Fix 5869: Google OAuth should work by default

[jumde]

Fix brave/brave-browser#5869

Submitter Checklist:

• Submitted a ticket for my issue if one did not already exist.
• Used Github auto-closing keywords in the commit message.
• Added/updated tests for this change (for new code or code which already has tests).
• Verified that these changes build without errors on
  • Android
  • iOS
  • Linux
  • macOS
  • Windows
• Verified that these changes pass automated tests (unit, browser, security tests) on
  • iOS
  • Linux
  • macOS
  • Windows
• Verified that all lint errors/warnings are resolved (npm run lint)
• Ran git rebase master (if needed).
• Ran git rebase -i to squash commits (if needed).
• Tagged reviewers and labelled the pull request as needed.
• Request a security/privacy review as needed.
• Add appropriate QA labels (QA/Yes or QA/No) to include the closed issue in milestone
• Public documentation has been updated as necessary. For instance:
  • https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
  • https://github.com/brave/brave-browser/wiki/Proxy-redirected-URLs
  • https://github.com/brave/brave-browser/wiki/Fingerprinting-Protection-Mode
  • https://github.com/brave/brave-browser/wiki/Brave%E2%80%99s-Use-of-Referral-Codes
  • https://github.com/brave/brave-browser/wiki/Custom-Headers
  • https://github.com/brave/brave-browser/wiki/Web-compatibility-issues-with-tracking-protection
  • https://github.com/brave/brave-browser/wiki/QA-Guide

Test Plan:

1. Navigate to expensify.com
2. Verify that Cross-Site cookie blocking is enabled
3. Click login using Google
4. Login should succeed
5. Navigate to brave://settings/socialBlocking and disable Google login
6. Navigate to brave://settings/clearBrowserData and clear all data
7. Try logging in again, login should fail

Reviewer Checklist:

• New files have MPL-2.0 license header.
• Request a security/privacy review as needed.
• Adequate test coverage exists to prevent regressions
• Verify test plan is specified in PR before merging to source

After-merge Checklist:

• The associated issue milestone is set to the smallest version that the
  changes has landed on.
• All relevant documentation has been updated.

[bridiver]

it's confusing to me that we have a method called SetCookieWhitelist that takes a ControlType. It seems to me that this is just an overloaded SetCookieControlType with a string pattern instead of a GURL, correct?

[iefremov]

I'd say SetCookieControlTypeForPattern? Overloads are often confusing and also not encouraged by CC.

[bridiver]

why does this method care whether it's social media or not?

[bridiver]

why is this always ALLOW if we're passing a ControlType?

[bridiver]

I think it's problematic to set this as a brave cookie plugin type because it will always end up with an override one direction or the other which could potentially conflict with user overrides. It seems better to convert this directly to cookie settings in BravePrefProvider so we only add an override when it's enabled

[bridiver]

it's especially problematic because of this https://github.com/brave/brave-core/pull/3784/files#diff-6c160ccdf43d9f23e468a95ec08b4d12R219 which adds an allow override no matter what the setting is

[bridiver]

as per comment we should not be adding any content settings when kGoogleLoginControlType is disabled and the current code just changes what the override is. We should convert it to non-persistent chrome cookie settings instead when we convert everything else in BravePrefProvider

[bridiver]

this method makes more sense as SetCookieWhitelist because it will potentially add other pref based overrides, but ForSocialMedia seems irrelevant to the method and google auth isn't social media anyway. This is just setting a whitelist based on prefs

[bridiver]

please add tests for this including a test to ensure that no overrides are added when the pref is false

[iefremov]

const std::string& or base::StringPiece

[iefremov]

pls correct spaces everywhere (or use clang-format)

[iefremov]

is it used anywhere?

[iefremov]

unused?

[iefremov]

we need a test, showing that the new preference doesn't override user choice in per-site shields settings

[bridiver]

I actually requested this in the last review and should verify your comment below

[jumde]

Added here: https://github.com/brave/brave-core/pull/3784/files#diff-a3b1f2bffde11cef192a185a65955508R350

[iefremov]

not sure if this overrides user shields settings or not.
Anyway, this method becomes too fat, so i'd prefer to put it into a separate method (or at least add a comment).

[bridiver]

it shouldn't override shields settings as long as it comes last, but it should have a test to verify

[jumde]

Test added here: https://github.com/brave/brave-core/pull/3784/files#diff-a3b1f2bffde11cef192a185a65955508R350

[bridiver]

although actually we want it to override site shield settings because it should work the same whether the default is block 3p cookies or whether the default is something else and site shield settings are block 3p cookies. In the case where site settings are block all you won't be able to login to anything anyway

[bridiver]

lint - 2 spaces

[jumde]

Renamed so that it's consistent with other helper functions like DefaultBlockAllCookies

[iefremov]

I desperately desire a comment here, describing the whole situation. So an occasional stranger could have a little chance to understand why and what happens here :)

[bridiver]

I think this method name is confusing because it's not obvious in the tests that this is a site override and not the default. I think it's better to pass in the URL instead of the server

[bridiver]

same as below

[bridiver]

same ^^

[bridiver]

BlockAllThirdPartyCookies doesn't mean anything different to me than BlockThirdPartyCookies. DefaultBlockThirdPartyCookies maybe?

[bridiver]

should these maybe be ThirdPartyGoogleAccountsCookiesAllowed? Instead of Iframe? I know it's basically equivalent, but I think ThirdParty is a better description

[bsclifton]

🎉 !!