GoogleChromeLabs / ps-analysis-tool

Privacy Sandbox Analysis Chrome Extension and CLI for analysis and understanding of cookie usage on web pages, and new privacy-preserving Chrome APIs
https://www.privacysandbox.com
Apache License 2.0

Javascript cookies set in cross-site iframes are not detected/considered by PSAT #645

Open lcrespilho opened 2 months ago

lcrespilho commented 2 months ago

Describe the bug

JavaScript cookies (those set with document.cookie) set in cross-site iframes are not being detected by PSAT. They are considered by the browser, though.

To Reproduce

Steps to reproduce the behavior:

  1. Create the https://domain-aaa.com/topframe.html file with this code:
    <!DOCTYPE html>
    <html>
    <body>
    <iframe src="https://domain-bbb.com/iframe.html" frameborder="1"></iframe>
    </body>
    </html>
  2. Create the https://domain-bbb.com/iframe.html file with this code:
    <!DOCTYPE html>
    <html>
    <body>
    <script>
    document.cookie = 'test=test1; SameSite=none; Secure'
    </script>
    </body>
    </html>
  3. Open Chrome via helper chrome-3pcd-ps.
  4. Open the page https://domain-aaa.com/topframe.html.

Obs: I have set up a similar test lab here: https://louren.co.in/PSAT/issue645/topframe.html

Expected behavior

The cross-site iframe tries to create a third-party cookie without the Partitioned attribute and can't because chrome-3pcd-ps has 3pc disabled. This is the expected behavior and even the DevTools console logs the try in the issues tab. The problem is that the try should be detected/logged by PSAT, but it isn't.

Screenshots

Screenshot 1: DevTools issues panel evidencing that there was a failed attempt to create the 3PC without Partitioned attribute. [image: Screenshot 2024-04-25 at 12 55 56]

Screenshot 2: PSAT didn't detect the failed attempt to create the cookie. [image: Screenshot 2024-04-25 at 12 58 35]

Desktop (please complete the following information):

Additional context

PSAT System Information:

Open Tabs: 1
Active Extensions:
  Google Docs Offline: ghbmnnjooekpmoecnnnilnnbdlolhkhi
  Privacy Sandbox Analysis Tool: ikodlagpencphdljdpelmcajjlloiomb
Chrome Version: Version 124.0.0.0 (arm64)
PSAT Version: 0.7.0
OS - System Architecture: MacOS (arm64)

milindmore22 commented 2 months ago

Hello @lcrespilho

Thanks for bringing this to our attention! You’re correct, PSAT’s JavaScript cookie detection (specifically the document.cookie) is currently limited to the main website frame and doesn’t extend to sub frames (iframes).

We recognize this as a bug and are actively working on a fix. The solution will be included in an upcoming version, so stay tuned!
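
One way an extension could observe document.cookie writes in every frame, including blocked attempts like the one reported above. This is an added example, not PSAT's code or its fix: `parseCookieAssignment`, `hookCookieWrites` and the `frameInfo`/`report` shapes are hypothetical. It assumes the script is injected into each frame's main world (for example a content script registered with `"all_frames": true` and `"world": "MAIN"`).

```javascript
// Added example (not PSAT code). All function names here are hypothetical.

// Split a document.cookie assignment into name, value and lower-cased attributes.
function parseCookieAssignment(str) {
  const [pair = '', ...rest] = String(str).split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const attr of rest.filter(Boolean)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return {
    name: eq === -1 ? '' : pair.slice(0, eq).trim(),
    value: (eq === -1 ? pair : pair.slice(eq + 1)).trim(),
    attributes,
  };
}

// Shadow the native cookie accessor on `doc` so every write is reported,
// including writes the browser silently drops (e.g. an unpartitioned 3PC).
function hookCookieWrites(doc, proto, frameInfo, report) {
  const native = Object.getOwnPropertyDescriptor(proto, 'cookie');
  if (!native || !native.get || !native.set) return false;
  Object.defineProperty(doc, 'cookie', {
    configurable: true,
    enumerable: true,
    get() { return native.get.call(doc); },
    set(assignment) {
      native.set.call(doc, assignment);
      const parsed = parseCookieAssignment(assignment);
      // Heuristic: the write was stored if the jar now returns that exact pair.
      const pair = parsed.name ? `${parsed.name}=${parsed.value}` : parsed.value;
      const stored = native.get.call(doc).split('; ').includes(pair);
      report({ ...parsed, stored, frameUrl: frameInfo.url, isTopFrame: frameInfo.isTop });
    },
  });
  return true;
}

// Browser bootstrap: must run in each frame's main world at document_start.
if (typeof document !== 'undefined' && typeof Document !== 'undefined') {
  hookCookieWrites(document, Document.prototype,
    { url: location.href, isTop: window.top === window },
    (event) => console.debug('[cookie-write]', event));
}
```

The `stored` flag is what separates a blocked attempt from a successful write; it reads `true` for a blocked write if an identical pair was already in the jar.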