Hello, blink-dev (and security-dev@ on BCC)!
I'd like to make a small change* to the definition of "first-party" that we use for third-party cookie blocking: we currently look only at the top-level origin to determine the first-party origin for a request. I'd like to start walking the whole ancestor chain of a frame.
https://codereview.chromium.org/1075163002/ adjusts `Document::firstPartyForCookies` in the way I'm suggesting. At the moment, that value is only used way up in the network stack, and only for those users who have chosen to "block third-party cookies and site data".
The motivation is consistency with First-Party-Only cookies, which I believe will need to support this definition of "first-partyness" in order to mitigate some risks (maliciously purchased ads, for instance, make it completely viable to create `target.com` -> `adnetwork.com` -> `target.com` nestings). I believe that these instances should be fairly uncommon in practice, and so should have fairly limited effect on non-malicious sites.
I plan to add a runtime flag for the behavior change so that we can evaluate the effect. I fear that the evaluation is going to have to be subjective, however; blocking third-party cookies already breaks specific things in a number of ways (intentionally). It's not clear that we can gather metrics about meaningful breakage vs. blocking cookies in accordance with user wishes (suggestions welcome!).
Thanks!
*so small that I'm not even using the template. :)
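The two definitions of "first-party" discussed in the message, modelled as an added example; this is illustrative code, not the Chromium patch linked above nor anything from the blink-dev post. It assumes a simplified site comparison (last two host labels as a stand-in for eTLD+1) and represents `firstPartyForCookies` as returning `null` when the ancestor chain is not wholly same-site with the top-level document; the real Chromium representation of "no first party" is not shown on the page and is an assumption here.

```javascript
// Added example (not from the blink-dev post or from Chromium): compares the
// current "top-level origin only" definition of first-party-for-cookies with
// the proposed "walk the whole ancestor chain" definition.
//
// An ancestor chain is an array of document origins from the top-level
// document down to the document that issues the request, e.g.
//   ['https://target.com', 'https://adnetwork.com', 'https://target.com']

// Assumption: a "site" is the last two labels of the hostname. Real
// implementations use the public suffix list (eTLD+1); this stand-in is
// enough to show the frame-nesting logic.
function siteOf(url) {
  const labels = new URL(url).hostname.split('.');
  return labels.slice(-2).join('.');
}

// Current behaviour: first party is simply the top-level document's site.
function firstPartyTopLevelOnly(ancestorChain) {
  return siteOf(ancestorChain[0]);
}

// Proposed behaviour: first party is the top-level site only if every
// document in the ancestor chain is same-site with it; otherwise there is
// no first party (modelled as null, an assumption of this example).
function firstPartyAncestorChain(ancestorChain) {
  const top = siteOf(ancestorChain[0]);
  const allSameSite = ancestorChain.every(origin => siteOf(origin) === top);
  return allSameSite ? top : null;
}

// Decision used when the user has chosen "block third-party cookies": a
// request may use cookies only if its site equals the computed first party.
function cookiesAllowedWhenBlockingThirdParty(firstParty, requestUrl) {
  return firstParty !== null && siteOf(requestUrl) === firstParty;
}

// Convenience wrapper returning the outcome under both definitions.
function classify(ancestorChain, requestUrl) {
  return {
    topLevelOnly: cookiesAllowedWhenBlockingThirdParty(
      firstPartyTopLevelOnly(ancestorChain), requestUrl),
    ancestorChain: cookiesAllowedWhenBlockingThirdParty(
      firstPartyAncestorChain(ancestorChain), requestUrl),
  };
}

// Constructed sample inputs (not real traffic).
// 1. The nesting from the post: an ad frame on target.com re-embeds target.com.
const maliciousNesting = [
  'https://target.com',
  'https://adnetwork.com',
  'https://target.com',
];
// 2. A benign same-site nesting, including a subdomain frame.
const benignNesting = [
  'https://target.com',
  'https://shop.target.com',
];

if (typeof require !== 'undefined' && require.main === module) {
  // Request from the innermost target.com frame in the malicious nesting:
  // allowed under the old rule, blocked under the proposed one.
  console.log(classify(maliciousNesting, 'https://target.com/api'));
  // Benign nesting: allowed under both rules.
  console.log(classify(benignNesting, 'https://target.com/api'));
}
```

The point the example makes concrete is that under the top-level-only rule the inner `target.com` frame is indistinguishable from the top-level page, so an attacker who can buy an ad slot on `target.com` gets cookie-bearing requests from inside the ad; walking the whole chain removes that, while leaving same-site nestings (including subdomains, under the eTLD+1 simplification) unaffected.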