[Android] Implement cookies

[nucleartux]

No description provided.

[facebook-github-bot]

By analyzing the blame information on this pull request, we identified @mkonicek to be a potential reviewer.

[mkonicek]

How have you tested this? Can you extend an example in the UI Explorer showing how this works?

[nucleartux]

Do you have ideas how I can show how it works? In my project I tested this on authentication on internal site using fetch API.

[mkonicek]

Ideally you should come up with an exhaustive set of examples showing this implements the Same origin policy: https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

There should be an example in the UI Explorer demonstrating this, here are instructions on how to run it:
https://github.com/facebook/react-native/tree/master/Examples/UIExplorer

[ide]

Does SOP make sense here? What is the value of the origin?

[mkonicek]

I believe this is to fix #2792

Based the discussion there it looks like we should honor credentials: 'same-origin' in the fetch / XHR API like we do on iOS.

[nucleartux]

@mkonicek I added example, please review

[facebook-github-bot]

@nucleartux updated the pull request.

[mkonicek]

@ide I'm not sure I understand - in the browser, XHR respects the same origin policy, correct?
From https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy:

The same-origin policy controls interactions between two different origins, such as when you use XMLHttpRequest

@nucleartux Thanks for the example. I think we really need to demonstrate here that the implementation respects the same origin policy. I'm not sure CookiePolicy.ACCEPT_ALL does that. What does ACCEPT_ORIGINAL_SERVER do? http://docs.oracle.com/javase/7/docs/api/java/net/CookiePolicy.html

I think you'd need to send a request and get back cookies, then send another request to the same domain and demonstrate those cookies were sent as part of the second request.

Then you'd send a third request to a different domain (and ideally to a multiple of them) and demonstrate the cookies were not sent.

This should really be an integration test and we'll work on open sourcing those so you can add them, but an example would be a good start.

Note I'll be away for a week and will continue reviewing when I'm back.

[ide]

@mkonicek the same-origin policy compares the current page's origin with the origin of the request endpoint. If google.com does a fetch request to google.com, then credentials: 'same-origin' will include the google.com cookies. Also if google.com sends a fetch request to facebook.com, it will not send the facebook.com cookies unless credentials: 'include' is set. The other part of the SOP is that google.com cannot read the response from facebook.com unless special CORS headers are set.

Anyway, with RN the app doesn't have an origin, so I don't know what it means to enforce the SOP. There are just two settings: either send the cookies or don't. (maybe there's a third option of whether to send cookies if there's a 3xx redirect?)

[ide]

I think there may be some confusion -- when an XHR makes a request to facebook.com, it never should send the google.com cookies under any circumstance (this is separate from the SOP).

[facebook-github-bot]

@nucleartux updated the pull request.

[facebook-github-bot]

@nucleartux updated the pull request.

[nucleartux]

I have read RFCs and I think @mkonicek is right. Changed policy to more secure ACCEPT_ORIGINAL_SERVER.

[sooth-sayer]

+1

[facebook-github-bot]

@nucleartux updated the pull request.

[facebook-github-bot]

@nucleartux updated the pull request.

[mkonicek]

when an XHR makes a request to facebook.com, it never should send the google.com cookies under any circumstance (this is separate from the SOP).

Yes this is what I meant by "SOP", sorry about the confusion.

@nucleartux Can you verify this is the case? You mentioned:

Changed policy to more secure ACCEPT_ORIGINAL_SERVER.

But don't see this change.

[ide]

ACCEPT_ORIGINAL_SERVER sounds like it prevents Facebook.com from setting cookies for Google.com (also important!!).

I'm not sure if there is an explicit setting to tell the client to send only the Facebook.com cookies to Facebook.com. We should verify but the http client might always do that by default.

[nucleartux]

@mkonicek this is default policy

[lexs]

I've been working on this internally but I think we want to merge this just to have some support. As long as the policy is ACCEPT_ORIGINAL_SERVER CookieManager will behave as expected. The policy refers to that it accepts cookies where the domain in the cookie matches that of the request uri.

[lexs]

You can skip this field and just construct in inline. mClient.setCookieHandler(new CookieManager());

[facebook-github-bot]

@nucleartux updated the pull request.

[sooth-sayer]

Is there any chance that this PR would be in 0.15 release?

[ide]

@sooth-sayer it will likely go out with 0.16.

[mkonicek]

this is default policy

IMHO it's always better to be explicit, you clearly state the intention and defaults can change.

[mkonicek]

@lexs Thanks for reviewing this PR!

[facebook-github-bot]

@nucleartux updated the pull request.

[facebook-github-bot]

@nucleartux updated the pull request.

[CCoffie]

+1 - Any updates on the progress of this? I'm working on a project that requires the use of session to use the api. I would love to use react-native but without this feature it can't really be done.

[nicklockwood]

ping @mkonicek

[marcusroberts]

👍 another vote for this, as it's an instant show stopper when trying to run my iOS apps on Android as all are based on Rails API servers with cookie sessions.

[mkonicek]

Sorry for the delay - I have an update: @lexs started working on a different approach in the meantime - one that shares the cookies between okhttp and the Android WebView.

[lexs]

Closing this out as 274c5c7 just landed. Thanks for you effort @nucleartux. Hopefully this fixes your issue otherwise feel free to open another issue.

[ramilushev]

Will applying this fix mean that fetch will set cookies automatically?

[lexs]

@6i6arka For 274c5c7 yes. With this PR yes, but only in-memory.

[wdyfantasy]

is cookies can be used in android?