Liberty: Support for CHIPS (Cookies Having Independent Partitioned State)

[volosied]

Description

To reduce the cross-site tracking, browsers will eventually restrict third-party cookies (such as Chrome by Q3 2024). The only allowed use of third-party cookies will be "partitioned" cookies. This new behavior means that no other website can access these cookies because they can only be used with their top level site.

For example, using the following scenario: Site A (top level) embeds site C and C sets a cookie. C can be an embedded map service, a chat box, ...etc.

Without Partitioning: If the browser goes to Site B (top level) which also embeds C then C can access the cookie from Site A.

With: If the browser goes to Site B (top level) which also embeds C then C cannot access the cookie from Site A. This this because the top level site has changed.

This is accomplished via the “Partitioned” attribute (used only with SameSite=None the secure flag). 
 Useful information and examples can be found here. However, not all browsers support the new attribute yet as it's still experimental. (Need to look into Safari and Firefox)

This will impact Liberty in a few ways:

• JSESSIONID
• LTPA Cookies
• Any other cookies set by Liberty

New configurations will need to be added to enable / disable the “Partitioned” attribute.

User Experience / Implementation Proposal:

Our idea is to follow the SameSite precedence (see blog here) and create a new partitioned metatype on the samesite element. Partitioned is mostly a follow up to SameSite, and therefore, we are aligning them together.

When partitioned is enabled (default is false for channel and defer for webAppSecurity and httpSession. ), it would add the partitioned attribute to the specified cookies. Partitioned can only be added when SameSite=None and secure exist (note that secure is automatically added when SameSite=None). As an example: <!— sugarcookie would be partitioned , but chocolatechip would not be —> <samesite lax="chocolatechip" none="sugarcookie" partitioned="true"/> Result:

set-cookie: sugarcookie=someValue; SameSite=None; Secure; Partitioned;
set-cookie: chocolatechip=someValue; SameSite=Lax; Secure;

Another example:

<httpEndpoint id="defaultHttpEndpoint"
              httpPort="9080"
              httpsPort="9443"
              samesiteRef="samesiteReference">
</httpEndpoint>
<samesite none="cookieOne" id="samesiteReference" partitioned="false"/>

Result: set-cookie: cookieOne=someValue; SameSite=None; Secure;

Similar logic would apply to httpSession and webAppSecurity. For example:

<httpSession cookieSameSite="None" cookiePartitioned="true"/>
<webAppSecurity sameSiteCookie="None partitionedCookie="true" />

Default Value - False / Defer (No Partition)

• The default value is false for Channel and defer for webAppSecurity and httpSession. Defer means the http channel config determines the partitioned value. In other words, webAppSecurity and httpSession's partitioned config take precedence over channel's config.
• The documentation lists that partitioned should be an opt-in, so we will follow the recommendation. Developers will need to find out wish cookies need partitioning, and then enable it for those cookies. Chrome offers various support tools for identifying these cookies.

Other Info:

Partitioned will be added a a known cookie attribute (for cookie parsing), can then be added via HttpServletResponse.setHeader and HttpServletResponse.addHeader.

The Webcontainer SPI will also be updated to support Partitioned ( Note: Currently using this API to add anything but the SameSite attribute will be ignored.)

---

Documents

When available, add links to required feature documents. Use "N/A" to mark particular documents which are not required by the feature.

• Externally raised requests for enhancements:

  • Aha: Link to the Aha idea (also add a link to this issue in the Aha idea)
  • Feature owner adds label Aha idea
  • Open Liberty Feature Request: Link to the OL GH issue (also add a link to this issue in the Feature Request GH issue)
  • Feature owner adds label Requested feature

• UFO: Link to Upcoming Feature Overview document

  • Upload the feature UFO to Box and set the link to be publicly accessible, with a long expiration (10 years)
  • Click "Share" > select "People with link" > click "Link Settings" > under "Link Expiration" select "Disable Shared Link on" > set an expiration date ~10 years into the future
  • If you lack permissions, contact OpenLiberty/release-architect

• FTS: https://github.com/OpenLiberty/open-liberty/issues/28222

• Beta Blog: https://github.com/OpenLiberty/open-liberty/issues/28921

• GA Blog: https://github.com/OpenLiberty/open-liberty/issues/28443

• ---

  Process Overview

• Prioritization

• Design

• Implementation

• Legal and Translation

• Beta

• GA

  • Focal Point Approvals

• Other Deliverables

General Instructions

The process steps occur roughly in the order as presented. Process steps occasionally overlap.

