| blob | 1eced597bf6e852660dd8a55e8b5bfa4d9314f31 |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 // Brought to you by the letter D and the number 2.
7 #ifndef NET_COOKIES_COOKIE_MONSTER_H_
8 #define NET_COOKIES_COOKIE_MONSTER_H_
9 #pragma once
11 #include <deque>
12 #include <map>
13 #include <queue>
14 #include <set>
15 #include <string>
16 #include <utility>
17 #include <vector>
40 // The cookie monster is the system for storing and retrieving cookies. It has
41 // an in-memory list of all cookies, and synchronizes non-session cookies to an
42 // optional permanent storage that implements the PersistentCookieStore
43 // interface.
44 //
45 // This class IS thread-safe. Normally, it is only used on the I/O thread, but
46 // is also accessed directly through Automation for UI testing.
47 //
48 // All cookie tasks are handled asynchronously. Tasks may be deferred if
49 // all affected cookies are not yet loaded from the backing store. Otherwise,
50 // the callback may be invoked immediately (prior to return of the asynchronous
51 // function).
52 //
53 // A cookie task is either pending loading of the entire cookie store, or
54 // loading of cookies for a specfic domain key(eTLD+1). In the former case, the
55 // cookie task will be queued in queue_ while PersistentCookieStore chain loads
56 // the cookie store on DB thread. In the latter case, the cookie task will be
57 // queued in tasks_queued_ while PermanentCookieStore loads cookies for the
58 // specified domain key(eTLD+1) on DB thread.
59 //
60 // Callbacks are guaranteed to be invoked on the calling thread.
61 //
62 // TODO(deanm) Implement CookieMonster, the cookie database.
63 // - Verify that our domain enforcement and non-dotted handling is correct
71 // Terminology:
72 // * The 'top level domain' (TLD) of an internet domain name is
73 // the terminal "." free substring (e.g. "com" for google.com
74 // or world.std.com).
75 // * The 'effective top level domain' (eTLD) is the longest
76 // "." initiated terminal substring of an internet domain name
77 // that is controlled by a general domain registrar.
78 // (e.g. "co.uk" for news.bbc.co.uk).
79 // * The 'effective top level domain plus one' (eTLD+1) is the
80 // shortest "." delimited terminal substring of an internet
81 // domain name that is not controlled by a general domain
82 // registrar (e.g. "bbc.co.uk" for news.bbc.co.uk, or
83 // "google.com" for news.google.com). The general assumption
84 // is that all hosts and domains under an eTLD+1 share some
85 // administrative control.
87 // CookieMap is the central data structure of the CookieMonster. It
88 // is a map whose values are pointers to CanonicalCookie data
89 // structures (the data structures are owned by the CookieMonster
90 // and must be destroyed when removed from the map). The key is based on the
91 // effective domain of the cookies. If the domain of the cookie has an
92 // eTLD+1, that is the key for the map. If the domain of the cookie does not
93 // have an eTLD+1, the key of the map is the host the cookie applies to (it is
94 // not legal to have domain cookies without an eTLD+1). This rule
95 // excludes cookies for, e.g, ".com", ".co.uk", or ".internalnetwork".
96 // This behavior is the same as the behavior in Firefox v 3.6.10.
98 // NOTE(deanm):
99 // I benchmarked hash_multimap vs multimap. We're going to be query-heavy
100 // so it would seem like hashing would help. However they were very
101 // close, with multimap being a tiny bit faster. I think this is because
102 // our map is at max around 1000 entries, and the additional complexity
103 // for the hashing might not overcome the O(log(1000)) for querying
104 // a multimap. Also, multimap is standard, another reason to use it.
105 // TODO(rdsmith): This benchmark should be re-done now that we're allowing
106 // subtantially more entries in the map.
110 // The store passed in should not have had Init() called on it yet. This
111 // class will take care of initializing it. The backing store is NOT owned by
112 // this class, but it must remain valid for the duration of the cookie
113 // monster's existence. If |store| is NULL, then no backing store will be
114 // updated. If |delegate| is non-NULL, it will be notified on
115 // creation/deletion of cookies.
118 // Only used during unit testing.
123 // Parses the string with the cookie time (very forgivingly).
126 // Helper function that adds all cookies from |list| into this instance.
