net/cookies/canonical_cookie_unittest.cc - Issue 11308272: Add IncludeForRequestURL method to CanonicalCookie

Side by Side Diff: net/cookies/canonical_cookie_unittest.cc

Issue 11308272: Add IncludeForRequestURL method to CanonicalCookie (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: s/IncludeForRequest/IncludeForRequestURL/ Created 8 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cookies/canonical_cookie.h"	5 #include "net/cookies/canonical_cookie.h"

6	6

7 #include "base/memory/scoped_ptr.h"	7 #include "base/memory/scoped_ptr.h"

8 #include "googleurl/src/gurl.h"	8 #include "googleurl/src/gurl.h"

9 #include "net/cookies/cookie_options.h"	9 #include "net/cookies/cookie_options.h"

10 #include "testing/gtest/include/gtest/gtest.h"	10 #include "testing/gtest/include/gtest/gtest.h"

(...skipping 232 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
243	243

244 cookie.reset(	244 cookie.reset(

245 CanonicalCookie::Create(GURL("http://www.example.com/test/foo.html"),	245 CanonicalCookie::Create(GURL("http://www.example.com/test/foo.html"),

246 "A=2", creation_time, options));	246 "A=2", creation_time, options));

247 EXPECT_FALSE(cookie->IsOnPath("/"));	247 EXPECT_FALSE(cookie->IsOnPath("/"));

248 EXPECT_TRUE(cookie->IsOnPath("/test"));	248 EXPECT_TRUE(cookie->IsOnPath("/test"));

249 EXPECT_TRUE(cookie->IsOnPath("/test/bar.html"));	249 EXPECT_TRUE(cookie->IsOnPath("/test/bar.html"));

250 EXPECT_TRUE(cookie->IsOnPath("/test/sample/bar.html"));	250 EXPECT_TRUE(cookie->IsOnPath("/test/sample/bar.html"));

251 }	251 }

252	252

	253 TEST(CanonicalCookieTest, IncludeForRequestURL) {

	254 GURL url("http://www.example.com");

	255 base::Time creation_time = base::Time::Now();

	256 CookieOptions options;

	257

	258 scoped_ptr<CanonicalCookie> cookie(

	259 CanonicalCookie::Create(url, "A=2", creation_time, options));

	260 EXPECT_TRUE(cookie->IncludeForRequestURL(url, options));

	261 EXPECT_TRUE(cookie->IncludeForRequestURL(

	262 GURL("http://www.example.com/foo/bar"), options));

	263 EXPECT_TRUE(cookie->IncludeForRequestURL(

	264 GURL("https://www.example.com/foo/bar"), options));

	265 EXPECT_FALSE(cookie->IncludeForRequestURL(GURL("https://sub.example.com"),

	266 options));
	erikwright (departed) 2012/12/05 19:43:36 indent (also further in this method). indent (also further in this method). markusheintz_ 2012/12/06 10:10:43 Done Sorry, I renamed the Include.. method and fo Show quoted text On 2012/12/05 19:43:36, erikwright wrote: > indent (also further in this method). Done Sorry, I renamed the Include.. method and forgot to fix the formatting.
	267 EXPECT_FALSE(cookie->IncludeForRequestURL(GURL("https://sub.www.example.com"),

	268 options));

	269

	270 // Test that cookie with a cookie path that does not match the url path are

	271 // not included.

	272 cookie.reset(CanonicalCookie::Create(url, "A=2; Path=/foo/bar", creation_time,
	erikwright (departed) 2012/12/05 19:43:36 is it legal to set a path that is not equal to or is it legal to set a path that is not equal to or a child of the origin URL? If not, this test is misleading (even if the test for that is done elsewhere). Also, if not, is it more consistent to do that in CanonicalCookie::Create? markusheintz_ 2012/12/06 10:10:43 The path of the URL "http://www.example.com" is "/ Show quoted text On 2012/12/05 19:43:36, erikwright wrote: > is it legal to set a path that is not equal to or a child of the origin URL? The path of the URL "http://www.example.com" is "/". So "/foo/bar/" should be a child of "/". Maybe I confuse something here. Anyway. Currently Chrome happily accepts such cookies. I tried it with some test server I quickly put together. Chrome even accepts cookies set by http://www.example.com/test1 that have the cookie path "Path=/foo/bar/blablabla" Section 5.2.4 "The Path Attribute" of RCF 6265 says: "If the attribute-name case-insensitively matches the string 'Path', the user agent MUST process the cookie-av as follows. If the attribute-value is empty or if the first character of the attribute-value is not %x2F ("/"): Let cookie-path be the default-path. Otherwise: Let cookie-path be the attribute-value. Append an attribute to the cookie-attribute-list with an attribute-name of Path and an attribute-value of cookie-path." Section 5.3 "Storage Model" of RFC 6265 says: "7. If the cookie-attribute-list contains an attribute with an attribute-name of "Path", set the cookie's path to attribute- value of the last attribute in the cookie-attribute-list with an attribute-name of "Path". Otherwise, set the cookie's path to the default-path of the request-uri." Step seven of the algorithm used for storing cookies does not require that the cookie path and the URL path must be related in any way. Please double check the algorithm Section 5.3 "Storage Model" of RFC 6265 just in case I missed someting. But I think this is a totally valid case. I probably should add a test case to the "CanonicalCookieTest.Create" test to document this. Show quoted text > If > not, this test is misleading (even if the test for that is done elsewhere). > > Also, if not, is it more consistent to do that in CanonicalCookie::Create? erikwright (departed) 2012/12/11 14:09:21 No, I was confused, I meant not a parent, but your Show quoted text On 2012/12/06 10:10:43, markusheintz_ wrote: > On 2012/12/05 19:43:36, erikwright wrote: > > is it legal to set a path that is not equal to or a child of the origin URL? > > The path of the URL "http://www.example.com" is "/". So "/foo/bar/" should be a > child of "/". Maybe I confuse something here. No, I was confused, I meant not a parent, but your response answers my intended question. Show quoted text > > Anyway. Currently Chrome happily accepts such cookies. I tried it with some test > server I quickly put together. > Chrome even accepts cookies set by http://www.example.com/test1 > that have the cookie path "Path=/foo/bar/blablabla" > > Section 5.2.4 "The Path Attribute" of RCF 6265 says: > > "If the attribute-name case-insensitively matches the string 'Path', the user > agent MUST process the cookie-av as follows. If the attribute-value is empty or > if the first character of the attribute-value is not %x2F ("/"): > Let cookie-path be the default-path. > Otherwise: > Let cookie-path be the attribute-value. > Append an attribute to the cookie-attribute-list with an attribute-name of > Path and an attribute-value of cookie-path." > > > Section 5.3 "Storage Model" of RFC 6265 says: > > "7. If the cookie-attribute-list contains an attribute with an attribute-name of > "Path", set the cookie's path to attribute- value of the last attribute > in the cookie-attribute-list with an attribute-name of "Path". Otherwise, set > the cookie's path to the default-path of the request-uri." > > Step seven of the algorithm used for storing cookies does not require that the > cookie path and the URL path must be related in any way. > > Please double check the algorithm Section 5.3 "Storage Model" of RFC 6265 just > in case I missed someting. But I think this is a totally valid case. > > I probably should add a test case to the "CanonicalCookieTest.Create" test to > document this. > > > > > If > > not, this test is misleading (even if the test for that is done elsewhere). > > > > Also, if not, is it more consistent to do that in CanonicalCookie::Create? >
	273 options));