Each process step has a number of tasks which must be completed or must be marked as not applicable ("N/A").

Unless otherwise indicated, the tasks are the responsibility of the Feature Owner or a Delegate of the Feature Owner.

If you need assistance, reach out to the OpenLiberty/release-architect.

Important: Labels are used to trigger particular steps and must be added as indicated.

---

Prioritization (Complete Before Development Starts)

The (OpenLiberty/chief-architect) and area leads are responsible for prioritizing the features and determining which features are being actively worked on.

Prioritization

• [x] Feature added to the "New" column of the Open Liberty project board

  • Epics can be added to the board in one of two ways:
  • From this issue, use the "Projects" section to select the appropriate project board.
  • From the appropriate project board click "Add card" and select your Feature Epic issue

• [x] Priority assigned

  • Attend the Liberty Backlog Prioritization meeting

• ---

  Design (Complete Before Development Starts)

Design preliminaries determine whether a formal design, which will be provided by an Upcoming Feature Overview (UFO) document, must be created and reviewed. A formal design is required if the feature requires any of the following: UI, Serviceability, SVT, Performance testing, or non-trivial documentation/ID. Furthermore, each identified item places a blocking requirement on another team so it must be identified early in the process. The feature owner may check-off the item if they know it doesn't apply, but otherwise they should work with the focal point to determine what work, if any, will be necessary and make them aware of it.

Design Preliminaries

• [x] UI requirements identified, or N/A. (Feature owner and UI focal point)
• [x] Accessibility requirements identified, or N/A. (Feature owner and Accessibility focal point)
• [x] ID requirements identified, or N/A. (Feature owner and ID focal point)
  • Refer to Documenting Open Liberty.
  • Feature Owner adds label ID Required, if non-trivial documentation needs to be created by the ID team.
  • ID adds label ID Required - Trivial, if no design will be performed and only trivial ID updates are needed.
• [x] Serviceability requirements identified, or N/A. (Feature owner and Serviceability focal point)
• [x] SVT requirements identified, or N/A. (Feature owner and SVT focal point)
• [x] Performance testing requirements identified, or N/A. (Feature owner and Performance focal point)

Design

• [ ] POC Design / UFO review requested.
  • Feature owner adds label Design Review Request
• [ ] POC Design / UFO review scheduled.
  • Follow the instructions in POC-Forum repo
• [ ] POC Design / UFO review completed.
• [ ] POC / UFO Review follow-ons completed.
• [ ] POC Design / UFO approval requested.
  • Feature owner adds label Design Approval Request
• [ ] Design / UFO approved. (OpenLiberty/chief-architect) or N/A
  • (OpenLiberty/chief-architect) adds label Design Approved
  • Add the public link to the UFO in Box to the Documents section.
  • The UFO must always accurately reflect the final implementation of the feature. Any changes must be first approved. Afterwards, update the UFO by creating a copy of the original approved slide(s) at the end of the deck and prepend "OLD" to the title(s). A single updated copy of the slide(s) should take the original's place, and have its title(s) prepended with "UPDATED".

No Design

• [x] No Design requested.
  • Feature owner adds label No Design Approval Request
• [x] No Design / No UFO approved. (OpenLiberty/chief-architect) or N/A
  • Approver adds label No Design Approved
• [x] Feature / Capability stabilization or discontinuation or N/A
  • Feature owner adds label Product Management Approval Request and notifies OpenLiberty/product-management
  • Approver adds label Product Management Approved (OpenLiberty/product-management)
  • Note: For stabilized, superseded, and discontinued feature/capability, skip the Beta section of the template (you may delete it). Otherwise, proceed as normal.

