Notes for embedders on cookie-related API changes in M76 & M77

26 views
Skip to first unread message

Maksim Orlovich

unread,
Aug 1, 2019, 10:51:04 AM8/1/19
to Chromium Embedders

M76:

ContentBrowserClient::OnCookiesRead/OnCookiesChanged now called on IO thread. (In this release only, sorry about that). 


M77:

OnCookiesRead/OnCookiesChanged are now in WebContentsObserver (and back to UI thread).


The following methods were removed from ContentBrowserClient:

AllowGetCookie

AllowSetCookie

OnCookiesRead

OnCookieChange

OverrideCookieStoreForURL


Following were added:

ShouldTreatURLSchemeAsFirstPartyWhenTopLevel

WillCreateRestrictedCookieManager


The big picture here is that the browser process is no longer directly involved in handling individual cookies — all the network ones are handled entirely in the network service, while for JavaScript cookie access the renderer gets a RestrictedCookieManager from the browser, and then talks to the network service directly.


This means the policy for which cookies are permitted lives in the network service, and is applied to both network and JS cookies consistently.  If your settings requirements can be expressed via components/content_settings patterns and are per-NetworkContext, you can just fill them into the cookie_manager_params field in NetworkContextParams when creating the NetworkContext and not do anything else.  If they need to change dynamically, there are methods on CookieManager mojo interface (an instance is available on StoragePartition) to push new settings — see e.g. ProfileNetworkContextService::OnContentSettingChanged. 


If they are somewhat more complicated, you may be able to achieve them by proxying the URLLoaderFactory and the RestrictedCookieManager.  WillCreateRestrictedCookieManager will permit you to do the latter; and AwProxyingURLLoader and AwProxyingRestrictedCookieManager in android_webview are an example of doing that.  This approach is limited since per network request it can either turn off cookies entirely or turn off third-party cookies but not deal with individual ones; though that is possible for JavaScript access to cookies.


Really fine-grained modifications may be possible via TrustedHeaderClient. 


Hope this is of some use,
Maks

Reply all
Reply to author
Forward
0 new messages