Update cookie value and attribute setting behavior to match other UAs

net/cookies/cookie_store_unittest.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_COOKIES_COOKIE_STORE_UNITTEST_H_
 #define NET_COOKIES_COOKIE_STORE_UNITTEST_H_
 
 #include <set>
 #include <string>
 #include <vector>
@@ skipping 447 matching lines @@
   EXPECT_FALSE(it->IsPersistent());
   // Some CookieStores don't store last access date.
   if (!it->LastAccessDate().is_null())
     EXPECT_EQ(it->CreationDate(), it->LastAccessDate());
   EXPECT_TRUE(it->IsSecure());
   EXPECT_FALSE(it->IsHttpOnly());
 
   EXPECT_TRUE(++it == cookies.end());
 }
 
+TYPED_TEST_P(CookieStoreTest, EmptyKeyTest) {
+  CookieStore* cs = this->GetCookieStore();
+
+  GURL url1("http://foo1.bar.com");
+  EXPECT_TRUE(this->SetCookie(cs, url1, "foo"));
+  EXPECT_EQ("foo", this->GetCookies(cs, url1));
+
+  // Regression tests for https://crbug.com/601786
+  GURL url2("http://foo2.bar.com");
+  EXPECT_TRUE(this->SetCookie(cs, url2, "foo"));
+  EXPECT_TRUE(this->SetCookie(cs, url2, "\t"));
+  EXPECT_EQ("", this->GetCookies(cs, url2));
+
+  GURL url3("http://foo3.bar.com");
+  EXPECT_TRUE(this->SetCookie(cs, url3, "foo"));
+  EXPECT_TRUE(this->SetCookie(cs, url3, "="));
+  EXPECT_EQ("", this->GetCookies(cs, url3));
+
+  GURL url4("http://foo4.bar.com");
+  EXPECT_TRUE(this->SetCookie(cs, url4, "foo"));
+  EXPECT_TRUE(this->SetCookie(cs, url4, ""));
+  EXPECT_EQ("", this->GetCookies(cs, url4));
+
+  GURL url5("http://foo5.bar.com");
+  EXPECT_TRUE(this->SetCookie(cs, url5, "foo"));
+  EXPECT_TRUE(this->SetCookie(cs, url5, "; bar"));
+  EXPECT_EQ("", this->GetCookies(cs, url5));
+
+  GURL url6("http://foo6.bar.com");
+  EXPECT_TRUE(this->SetCookie(cs, url6, "foo"));
+  EXPECT_TRUE(this->SetCookie(cs, url6, " "));
+  EXPECT_EQ("", this->GetCookies(cs, url6));
+}
+
 TYPED_TEST_P(CookieStoreTest, DomainTest) {
   CookieStore* cs = this->GetCookieStore();
   EXPECT_TRUE(this->SetCookie(cs, this->http_www_google_.url(), "A=B"));
   this->MatchCookieLines("A=B",
                          this->GetCookies(cs, this->http_www_google_.url()));
   EXPECT_TRUE(
       this->SetCookie(cs, this->http_www_google_.url(),
                       this->http_www_google_.Format("C=D; domain=.%D")));
   this->MatchCookieLines("A=B; C=D",
                          this->GetCookies(cs, this->http_www_google_.url()));
@@ skipping 77 matching lines @@
 
 // Test that setting a cookie which specifies an invalid domain has
 // no side-effect. An invalid domain in this context is one which does
 // not match the originating domain.
 TYPED_TEST_P(CookieStoreTest, InvalidDomainTest) {
   CookieStore* cs = this->GetCookieStore();
   GURL url_foobar("http://foo.bar.com");
 
   // More specific sub-domain than allowed.
   EXPECT_FALSE(this->SetCookie(cs, url_foobar, "a=1; domain=.yo.foo.bar.com"));
+  // Regression test for https://crbug.com/601786
+  EXPECT_FALSE(
+      this->SetCookie(cs, url_foobar, "a=1; domain=.yo.foo.bar.com; domain="));

[mmenke, 2016/08/15 21:11:03]

Why does this fail?  Aren't we ignoring the "domain=" at the end?

[jww, 2016/08/16 02:24:23]

No, that's part of the issue and difference in behavior that we're changing. We
had been treating this as setting the domain attribute to an empty value, so it
used to succeed. Now, with my changes, the empty domain attribute will be
ignored, so the first one will take precedence, and has an invalid value.

[mmenke, 2016/08/16 15:06:46]

Oh, I missed that the previous line was also EXPECT_FALSE (I had thought it was
EXPECT_TRUE, which was confusing me).

 
   EXPECT_FALSE(this->SetCookie(cs, url_foobar, "b=2; domain=.foo.com"));
   EXPECT_FALSE(this->SetCookie(cs, url_foobar, "c=3; domain=.bar.foo.com"));
 
   // Different TLD, but the rest is a substring.
   EXPECT_FALSE(this->SetCookie(cs, url_foobar, "d=4; domain=.foo.bar.com.net"));
 
   // A substring that isn't really a parent domain.
   EXPECT_FALSE(this->SetCookie(cs, url_foobar, "e=5; domain=ar.com"));
 
@@ skipping 792 matching lines @@
   this->MatchCookieLines("A=B; C=D",
                          this->GetCookies(cs, this->http_www_google_.url()));
   // Delete the session cookie.
   this->DeleteSessionCookies(cs);
   // Check that the session cookie has been deleted but not the persistent one.
   EXPECT_EQ("C=D", this->GetCookies(cs, this->http_www_google_.url()));
 }
 
 REGISTER_TYPED_TEST_CASE_P(CookieStoreTest,
                            SetCookieWithDetailsAsync,
+                           EmptyKeyTest,
                            DomainTest,
                            DomainWithTrailingDotTest,
                            ValidSubdomainTest,
                            InvalidDomainTest,
                            InvalidDomainSameDomainAndRegistry,
                            DomainWithoutLeadingDotParentDomain,
                            DomainWithoutLeadingDotSameDomain,
                            CaseInsensitiveDomainTest,
                            TestIpAddress,
                            TestIpAddressNoDomainCookies,
@@ skipping 19 matching lines @@
                            OverwritePersistentCookie,
                            CookieOrdering,
                            GetAllCookiesAsync,
                            DeleteCookieAsync,
                            DeleteCanonicalCookieAsync,
                            DeleteSessionCookie);
 
 }  // namespace net
 
 #endif  // NET_COOKIES_COOKIE_STORE_UNITTEST_H_