FAT Documentation

• [x] "Feature Test Summary" child task created
  • Use the Feature Test Summary Template
  • FTS issue: https://github.com/OpenLiberty/open-liberty/issues/28222

• ---

  Implementation

A feature must be prioritized before any implementation work may begin to be delivered (inaccessible/no-ship). However, a design focused approach should still be applied to features, and developers should think about the feature design prior to writing and delivering any code.
Besides being prioritized, a feature must also be socialized (or No Design Approved) before any beta code may be delivered. All new Liberty content must be inaccessible in our GA releases until it is Feature Complete by either marking it kind=noship or beta fencing it.
Code may not GA until this feature has obtained the Design Approved or No Design Approved label, along with all other tasks outlined in the GA section.

Feature Development Begins

• [x] Add the In Progress label

Legal and Translation

In order to avoid last minute blockers and significant disruptions to the feature, the legal items need to be done as early in the feature process as possible, either in design or as early into the development as possible. Similarly, translation is to be done concurrently with development. Both MUST be completed before Beta or GA is requested.

Legal (Complete before Feature Complete Date)

• [x] Changed or new open source libraries are cleared and approved, or N/A. (Legal Release Services/Cass Tucker/Release PM).

Innovation (Complete 1 week before Feature Complete Date)

• [x] Consider whether any aspects of the feature may be patentable. If any identified, disclosures have been submitted.

Translation (Complete by Feature Complete Date)

• [x] PII (Program Integrated Information) updates are merged (i.e. all English strings due for translation have been delivered), or N/A.

• ---

  Beta

In order to facilitate early feedback from users, all new features and functionality should first be released as part of a beta release.

Beta Code

• [x] Beta fence the functionality
  • E.g. kind=beta, ibm:beta, ProductInfo.getBetaEdition()
• [x] Beta development complete and feature ready for inclusion in a beta release
  • Add label target:beta and the appropriate target:YY00X-beta (where YY00X is the targeted beta version).
• [x] Feature delivered into beta
  • (OpenLiberty/release-manager) adds label release:YY00X-beta (where YY00X is the first beta version that included the functionality).

Beta Blog (Complete by beta eGA)

• [x] Beta blog issue created and populated using the Open Liberty BETA blog post template.

  • Add a link to the beta blog issue in the Documents section.
  • Note: This is for inclusion into the overall beta release blog post. If, in addition, you'd also like to create a dedicated blog post about your feature, then follow the "Standalone Feature Blog Post" instructions under the Other Deliverables section.

• ---

  GA

A feature is ready to GA after it is Feature Complete and has obtained all necessary Focal Point Approvals.

Feature Complete

• [x] Feature implementation and tests completed.
  • [x] All PRs are merged.
  • [x] All related/child issues are closed.
  • [x] All stop ship issues are completed.
• [x] Legal: all necessary approvals granted.
• [ ] Translation: Feature may only proceed to GA if it has either Translation - Complete or Translation - Missing label
  • If all translation has been delivered to release branch, feature owner adds label Translation - Complete.
  • If missing translation does not cause a break in functionality, nor a security or production outage risk, feature owner adds label Translation - Missing.
  • Once all missing translations are delivered, the Translation - Missing label is replaced with Translation - Complete.
  • If missing translation could cause a break in functionality or a security or production outage risk, feature owner adds the Translation - Blocked label.
  • Featues with Translation - Blocked may NOT proceed to GA until the label has been replaced with either Translation - Missing or Translation - Complete.
  • For further guidance, contact Globalization focal point or the Release Architect.
• [x] GA development complete and feature ready for inclusion in a GA release
  • Add label target:ga and the appropriate target:YY00X (where YY00X is the targeted GA version).
  • Inclusion in a release requires the completion of all Focal Point Approvals.

Focal Point Approvals (Complete by Feature Complete Date)

These occur only after GA of this feature is requested (by adding a target:ga label). GA of this feature may not occur until all approvals are obtained.

