Loosen strict 'Secure' checks for non-overlapping paths.

net/cookies/canonical_cookie_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cookies/canonical_cookie.h"
 
 #include <memory>
 
 #include "base/test/histogram_tester.h"
 #include "net/cookies/cookie_constants.h"
@@ skipping 153 matching lines @@
   EXPECT_FALSE(cookie->IsPersistent());
   EXPECT_FALSE(cookie->IsExpired(creation_time));
   EXPECT_EQ(base::Time(), cookie->ExpiryDate());
 }
 
 TEST(CanonicalCookieTest, IsEquivalent) {
   GURL url("http://www.example.com/");
   std::string cookie_name = "A";
   std::string cookie_value = "2EDA-EF";
   std::string cookie_domain = ".www.example.com";
-  std::string cookie_path = "/";
+  std::string cookie_path = "/path";
   base::Time creation_time = base::Time::Now();
   base::Time expiration_time = creation_time + base::TimeDelta::FromDays(2);
   bool secure(false);
   bool httponly(false);
   CookieSameSite same_site(CookieSameSite::NO_RESTRICTION);
 
   // Test that a cookie is equivalent to itself.
   std::unique_ptr<CanonicalCookie> cookie(CanonicalCookie::Create(
       url, cookie_name, cookie_value, cookie_domain, cookie_path, creation_time,
       expiration_time, secure, httponly, same_site, false,
       COOKIE_PRIORITY_MEDIUM));
   EXPECT_TRUE(cookie->IsEquivalent(*cookie));
+  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*cookie));
 
   // Test that two identical cookies are equivalent.
   std::unique_ptr<CanonicalCookie> other_cookie(CanonicalCookie::Create(
       url, cookie_name, cookie_value, cookie_domain, cookie_path, creation_time,
       expiration_time, secure, httponly, same_site, false,
       COOKIE_PRIORITY_MEDIUM));
   EXPECT_TRUE(cookie->IsEquivalent(*other_cookie));
+  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
 
   // Tests that use different variations of attribute values that
   // DON'T affect cookie equivalence.
   other_cookie =
       CanonicalCookie::Create(url, cookie_name, "2", cookie_domain, cookie_path,
                               creation_time, expiration_time, secure, httponly,
                               same_site, false, COOKIE_PRIORITY_HIGH);
   EXPECT_TRUE(cookie->IsEquivalent(*other_cookie));
+  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
 
   base::Time other_creation_time =
       creation_time + base::TimeDelta::FromMinutes(2);
   other_cookie = CanonicalCookie::Create(
       url, cookie_name, "2", cookie_domain, cookie_path, other_creation_time,
       expiration_time, secure, httponly, same_site, false,
       COOKIE_PRIORITY_MEDIUM);
   EXPECT_TRUE(cookie->IsEquivalent(*other_cookie));
+  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
 
   other_cookie = CanonicalCookie::Create(
       url, cookie_name, cookie_name, cookie_domain, cookie_path, creation_time,
       expiration_time, true, httponly, same_site, false, COOKIE_PRIORITY_LOW);
   EXPECT_TRUE(cookie->IsEquivalent(*other_cookie));
+  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
 
   other_cookie = CanonicalCookie::Create(
       url, cookie_name, cookie_name, cookie_domain, cookie_path, creation_time,
       expiration_time, secure, true, same_site, false, COOKIE_PRIORITY_LOW);
   EXPECT_TRUE(cookie->IsEquivalent(*other_cookie));
+  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
 
   other_cookie = CanonicalCookie::Create(
       url, cookie_name, cookie_name, cookie_domain, cookie_path, creation_time,
       expiration_time, secure, httponly, CookieSameSite::STRICT_MODE, false,
       COOKIE_PRIORITY_LOW);
   EXPECT_TRUE(cookie->IsEquivalent(*other_cookie));
+  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
 
-  // Tests that use different variations of attribute values that
-  // DO affect cookie equivalence.
+  // Cookies whose names mismatch are not equivalent.
   other_cookie = CanonicalCookie::Create(
       url, "B", cookie_value, cookie_domain, cookie_path, creation_time,
       expiration_time, secure, httponly, same_site, false,
       COOKIE_PRIORITY_MEDIUM);
   EXPECT_FALSE(cookie->IsEquivalent(*other_cookie));
+  EXPECT_FALSE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
 