	274 EXPECT_FALSE(cookie->IncludeForRequestURL(url, options));

	275 EXPECT_TRUE(cookie->IncludeForRequestURL(

	276 GURL("http://www.example.com/foo/bar/index.html"), options));

	277

	278 // Test that a secure cookie is not included for a non secure URL.

	279 GURL secure_url("https://www.example.com");

	280 cookie.reset(CanonicalCookie::Create(secure_url, "A=2; Secure", creation_time,
	erikwright (departed) 2012/12/05 19:43:36 Same question. Presumably insecure URLs can't set Same question. Presumably insecure URLs can't set secure cookies - if that's right, can you confirm where the logic for that currently lives and whether it's consistent with your changes? markusheintz_ 2012/12/06 10:10:43 The way I read the spec is: It is possible to set Show quoted text On 2012/12/05 19:43:36, erikwright wrote: > Same question. Presumably insecure URLs can't set secure cookies - if that's > right, can you confirm where the logic for that currently lives and whether it's > consistent with your changes? The way I read the spec is: It is possible to set secure cookies by insecure URLs (See 8. of Section 5.3 of RFC 2656 ). I also verified that Chrome currently allows that. I should actually add a test case for this if I already haven't.
	281 options));

	282 EXPECT_TRUE(cookie->IsSecure());

	283 EXPECT_TRUE(cookie->IncludeForRequestURL(secure_url, options));

	284 EXPECT_FALSE(cookie->IncludeForRequestURL(url, options));

	285

	286 // Test that http only cookies are only inlucded if the include httponly flag
	erikwright (departed) 2012/12/05 19:43:36 inlucded (typo) inlucded (typo) markusheintz_ 2012/12/06 10:10:43 Done. Show quoted text On 2012/12/05 19:43:36, erikwright wrote: > inlucded (typo) Done.
	287 // is set on the cookie options.

	288 options.set_include_httponly();

	289 cookie.reset(

	290 CanonicalCookie::Create(url, "A=2; HttpOnly", creation_time, options));
	erikwright (departed) 2012/12/05 19:43:36 Same question about the options - do we use the op Same question about the options - do we use the options to prevent an HttpOnly cookie from being set by Javascript, and if so, is that prevention occurring in the correct place? markusheintz_ 2012/12/06 10:10:43 Yes we use the options to prevent an HttpOnly cook Show quoted text On 2012/12/05 19:43:36, erikwright wrote: > Same question about the options - do we use the options to prevent an HttpOnly > cookie from being set by Javascript, and if so, is that prevention occurring in > the correct place? Yes we use the options to prevent an HttpOnly cookie from being set or read by JavaScript. By default http only cookies are not included (see net/cookies/cookie_option.*). For Cookies set by JavaScript the code path goes through src/content/browser/render_host/render_message_filter.cc:515. In src/net/url_request/url_request_http_job.cc:627-629 we set cookies received via http requests and user a CookieOptions object with the include httponly flag set to true (see line 611). So I think this check is happening in the right place because otherwise we have no way to check inside the CookieStore or CanonicalCookie through which code path a cookie was set.
	291 EXPECT_TRUE(cookie->IsHttpOnly());

	292 EXPECT_TRUE(cookie->IncludeForRequestURL(url, options));

	293 options.set_exclude_httponly();

	294 EXPECT_FALSE(cookie->IncludeForRequestURL(url, options));

	295 }

	296

253 } // namespace net	297 } // namespace net

OLD	NEW

« net/cookies/canonical_cookie.cc ('K') | « net/cookies/canonical_cookie.cc ('k') | net/cookies/cookie_monster.cc » ('j') | no next file with comments »