All Features

• [x] APIs/Externals - Externals have been reviewed or N/A. (OpenLiberty/externals-approvers)
  • Approver adds label focalApproved:externals
• [x] Demo - Demo is scheduled for an upcoming EOI or N/A. (OpenLiberty/demo-approvers)
  • Add comment @OpenLiberty/demo-approvers Demo scheduled for EOI [Iteration Number] to this issue.
  • Approver adds label focalApproved:demo.
• [x] FAT - All Tests complete and running successfully in SOE or N/A. (OpenLiberty/fat-approvers)
  • Approver adds label focalApproved:fat.

Design Approved Features

• [x] ID - Documentation is complete or N/A. (OpenLiberty/id-approvers)
  • Approver adds label focalApproved:id.

  • NOTE: If only trivial documentation changes are required, you may reach out to the ID Feature Focal to request a ID Required - Trivial label. Unlike features with regular ID requirement, those with ID Required - Trivial label do not have a hard requirement for a Design/UFO.

• [ ] InstantOn - InstantOn capable or N/A. (OpenLiberty/instantOn-approvers)
  • Approver adds label focalApproved:instantOn.
• [ ] Performance - Performance testing is complete or N/A. (OpenLiberty/performance-approvers)
  • Approver adds label focalApproved:performance.
• [ ] Serviceability - Serviceability has been addressed or N/A. (OpenLiberty/serviceability-approvers)
  • Approver adds label focalApproved:sve.
• [ ] STE - Skills Transfer Education chart deck is complete or N/A. (OpenLiberty/ste-approvers)
  • Approver adds label focalApproved:ste.
• [ ] SVT - System Verification Test is complete or N/A. (OpenLiberty/svt-approvers)
  • Approver adds label focalApproved:svt.

Remove Beta Fencing (Complete by Feature Complete Date)

• [x] Beta guards are removed, or N/A
  • Only after all necessary Focal Point Approvals have been granted.

GA Blog (Complete by Friday after GM)

• [x] GA Blog issue created and populated using the Open Liberty GA release blog post template.
  • Add a link to the GA Blog issue in the Documents section.
  • Note: This is for inclusion into the overall release blog post. If, in addition, you'd also like to create a dedicated blog post about your feature, then follow the "Standalone Feature Blog Post" instructions under the Other Deliverables section.

Post GM (Complete before GA)

• [x] After confirming this feature has been included in the GM driver, feature owner closes this issue.

Post GA

• [x] Remove the target:ga and target:YY00X labels, and add the appropriate release:YY00X. (OpenLiberty/release-manager)

• ---

  Other Deliverables

• [x] Standalone Feature Blog Post - A blog post specifically about your feature or N/A. (Feature owner and OpenLiberty/release-architect)

  • This should be strongly considered for larger or more prominent features.
  • Follow instructions in the blogs repo.

• [ ] OL Guides - OL Guides assessment is complete or N/A. (OpenLiberty/guide-assessment)

• [ ] Dev Experience - Developer Experience & Tools work is complete or N/A. (OpenLiberty/dev-experience-assessment)

• ---

[volosied]

User Experience / Implementation Proposal:

Our idea is to follow the SameSite precedence (see blog here) and create a new partitioned metatype on the samesite element. Partitioned is mostly a follow up to SameSite, and therefore, we are aligning them together.

When partitioned is enabled (default is false), it would add the partitioned attribute to the specified cookies. Partitioned can only be added when SameSite=None and secure exist (note that secure is automatically added when SameSite=None). As an example: <!— sugarcookie would be partitioned , but chocolatechip would not be —> <samesite lax="chocolatechip" none="sugarcookie" partitioned="true"/> Result:

set-cookie: sugarcookie=someValue; SameSite=None; Secure; Partitioned;
set-cookie: chocolatechip=someValue; SameSite=Lax; Secure;

Another example:

<httpEndpoint id="defaultHttpEndpoint"
              httpPort="9080"
              httpsPort="9443"
              samesiteRef="samesiteReference">
</httpEndpoint>
<samesite none="cookieOne" id="samesiteReference" paritioned="false"/>

Result: set-cookie: cookieOne=someValue; SameSite=None; Secure;

Similar logic would apply to httpSession and webAppSecurity. For example:

<httpSession cookieSameSite="None" cookieParitioned="true"/>
<webAppSecurity sameSiteCookie="None partitionedCookie="true" />

Default Value - False (No Partition)

• The documentation lists that partitioned should be an opt-in, so we will follow the recommendation. Developers will need to find out wish cookies need partitioning, and then enable it for those cookies. Chrome offers various support tools for identifying these cookies.