132 // Sets a cookie given explicit user-provided cookie attributes. The cookie
133 // name, value, domain, etc. are each provided as separate strings. This
134 // function expects each attribute to be well-formed. It will check for
135 // disallowed characters (e.g. the ';' character is disallowed within the
136 // cookie value attribute) and will return false without setting the cookie
137 // if such characters are found.
148 // Returns all the cookies, for use in management UI, etc. This does not mark
149 // the cookies as having been accessed.
150 // The returned cookies are ordered by longest path, then by earliest
151 // creation date.
154 // Returns all the cookies, for use in management UI, etc. Filters results
155 // using given url scheme, host / domain and path and options. This does not
156 // mark the cookies as having been accessed.
157 // The returned cookies are ordered by longest path, then earliest
158 // creation date.
164 // Invokes GetAllCookiesForURLWithOptions with options set to include HTTP
165 // only cookies.
169 // Deletes all of the cookies.
172 // Deletes all cookies that match the host of the given URL
173 // regardless of path. This includes all http_only and secure cookies,
174 // but does not include any domain cookies that may apply to this host.
175 // Returns the number of cookies deleted.
179 // Deletes one specific cookie.
183 // Override the default list of schemes that are allowed to be set in
184 // this cookie store. Calling his overrides the value of
185 // "enable_file_scheme_".
186 // If this this method is called, it must be called before first use of
187 // the instance (i.e. as part of the instance initialization process).
190 // Instructs the cookie monster to not delete expired cookies. This is used
191 // in cases where the cookie monster is used as a data structure to keep
192 // arbitrary cookies.
195 // Delegates the call to set the |clear_local_store_on_exit_| flag of the
196 // PersistentStore if it exists.
199 // There are some unknowns about how to correctly handle file:// cookies,
200 // and our implementation for this is not robust enough. This allows you
201 // to enable support, but it should only be used for testing. Bug 1157243.
202 // Must be called before creating a CookieMonster instance.
205 // Flush the backing store (if any) to disk and post the given callback when
206 // done.
207 // WARNING: THE CALLBACK WILL RUN ON A RANDOM THREAD. IT MUST BE THREAD SAFE.
208 // It may be posted to the current thread, or it may run on the thread that
209 // actually does the flushing. Your Task should generally post a notification
210 // to the thread you actually want to be notified on.
213 // CookieStore implementation.
215 // Sets the cookies specified by |cookie_list| returned from |url|
216 // with options |options| in effect.
223 // Gets all cookies that apply to |url| given |options|.
224 // The returned cookies are ordered by longest path, then earliest
225 // creation date.
236 // Deletes all cookies with that might apply to |url| that has |cookie_name|.
241 // Deletes all of the cookies that have a creation_date greater than or equal
242 // to |delete_begin| and less than |delete_end|
243 // Returns the number of cookies that have been deleted.
253 // Enables writing session cookies into the cookie database. If this this
254 // method is called, it must be called before first use of the instance
255 // (i.e. as part of the instance initialization process).
258 // Protects session cookies from deletion on shutdown.
261 // Debugging method to perform various validation checks on the map.
262 // Currently just checking that there are no null CanonicalCookie pointers
263 // in the map.
264 // Argument |arg| is to allow retaining of arbitrary data if the CHECKs
265 // in the function trip. TODO(rdsmith):Remove hack.
268 // The default list of schemes the cookie monster can handle.
273 // For queueing the cookie monster calls.
288 // Testing support.
289 // For SetCookieWithCreationTime.
291 TestCookieDeleteAllCreatedBetweenTimestamps);
293 // For gargage collection constants.
299 // For validation of key values.
305 // For FindCookiesForKey.
308 // Internal reasons for deletion, used to populate informative histograms
309 // and to provide a public cause for onCookieChange notifications.
310 //
311 // If you add or remove causes from this list, please be sure to also update
312 // the Delegate::ChangeCause mapping inside ChangeCauseMapping. Moreover,
313 // these are used as array indexes, so avoid reordering to keep the
314 // histogram buckets consistent. New items (if necessary) should be added
315 // at the end of the list, just before DELETE_COOKIE_LAST_ENTRY.