+  // A domain cookie at 'www.example.com' is not equivalent to a host cookie
+  // at the same domain. These are, however, equivalent according to the laxer
+  // rules of 'IsEquivalentForSecureCookieMatching'.
   other_cookie = CanonicalCookie::Create(
       url, cookie_name, cookie_value, std::string(), cookie_path, creation_time,
       expiration_time, secure, httponly, same_site, false,
       COOKIE_PRIORITY_MEDIUM);
   EXPECT_TRUE(cookie->IsDomainCookie());
   EXPECT_FALSE(other_cookie->IsDomainCookie());
   EXPECT_FALSE(cookie->IsEquivalent(*other_cookie));
+  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));

[jww, 2016/09/06 22:45:10]

nit: In a few of these cases, it's probably worth doing the inverse comparison
as well, to validate the asymmetry of the function, i.e.:
EXPECT_FALSE(other_cookie->IsEquivalentForSecureCookieMatching(cookie));

 
+  // Likewise, a cookie on 'example.com' is not equivalent to a cookie on
+  // 'www.example.com', but they are equivalent for secure cookie matching.
   other_cookie = CanonicalCookie::Create(
       url, cookie_name, cookie_value, ".example.com", cookie_path,
       creation_time, expiration_time, secure, httponly, same_site, false,
       COOKIE_PRIORITY_MEDIUM);
   EXPECT_FALSE(cookie->IsEquivalent(*other_cookie));
+  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
 
+  // Paths are a bit more complicated. 'IsEquivalent' requires an exact path
+  // match, while secure cookie matching uses a more relaxed 'IsOnPath' check.
+  // That is, |cookie| set on '/path' is not equivalent in either way to
+  // |other_cookie| set on '/test' or '/path/subpath'. It is, however,
+  // equivalent for secure cookie matching to |other_cookie| set on '/'.
   other_cookie = CanonicalCookie::Create(
-      url, cookie_name, cookie_value, cookie_domain, "/test/0", creation_time,
+      url, cookie_name, cookie_value, cookie_domain, "/test", creation_time,
       expiration_time, secure, httponly, same_site, false,
       COOKIE_PRIORITY_MEDIUM);
   EXPECT_FALSE(cookie->IsEquivalent(*other_cookie));
-}
+  EXPECT_FALSE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
 
-TEST(CanonicalCookieTest, IsEquivalentForSecureCookieMatching) {
-  GURL url("http://www.example.com/");
-  std::string cookie_name = "A";
-  std::string cookie_value = "2EDA-EF";
-  std::string cookie_domain = ".www.example.com";
-  std::string cookie_path = "/";
-  base::Time creation_time = base::Time::Now();
-  base::Time expiration_time = creation_time + base::TimeDelta::FromDays(2);
-  bool secure(false);
-  bool httponly(false);
-  CookieSameSite same_site(CookieSameSite::NO_RESTRICTION);
+  other_cookie = CanonicalCookie::Create(
+      url, cookie_name, cookie_value, cookie_domain, cookie_path + "/subpath",
+      creation_time, expiration_time, secure, httponly, same_site, false,
+      COOKIE_PRIORITY_MEDIUM);
+  EXPECT_FALSE(cookie->IsEquivalent(*other_cookie));
+  EXPECT_FALSE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
 