Other Info:

Partitioned will be added a a known cookie attribute (for cookie parsing), can then be added via HttpServletResponse.setHeader and HttpServletResponse.addHeader.

The Webcontainer SPI will also be updated to support Partitioned ( Note: Currently using this API to add anything but the SameSite attribute will be ignored.)

[volosied]

Our CHIPS implementation attempts to use the samesite config as the baseline and any overriding changes (i.e session / security) are applied on top.

I think this overriding makes sense.

• Consistent with the existing SameSite
• But it complicates the implementation since one config can set the samesite and the other can enable / disable partitioning. See point 2 below.

However, there are two notes: 1) By default SameSite / Partitioning is disabled.
2) Partitioned is only accepted by browsers when SameSite=None. Liberty tries to only set Partitioned on SameSite=None (see first expected scenario) 2) Partitioned isn't set unless samesite is specified. However, session doesn't know what the samesite config is, so we have to set the values on it. This creates an unexpected scenario (see last)

List of scenarios with Liberty's current implementation:

Expected Scenarios:

Scenario:

    <samesite/>
    <httpSession cookieSameSite="Lax" cookiePartitioned="true" />

Result: Partitioned is ignored since it doesn't apply Regular Cookie:
Session Cookie: SameSite=Lax;

---

Scenario:

    <samesite/>
    <httpSession cookieSameSite="None" cookiePartitioned="true" />

Result: Regular Cookie:
Session Cookie: SameSite=None; Partitioned

---

Scenario:

    <samesite none="*" partitioned="true"/>
    <httpSession />

Result:
Regular Cookie: SameSite=None; Partitioned Session Cookie: SameSite=None; Partitioned

---

Scenario:

    <samesite none="*" partitioned="true"/>
    <httpSession cookiePartitioned="false"/>

Result: cookiePartitioned overrides samesite's partitioned Regular Cookie: SameSite=None; Partitioned Session Cookie: SameSite=None;

---

Scenario:

    <samesite none="*"/>
    <httpSession cookiePartitioned="true"/>

Result: Split config; only session cookie is partitioned Regular Cookie: SameSite=None; Session Cookie: SameSite=None; Partitioned

---

Scenario:

    <samesite partitioned="true"/>
    <httpSession/>

Result: No samesite, so no partitioned Regular Cookie: Session Cookie:

Unexpected Scenario:

Scenario:

    <samesite />
    <httpSession cookiePartitioned="true"/>

Result: Unexpected -- samesite is not set, but partitioned exists. However, we don't have a way to check samesite config from the session code. Regular Cookie: Session Cookie: Partitioned

[volosied]

With the time crunch, and I think we should let this one unexpected scenario slide by for the following reasons:

1) https://github.com/privacycg/CHIPS?tab=readme-ov-file#using-set-cookie-with-partitioned

User agents may only accept Partitioned cookies if their SameSite attribute is None.

Note: a Partitioned cookie without SameSite=None is effectively just a same-site cookie which cannot be sent in a third-party context anyway.

This mean browsers won't do anything since SameSite=None is missing.

2) I don't expected many users to only set partitioned on -- any support cases will just tell them to disable it if they won't want it.

Security cookies might also encounter this too, but I think that the same reasoning above also applies.

[chirp1]

Based on a slack with David, Volodymyr, and me, Volodymyr will have blog post and an autogenerted metatype. No doc need from the ID team. Approving the epic.

[volosied]

Issue to GA CHIPS: https://github.com/OpenLiberty/open-liberty/issues/28070