318 DELETE_COOKIE_OVERWRITE,
319 DELETE_COOKIE_EXPIRED,
320 DELETE_COOKIE_EVICTED,
321 DELETE_COOKIE_DUPLICATE_IN_BACKING_STORE,
323 DELETE_COOKIE_EVICTED_DOMAIN,
324 DELETE_COOKIE_EVICTED_GLOBAL,
326 // Cookies evicted during domain level garbage collection that
327 // were accessed longer ago than kSafeFromGlobalPurgeDays
328 DELETE_COOKIE_EVICTED_DOMAIN_PRE_SAFE,
330 // Cookies evicted during domain level garbage collection that
331 // were accessed more recently than kSafeFromGlobalPurgeDays
332 // (and thus would have been preserved by global garbage collection).
333 DELETE_COOKIE_EVICTED_DOMAIN_POST_SAFE,
335 // A common idiom is to remove a cookie by overwriting it with an
336 // already-expired expiration date. This captures that case.
337 DELETE_COOKIE_EXPIRED_OVERWRITE,
339 DELETE_COOKIE_LAST_ENTRY
340 };
342 // Cookie garbage collection thresholds. Based off of the Mozilla defaults.
343 // When the number of cookies gets to k{Domain,}MaxCookies
344 // purge down to k{Domain,}MaxCookies - k{Domain,}PurgeCookies.
345 // It might seem scary to have a high purge value, but really it's not.
346 // You just make sure that you increase the max to cover the increase
347 // in purge, and we would have been purging the same amount of cookies.
348 // We're just going through the garbage collection process less often.
349 // Note that the DOMAIN values are per eTLD+1; see comment for the
350 // CookieMap typedef. So, e.g., the maximum number of cookies allowed for
351 // google.com and all of its subdomains will be 150-180.
352 //
353 // Any cookies accessed more recently than kSafeFromGlobalPurgeDays will not
354 // be evicted by global garbage collection, even if we have more than
355 // kMaxCookies. This does not affect domain garbage collection.
356 //
357 // Present in .h file to make accessible to tests through FRIEND_TEST.
358 // Actual definitions are in cookie_monster.cc.
364 // The number of days since last access that cookies will not be subject
365 // to global garbage collection.
368 // Record statistics every kRecordStatisticsIntervalSeconds of uptime.
373 // The following are synchronous calls to which the asynchronous methods
374 // delegate either immediately (if the store is loaded) or through a deferred
375 // task (if the store is not yet loaded).
420 // Called by all non-static functions to ensure that the cookies store has
421 // been initialized. This is not done during creating so it doesn't block
422 // the window showing.
423 // Note: this method should always be called with lock_ held.
430 }
432 }
433 }
435 // Initializes the backing store and reads existing cookies from it.
436 // Should only be called by InitIfNecessary().
439 // Stores cookies loaded from the backing store and invokes any deferred
440 // calls. |beginning_time| should be the moment PersistentCookieStore::Load
441 // was invoked and is used for reporting histogram_time_blocked_on_load_.
442 // See PersistentCookieStore::Load for details on the contents of cookies.
446 // Stores cookies loaded from the backing store and invokes the deferred
447 // task(s) pending loading of cookies associated with the domain key
448 // (eTLD+1). Called when all cookies for the domain key(eTLD+1) have been
449 // loaded from DB. See PersistentCookieStore::Load for details on the contents
450 // of cookies.
455 // Stores the loaded cookies.
458 // Invokes deferred calls.
461 // Checks that |cookies_| matches our invariants, and tries to repair any
462 // inconsistencies. (In other words, it does not have duplicate cookies).
465 // Checks for any duplicate cookies for CookieMap key |key| which lie between
466 // |begin| and |end|. If any are found, all but the most recent are deleted.
467 // Returns the number of duplicate cookies that were deleted.
486 // Delete any cookies that are equivalent to |ecc| (same path, domain, etc).
487 // If |skip_httponly| is true, httponly cookies will not be deleted. The
488 // return value with be true if |skip_httponly| skipped an httponly cookie.
489 // |key| is the key to find the cookie in cookies_; see the comment before
490 // the CookieMap typedef for details.
491 // NOTE: There should never be more than a single matching equivalent cookie.
497 // Takes ownership of *cc.
502 // Helper function that sets cookies with more control.
503 // Not exposed as we don't want callers to have the ability
504 // to specify (potentially duplicate) creation times.
510 // Helper function that sets a canonical cookie, deleting equivalents and
511 // performing garbage collection.