-  // Test that a cookie is equivalent to itself.
-  std::unique_ptr<CanonicalCookie> cookie(CanonicalCookie::Create(
-      url, cookie_name, cookie_value, cookie_domain, cookie_path, creation_time,
-      expiration_time, secure, httponly, same_site, false,
-      COOKIE_PRIORITY_MEDIUM));
-  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*cookie));
-
-  // Test that two identical cookies are equivalent.
-  std::unique_ptr<CanonicalCookie> other_cookie(CanonicalCookie::Create(
-      url, cookie_name, cookie_value, cookie_domain, cookie_path, creation_time,
-      expiration_time, secure, httponly, same_site, false,
-      COOKIE_PRIORITY_MEDIUM));
-  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
-
-  // Tests that use different variations of attribute values that
-  // DON'T affect cookie equivalence. Differs from the IsEquivalent tests above
-  // as follows:
-  //    * Should return true even if paths differ.
-  //    * Should return true if the domains "domain-match" (but are not
-  //      identical).
-  other_cookie =
-      CanonicalCookie::Create(url, cookie_name, "2", cookie_domain, cookie_path,
-                              creation_time, expiration_time, secure, httponly,
-                              same_site, false, COOKIE_PRIORITY_HIGH);
-  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
-
-  base::Time other_creation_time =
-      creation_time + base::TimeDelta::FromMinutes(2);
   other_cookie = CanonicalCookie::Create(
-      url, cookie_name, "2", cookie_domain, cookie_path, other_creation_time,
+      url, cookie_name, cookie_value, cookie_domain, "/", creation_time,
       expiration_time, secure, httponly, same_site, false,
       COOKIE_PRIORITY_MEDIUM);
+  EXPECT_FALSE(cookie->IsEquivalent(*other_cookie));
   EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
-
-  other_cookie = CanonicalCookie::Create(
-      url, cookie_name, cookie_name, cookie_domain, cookie_path, creation_time,
-      expiration_time, true, httponly, same_site, false, COOKIE_PRIORITY_LOW);
-  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
-
-  other_cookie = CanonicalCookie::Create(
-      url, cookie_name, cookie_name, cookie_domain, cookie_path, creation_time,
-      expiration_time, secure, true, same_site, false, COOKIE_PRIORITY_LOW);
-  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
-
-  other_cookie = CanonicalCookie::Create(
-      url, cookie_name, cookie_name, cookie_domain, cookie_path, creation_time,
-      expiration_time, secure, httponly, CookieSameSite::STRICT_MODE, false,
-      COOKIE_PRIORITY_LOW);
-  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
-
-  // The following 3 tests' expected results differ from their IsEquivalent
-  // counterparts above.
-  other_cookie = CanonicalCookie::Create(
-      url, cookie_name, cookie_value, cookie_domain, "/test/0", creation_time,
-      expiration_time, secure, httponly, same_site, false,
-      COOKIE_PRIORITY_MEDIUM);
-  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
-
-  other_cookie = CanonicalCookie::Create(
-      url, cookie_name, cookie_value, std::string(), cookie_path, creation_time,
-      expiration_time, secure, httponly, same_site, false,
-      COOKIE_PRIORITY_MEDIUM);
-  EXPECT_TRUE(cookie->IsDomainCookie());
-  EXPECT_FALSE(other_cookie->IsDomainCookie());
-  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
-
-  other_cookie = CanonicalCookie::Create(
-      url, cookie_name, cookie_value, ".example.com", cookie_path,
-      creation_time, expiration_time, secure, httponly, same_site, false,
-      COOKIE_PRIORITY_MEDIUM);
-  EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
-
-  // Tests that use different variations of attribute values that
-  // DO affect cookie equivalence. Note that unlike the IsEquivalent tests
-  // above, this does *not* include tests for differing paths or domains that
-  // "domain-match".
-  other_cookie = CanonicalCookie::Create(
-      url, "B", cookie_value, cookie_domain, cookie_path, creation_time,
-      expiration_time, secure, httponly, same_site, false,
-      COOKIE_PRIORITY_MEDIUM);
-  EXPECT_FALSE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie));
 }
 
 TEST(CanonicalCookieTest, IsDomainMatch) {
   GURL url("http://www.example.com/test/foo.html");
   base::Time creation_time = base::Time::Now();
   CookieOptions options;
 
   std::unique_ptr<CanonicalCookie> cookie(
       CanonicalCookie::Create(url, "A=2", creation_time, options));
   EXPECT_TRUE(cookie->IsHostCookie());
@@ skipping 349 matching lines @@
                                CanonicalCookie::COOKIE_PREFIX_SECURE, 1);
   EXPECT_TRUE(CanonicalCookie::Create(https_url, "__SecureA=B; Path=/; Secure",
                                       creation_time, options));
   histograms.ExpectBucketCount(kCookiePrefixHistogram,
                                CanonicalCookie::COOKIE_PREFIX_SECURE, 2);
   histograms.ExpectBucketCount(kCookiePrefixBlockedHistogram,
                                CanonicalCookie::COOKIE_PREFIX_SECURE, 1);
 }
 
 }  // namespace net