest {
+ void SetUpOnMainThread() override {
+ InProcessBrowserTest::SetUpOnMainThread();
+
+ host_resolver()->AddRule("*", "127.0.0.1");
+
+ https_server_ = std::make_unique(
+ net::EmbeddedTestServer::TYPE_HTTPS);
+ https_server_->SetSSLConfig(net::EmbeddedTestServer::CERT_TEST_NAMES);
+ https_server_->RegisterRequestHandler(
+ base::BindRepeating(&HandleSetStrictCookie));
+ net::test_server::RegisterDefaultHandlers(https_server_.get());
+ https_server_->SetSSLConfig(net::EmbeddedTestServer::CERT_TEST_NAMES);
+ ASSERT_TRUE(https_server_->Start());
+
+ net::ProxyConfigServiceTor::SetBypassTorProxyConfigForTesting(true);
+ tor::TorNavigationThrottle::SetSkipWaitForTorConnectedForTesting(true);
+ }
+
+ protected:
+ std::unique_ptr https_server_;
+};
+
+IN_PROC_BROWSER_TEST_F(SameSiteStrictCookieTorBrowserTest,
+ OpenLinkInTorDoesNotSendSameSiteStrictCookie) {
+ Browser* tor_browser =
+ TorProfileManager::SwitchToTorProfile(browser()->profile());
+
+ const auto set_cookie_url =
+ https_server_->GetURL(kSiteB, "/set-strict-cookie");
+ ASSERT_TRUE(ui_test_utils::NavigateToURL(tor_browser, set_cookie_url));
+
+ const GURL view_cookies_url =
+ https_server_->GetURL(kSiteB, "/echoheader?Cookie");
+
+ auto exec_and_check_cookies = [&](const GURL& site_url) {
+ content::ContextMenuParams params;
+ params.frame_origin = url::Origin::Create(site_url);
+ params.page_url = site_url;
+ params.frame_url = site_url;
+ params.link_url = view_cookies_url;
+
+ TestRenderViewContextMenu menu(*browser()
+ ->tab_strip_model()
+ ->GetActiveWebContents()
+ ->GetPrimaryMainFrame(),
+ params);
+ content::TestNavigationObserver observer(view_cookies_url);
+ observer.StartWatchingNewWebContents();
+ menu.ExecuteCommand(IDC_CONTENT_CONTEXT_OPENLINKTOR, 0);
+ observer.Wait();
+
+ auto* web_contents = tor_browser->tab_strip_model()->GetActiveWebContents();
+ return content::EvalJs(web_contents, "document.body.textContent") == "None";
+ };
+ {
+ // Cross-site case
+ const auto cross_site_page_url =
+ https_server_->GetURL(kSiteA, "/cross-site-page.html");
+ EXPECT_TRUE(exec_and_check_cookies(cross_site_page_url));
+ }
+ {
+ // Same-site case
+ const auto same_site_page_url =
+ https_server_->GetURL(kSiteB, "/cross-site-page.html");
+ EXPECT_FALSE(exec_and_check_cookies(same_site_page_url));
+ }
+}
diff --git a/chromium_src/chrome/browser/renderer_context_menu/render_view_context_menu.cc b/chromium_src/chrome/browser/renderer_context_menu/render_view_context_menu.cc
index 5b2bb6775ad5..3f69a3df1c2f 100644
--- a/chromium_src/chrome/browser/renderer_context_menu/render_view_context_menu.cc
+++ b/chromium_src/chrome/browser/renderer_context_menu/render_view_context_menu.cc
@@ -172,6 +172,7 @@ bool HasAlreadyOpenedTorWindow(Profile* profile) {
 // Modified OnProfileCreated() in render_view_context_menu.cc
 // to handle additional |use_new_tab| param.
 void OnTorProfileCreated(const GURL& link_url,
+ const url::Origin& initiator,
 bool use_new_tab,
 Browser* browser) {
 CHECK(browser);
@@ -194,6 +195,7 @@ void OnTorProfileCreated(const GURL& link_url,
 nav_params.referrer = content::Referrer(GURL(), network::mojom::ReferrerPolicy::kStrictOrigin);
 nav_params.window_action = NavigateParams::WindowAction::kShowWindow;
+ nav_params.initiator_origin = initiator;
 Navigate(&nav_params);
 }
@@ -467,7 +469,8 @@ void BraveRenderViewContextMenu::ExecuteCommand(int id, int event_flags) {
 Browser* tor_browser = TorProfileManager::SwitchToTorProfile(GetProfile());
 if (tor_browser) {
- OnTorProfileCreated(params_.link_url, has_tor_window, tor_browser);
+ OnTorProfileCreated(params_.link_url, params_.frame_origin,
+ has_tor_window, tor_browser);
 }
 } break;
 #endif
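Review bot: The same-site case in `OpenLinkInTorDoesNotSendSameSiteStrictCookie` can pass without the cookie ever being sent, because `exec_and_check_cookies` only reports whether the echoed body equals `"None"` and `EXPECT_FALSE` then accepts any other text, an error page included. Returning the text from the lambda, `return content::EvalJs(web_contents, "document.body.textContent").ExtractString();`, and asserting `EXPECT_EQ("None", ...)` for the a.test page and `EXPECT_EQ("strict_cookie=1", ...)` for the b.test page would pin both outcomes, assuming no other cookie is set for b.test. Separately, `SetSSLConfig(net::EmbeddedTestServer::CERT_TEST_NAMES)` is called twice in `SetUpOnMainThread`; one call is enough.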
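Review bot: Nothing at the new `nav_params.initiator_origin = initiator;` line says why the initiator is carried into the Tor profile, and the comment above `OnTorProfileCreated` (first hunk of this file) still mentions only `|use_new_tab|`. A why-comment next to the assignment would keep the security property visible to the next editor, for example `// Carry the originating frame's origin so a cross-site "Open link in Tor" navigation does not get SameSite=Strict cookies attached.` The header comment could also name `|initiator|`. Both hunks show only part of `OnTorProfileCreated`, so the wording should be checked against the rest of the body.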
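Review bot: The call now forwards `params_.frame_origin` for both values of `has_tor_window`, but the added browser test calls `TorProfileManager::SwitchToTorProfile` before it runs the command. It therefore presumably exercises only the path where a Tor window already exists. A second test case that runs `IDC_CONTENT_CONTEXT_OPENLINKTOR` with no Tor window open would cover the other branch of the `use_new_tab` handling. `HasAlreadyOpenedTorWindow` and the rest of `ExecuteCommand` are outside the hunk, so this is inferred from the visible lines only.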