Open Bug 1637670 Opened 4 years ago Updated 2 years ago

Same-site cookies are included in requests from content scripts in a foreign-site frame

Categories

(WebExtensions :: General, defect, P2)

Points: 1

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: robwu, Assigned: baku)

About the bug summary: The issue was present before the fix from bug 1635490, but was reintroduced with the fix from bug 1629436 (which fixed a regression). This bug is filed to fix the bug again, to unblock the patch that fixes a regression that has already reached Beta.

During a code review at https://phabricator.services.mozilla.com/D74175#inline-433225, I described a scenario that should work as described, but fails.

On the web, requests from child frames are not expected to include SameSite cookies. This should also be the case for requests from content scripts of extensions. So if the test at test_ext_cookies_firstParty.js is modified to add a cross-origin frame:

<!-- the fetch is same-origin relative to this frame, but the frame is cross-site relative to the parent -->
<iframe src="http://example.org/contentScriptHere"></iframe>

... and a content script requests a resource from example.org, then the request should be treated as foreign-site, despite the URL being same-origin relative to the frame's document. This expectation is due to the frame's document being cross-site relative to its parent.

When :baku added the requested test, the test failed (i.e. SameSite cookies are still included in the request from the content script). This should be resolved.
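
The expectation in the description above, modelled as an added example (not Firefox code and not part of the bug report): a request counts as same-site only if every document in the frame's ancestor chain is same-site with the request URL. The `example.com` parent, the cookie names and the two-label approximation of a "site" are assumptions made for illustration.

```javascript
// Added illustration; a model of the expected behaviour, not browser code.
// Assumption: "site" is approximated as the last two host labels. Real
// browsers use the Public Suffix List and may also compare the scheme.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// ancestors: document URLs from the top-level page down to the frame that
// issues the request (for a content script, the frame it was injected into).
function isSameSiteRequest(ancestors, requestUrl) {
  const target = siteOf(requestUrl);
  return ancestors.every((doc) => siteOf(doc) === target);
}

// Names of the cookies that should accompany a subresource request.
// Strict and Lax cookies are both withheld when the request is cross-site.
// Simplification: cookies are matched to the request by site only.
function cookiesToSend(jar, ancestors, requestUrl) {
  const target = siteOf(requestUrl);
  const sameSite = isSameSiteRequest(ancestors, requestUrl);
  return jar
    .filter((c) => siteOf(`http://${c.domain}/`) === target)
    .filter((c) => sameSite || c.sameSite === "None")
    .map((c) => c.name);
}

// Constructed sample data: cookie names and the example.com parent are hypothetical.
const jar = [
  { name: "strict", domain: "example.org", sameSite: "Strict" },
  { name: "lax", domain: "example.org", sameSite: "Lax" },
  { name: "none", domain: "example.org", sameSite: "None" },
];
const request = "http://example.org/resource";

// Content script in a top-level example.org document: same-site request.
const topLevel = ["http://example.org/contentScriptHere"];
// Content script in the example.org frame embedded by a foreign-site parent.
const framed = [
  "http://example.com/parent.html",
  "http://example.org/contentScriptHere",
];

console.log(cookiesToSend(jar, topLevel, request));
console.log(cookiesToSend(jar, framed, request));
```

The second call is the case this bug covers: the request URL is same-origin with the frame, yet only the `SameSite=None` cookie should be sent.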

Severity: -- → S3
Priority: -- → P2
Points: --- → 1