519 // |deletion_cause| argument is used for collecting statistics and choosing
520 // the correct Delegate::ChangeCause for OnCookieChanged notifications.
522 DeletionCause deletion_cause);
524 // If the number of cookies for CookieMap key |key|, or globally, are
525 // over the preset maximums above, garbage collect, first for the host and
526 // then globally. See comments above garbage collection threshold
527 // constants for details.
528 //
529 // Returns the number of cookies deleted (useful for debugging).
532 // Helper for GarbageCollect(); can be called directly as well. Deletes
533 // all expired cookies in |itpair|. If |cookie_its| is non-NULL, it is
534 // populated with all the non-expired cookies from |itpair|.
535 //
536 // Returns the number of cookies deleted.
541 // Helper for GarbageCollect(). Deletes all cookies in the list
542 // that were accessed before |keep_accessed_after|, using DeletionCause
543 // |cause|. If |keep_accessed_after| is null, deletes all cookies in the
544 // list. Returns the number of cookies deleted.
547 DeletionCause cause,
550 // Find the key (for lookup in cookies_) based on the given domain.
551 // See comment on keys before the CookieMap typedef.
556 // Statistics support
558 // This function should be called repeatedly, and will record
559 // statistics if a sufficient time period has passed.
562 // Initialize the above variables; should only be called from
563 // the constructor.
566 // The resolution of our time isn't enough, so we do something
567 // ugly and increment when we've seen the same time twice.
570 // Runs the task if, or defers the task until, the full cookie database is
571 // loaded.
574 // Runs the task if, or defers the task until, the cookies for the given URL
575 // are loaded.
579 // Histogram variables; see CookieMonster::InitializeHistograms() in
580 // cookie_monster.cc for details.
594 CookieMap cookies_;
596 // Indicates whether the cookie store has been initialized. This happens
597 // lazily in InitStoreIfNecessary().
600 // Indicates whether loading from the backend store is completed and
601 // calls may be immediately processed.
604 // List of domain keys that have been loaded from the DB.
607 // Map of domain keys to their associated task queues. These tasks are blocked
608 // until all cookies for the associated domain key eTLD+1 are loaded from the
609 // backend store.
611 tasks_queued_;
613 // Queues tasks that are blocked until all cookies are loaded from the backend
614 // store.
621 // Minimum delay after updating a cookie's LastAccessDate before we will
622 // update it again.
625 // Approximate date of access time of least recently accessed cookie
626 // in |cookies_|. Note that this is not guaranteed to be accurate, only a)
627 // to be before or equal to the actual time, and b) to be accurate
628 // immediately after a garbage collection that scans through all the cookies.
629 // This value is used to determine whether global garbage collection might
630 // find cookies to purge.
631 // Note: The default Time() constructor will create a value that compares
632 // earlier than any other time value, which is wanted. Thus this
633 // value is not initialized.
636 // During loading, holds the set of all loaded cookie creation times. Used to
637 // avoid ever letting cookies with duplicate creation times into the store;
638 // that way we don't have to worry about what sections of code are safe
639 // to call while it's in that state.
646 // Lock for thread-safety
657 };
662 // These constructors do no validation or canonicalization of their inputs;
663 // the resulting CanonicalCookies should not be relied on to be canonical
664 // unless the caller has done appropriate validation and canonicalization
665 // themselves.
682 // This constructor does canonicalization but not validation.
683 // The result of this constructor should not be relied on in contexts
684 // in which pre-validation of the ParsedCookie has not been done.
689 // Supports the default copy constructor.
691 // Creates a canonical cookie from parsed cookie.
692 // Canonicalizes and validates inputs. May return NULL if an attribute
693 // value is invalid.
697 // Creates a canonical cookie from unparsed attribute values.
698 // Canonicalizes and validates inputs. May return NULL if an attribute
699 // value is invalid.
733 }
735 // Are the cookies considered equivalent in the eyes of RFC 2965.
736 // The RFC says that name must match (case-sensitive), domain must
737 // match (case insensitive), and path must match (case sensitive).
738 // For the case insensitive domain compare, we rely on the domain
739 // having been canonicalized (in
740 // GetCookieDomainWithString->CanonicalizeHost).
742 // It seems like it would make sense to take secure and httponly into
743 // account, but the RFC doesn't specify this.
