Implement $Secure- cookie prefix

net/url_request/url_request_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "build/build_config.h"
 
 #if defined(OS_WIN)
 #include <windows.h>
 #include <shlobj.h>
 #endif
@@ skipping 644 matching lines @@
   }
 
   const GURL& latest_report_uri() { return latest_report_uri_; }
   const std::string& latest_report() { return latest_report_; }
 
  private:
   GURL latest_report_uri_;
   std::string latest_report_;
 };
 
+class TestExperimentalFeaturesNetworkDelegate : public TestNetworkDelegate {
+ public:
+  bool OnExperimentalFeaturesEnabled() const override { return true; }
+};
+
+void CheckCookiePresence(const std::string& cookie_name,
+                         const base::Closure& callback,
+                         const CookieList& cookie_list) {
+  bool found = false;
+  for (const auto& cookie : cookie_list) {
+    if (cookie.Name() == cookie_name) {
+      found = true;
+      break;
+    }
+  }
+  EXPECT_TRUE(found);
+  callback.Run();
+}
+
 }  // namespace
 
 // Inherit PlatformTest since we require the autorelease pool on Mac OS X.
 class URLRequestTest : public PlatformTest {
  public:
   URLRequestTest() : default_context_(true) {
     default_context_.set_network_delegate(&default_network_delegate_);
     default_context_.set_net_log(&net_log_);
     job_factory_impl_ = new URLRequestJobFactoryImpl();
     job_factory_.reset(job_factory_impl_);
@@ skipping 8827 matching lines @@
   AddTestInterceptor()->set_main_intercept_job(job);
 
   req->Start();
   req->Cancel();
   job->DetachRequest();
   base::RunLoop().RunUntilIdle();
   EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status());
   EXPECT_EQ(0, d.received_redirect_count());
 }
 
+TEST_F(URLRequestTest, SecureCookiePrefix) {
+  LocalHttpTestServer test_server;
+  ASSERT_TRUE(test_server.Start());
+
+  // Without experimental features, there should be no restrictions on
+  // $Secure- cookies.
+  {
+    TestNetworkDelegate network_delegate;
+    default_context_.set_network_delegate(&network_delegate);
+    TestDelegate d;
+    scoped_ptr<URLRequest> req(default_context_.CreateRequest(
+        test_server.GetURL("set-cookie?$Secure-not-experimental=1"),
+        DEFAULT_PRIORITY, &d));
+    req->Start();
+    base::RunLoop().Run();
+    EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
+    EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
+  }
+
+  // Verify that the cookie is set.
+  {
+    TestNetworkDelegate network_delegate;
+    default_context_.set_network_delegate(&network_delegate);
+    TestDelegate d;
+    scoped_ptr<URLRequest> req(default_context_.CreateRequest(
+        test_server.GetURL("echoheader?Cookie"), DEFAULT_PRIORITY, &d));
+    req->Start();
+    base::RunLoop().Run();
+
+    EXPECT_TRUE(d.data_received().find("$Secure-not-experimental=1") !=
+                std::string::npos);
+    EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
+    EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
+  }
+
+  // Try to set a non-Secure $Secure- cookie, with experimental features
+  // enabled.
+  {
+    TestExperimentalFeaturesNetworkDelegate network_delegate;

[Mike West, 2015/10/09 15:41:33]

This is better than what I did with the FPO cookie tests. Thanks!

+    default_context_.set_network_delegate(&network_delegate);
+    TestDelegate d;
+    scoped_ptr<URLRequest> req(default_context_.CreateRequest(
+        test_server.GetURL("set-cookie?$Secure-foo=1"), DEFAULT_PRIORITY, &d));
+    req->Start();
+    base::RunLoop().Run();
+    EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
+    EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
+  }
+
+  // Verify that the cookie is not set.
+  {
+    TestExperimentalFeaturesNetworkDelegate network_delegate;
+    default_context_.set_network_delegate(&network_delegate);
+    TestDelegate d;
+    scoped_ptr<URLRequest> req(default_context_.CreateRequest(
+        test_server.GetURL("echoheader?Cookie"), DEFAULT_PRIORITY, &d));
+    req->Start();
+    base::RunLoop().Run();
+
+    EXPECT_TRUE(d.data_received().find("$Secure-foo=1") == std::string::npos);
+    EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
+    EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
+  }
+
+  // Try to set a Secure $Secure- cookie, with experimental features
+  // enabled.
+  {
+    TestExperimentalFeaturesNetworkDelegate network_delegate;
+    default_context_.set_network_delegate(&network_delegate);
+    TestDelegate d;
+    scoped_ptr<URLRequest> req(default_context_.CreateRequest(
+        test_server.GetURL("set-cookie?$Secure-bar=1;Secure"), DEFAULT_PRIORITY,
+        &d));
+    req->Start();
+    base::RunLoop().Run();
+    EXPECT_EQ(0, network_delegate.blocked_get_cookies_count());
+    EXPECT_EQ(0, network_delegate.blocked_set_cookie_count());
+
+    // Verify that the cookie is set. Cannot be done via a request
+    // because the request would not be secure and so the cookie would
+    // not be sent.

[Mike West, 2015/10/09 15:41:33]

You can spawn an HTTPS test server. Take a look at URLRequestTestReferrerPolicy
for an example. Or URLRequestTestHTTP tests.

[estark, 2015/10/10 05:04:02]

Done.

+    GURL http_url = test_server.GetURL("echoheader?Cookie");
+    GURL::Replacements replace_scheme;
+    replace_scheme.SetSchemeStr("https");
+    GURL https_url = http_url.ReplaceComponents(replace_scheme);
+    base::RunLoop run_loop;
+    default_context_.cookie_store()->GetAllCookiesForURLAsync(
+        https_url, base::Bind(&CheckCookiePresence, "$Secure-bar",
+                              run_loop.QuitClosure()));
+    run_loop.Run();
+  }
+}
+
 }  // namespace net