744 // NOTE: Keep this logic in-sync with TrimDuplicateCookiesForHost().
747 }
751 }
758 // Returns the cookie source when cookies are set for |url|. This function
759 // is public for unit test purposes only.
763 // Gives the session cookie an expiration time if needed
766 // The source member of a canonical cookie is the origin of the URL that tried
767 // to set this cookie, minus the port number if any. This field is not
768 // persistent though; its only used in the in-tab cookies dialog to show the
769 // user the source URL. This is used for both allowed and blocked cookies.
770 // When a CanonicalCookie is constructed from the backing store (common case)
771 // this field will be null. CanonicalCookie consumers should not rely on
772 // this field unless they guarantee that the creator of those
773 // CanonicalCookies properly initialized the field.
774 // TODO(abarth): We might need to make this field persistent for MAC cookies.
789 };
794 // The publicly relevant reasons a cookie might be changed.
796 // The cookie was changed directly by a consumer's action.
797 CHANGE_COOKIE_EXPLICIT,
798 // The cookie was automatically removed due to an insert operation that
799 // overwrote it.
800 CHANGE_COOKIE_OVERWRITE,
801 // The cookie was automatically removed as it expired.
802 CHANGE_COOKIE_EXPIRED,
803 // The cookie was automatically evicted during garbage collection.
804 CHANGE_COOKIE_EVICTED,
805 // The cookie was overwritten with an already-expired expiration date.
806 CHANGE_COOKIE_EXPIRED_OVERWRITE
807 };
809 // Will be called when a cookie is added or removed. The function is passed
810 // the respective |cookie| which was added to or removed from the cookies.
811 // If |removed| is true, the cookie was deleted, and |cause| will be set
812 // to the reason for its removal. If |removed| is false, the cookie was
813 // added, and |cause| will be set to CHANGE_COOKIE_EXPLICIT.
814 //
815 // As a special case, note that updating a cookie's properties is implemented
816 // as a two step process: the cookie to be updated is first removed entirely,
817 // generating a notification with cause CHANGE_COOKIE_OVERWRITE. Afterwards,
818 // a new cookie is written with the updated values, generating a notification
819 // with cause CHANGE_COOKIE_EXPLICIT.
826 };
833 // The maximum length of a cookie string we will try to parse
835 // The maximum number of Token/Value pairs. Shouldn't have more than 8.
838 // Construct from a cookie string like "BLAH=1; path=/; domain=.google.com"
842 // You should not call any other methods on the class if !IsValid
858 }
866 // Returns the number of attributes, for example, returning 2 for:
867 // "BLAH=hah; path=/; domain=.google.com"
870 // For debugging only!
873 // Returns an iterator pointing to the first terminator character found in
874 // the given string.
877 // Given iterators pointing to the beginning and end of a string segment,
878 // returns as output arguments token_start and token_end to the start and end
879 // positions of a cookie attribute token name parsed from the segment, and
880 // updates the segment iterator to point to the next segment to be parsed.
881 // If no token is found, the function returns false.
887 // Given iterators pointing to the beginning and end of a string segment,
888 // returns as output arguments value_start and value_end to the start and end
889 // positions of a cookie attribute value parsed from the segment, and updates
890 // the segment iterator to point to the next segment to be parsed.
896 // Same as the above functions, except the input is assumed to contain the
897 // desired token/value and nothing else.
911 PairList pairs_;
913 // These will default to 0, but that should never be valid since the
914 // 0th index is the user supplied token/value, not an attribute.
915 // We're really never going to have more than like 8 attributes, so we
916 // could fit these into 3 bits each if we're worried about size...
927 };
930 RefcountedPersistentCookieStore;
940 // Initializes the store and retrieves the existing cookies. This will be
941 // called only once at startup. The callback will return all the cookies
942 // that are not yet returned to CookieMonster by previous priority loads.
945 // Does a priority load of all cookies for the domain key (eTLD+1). The
946 // callback will return all the cookies that are not yet returned by previous
947 // loads, which includes cookies for the requested domain key if they are not
948 // already returned, plus all cookies that are chain-loaded and not yet
949 // returned to CookieMonster.
957 // Sets the value of the user preference whether the persistent storage
958 // must be deleted upon destruction.
961 // Flushes the store and posts |callback| when complete.
969 };
972 };