| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cookies/cookie_monster.h" | 5 #include "net/cookies/cookie_monster.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <memory> | 8 #include <memory> |
| 9 #include <string> | 9 #include <string> |
| 10 #include <vector> | 10 #include <vector> |
| (...skipping 3052 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3063 // secure cookie with the same name already exists, do not update the cookie. | 3063 // secure cookie with the same name already exists, do not update the cookie. |
| 3064 EXPECT_TRUE(SetCookie(cm.get(), https_url, "A=B; Secure")); | 3064 EXPECT_TRUE(SetCookie(cm.get(), https_url, "A=B; Secure")); |
| 3065 EXPECT_FALSE(SetCookie(cm.get(), http_url, "A=C;")); | 3065 EXPECT_FALSE(SetCookie(cm.get(), http_url, "A=C;")); |
| 3066 | 3066 |
| 3067 // If a non-secure cookie is created from a URL with an secure scheme, and a | 3067 // If a non-secure cookie is created from a URL with an secure scheme, and a |
| 3068 // secure cookie with the same name already exists, update the cookie. | 3068 // secure cookie with the same name already exists, update the cookie. |
| 3069 EXPECT_TRUE(SetCookie(cm.get(), https_url, "A=B; Secure")); | 3069 EXPECT_TRUE(SetCookie(cm.get(), https_url, "A=B; Secure")); |
| 3070 EXPECT_TRUE(SetCookie(cm.get(), https_url, "A=C;")); | 3070 EXPECT_TRUE(SetCookie(cm.get(), https_url, "A=C;")); |
| 3071 | 3071 |
| 3072 // If a non-secure cookie is created from a URL with an insecure scheme, and | 3072 // If a non-secure cookie is created from a URL with an insecure scheme, and |
| 3073 // a secure cookie with the same name already exists, no matter what the path | 3073 // a secure cookie with the same name already exists, do not update the cookie |
| 3074 // is, do not update the cookie. | 3074 // if the new cookie's path matches the existing cookie's path. |
| 3075 // |
| 3076 // With an existing cookie whose path is '/', a cookie with the same name |
| 3077 // cannot be set on the same domain, regardless of path: |
| 3075 EXPECT_TRUE(SetCookie(cm.get(), https_url, "A=B; Secure")); | 3078 EXPECT_TRUE(SetCookie(cm.get(), https_url, "A=B; Secure")); |
| 3076 EXPECT_FALSE(SetCookie(cm.get(), http_url, "A=C; path=/")); | 3079 EXPECT_FALSE(SetCookie(cm.get(), http_url, "A=C; path=/")); |
| 3077 EXPECT_FALSE(SetCookie(cm.get(), http_url, "A=C; path=/my/path")); | 3080 EXPECT_FALSE(SetCookie(cm.get(), http_url, "A=C; path=/my/path")); |
| 3078 | 3081 |
| 3079 EXPECT_TRUE(SetCookie(cm.get(), https_url, "A=B; Secure; path=/my/path")); | 3082 // But if the existing cookie has a path somewhere under the root, cookies |
| 3080 EXPECT_FALSE(SetCookie(cm.get(), http_url, "A=C")); | 3083 // with the same name may be set for paths which don't overlap the existing |
| 3081 EXPECT_FALSE(SetCookie(cm.get(), http_url, "A=C; path=/")); | 3084 // cookie. |
| 3082 EXPECT_FALSE(SetCookie(cm.get(), http_url, "A=C; path=/my/path")); | 3085 EXPECT_TRUE( |
| 3086 SetCookie(cm.get(), https_url, "WITH_PATH=B; Secure; path=/my/path")); |
| 3087 EXPECT_TRUE(SetCookie(cm.get(), http_url, "WITH_PATH=C")); |
| 3088 EXPECT_TRUE(SetCookie(cm.get(), http_url, "WITH_PATH=C; path=/")); |
| 3089 EXPECT_TRUE(SetCookie(cm.get(), http_url, "WITH_PATH=C; path=/your/path")); |
| 3090 EXPECT_FALSE(SetCookie(cm.get(), http_url, "WITH_PATH=C; path=/my/path")); |
| 3091 EXPECT_FALSE(SetCookie(cm.get(), http_url, "WITH_PATH=C; path=/my/path/sub")); |
| 3083 | 3092 |
| 3084 // If a non-secure cookie is created from a URL with an insecure scheme, and | 3093 // If a non-secure cookie is created from a URL with an insecure scheme, and |
| 3085 // a secure cookie with the same name already exists, if the domain strings | 3094 // a secure cookie with the same name already exists, if the domain strings |
| 3086 // domain-match, do not update the cookie. | 3095 // domain-match, do not update the cookie. |
| 3087 EXPECT_TRUE(SetCookie(cm.get(), https_url, "A=B; Secure")); | 3096 EXPECT_TRUE(SetCookie(cm.get(), https_url, "A=B; Secure")); |
| 3088 EXPECT_FALSE(SetCookie(cm.get(), http_url, "A=C; domain=google.com")); | 3097 EXPECT_FALSE(SetCookie(cm.get(), http_url, "A=C; domain=google.com")); |
| 3089 EXPECT_FALSE(SetCookie(cm.get(), http_url, "A=C; domain=www.google.com")); | 3098 EXPECT_FALSE(SetCookie(cm.get(), http_url, "A=C; domain=www.google.com")); |
| 3090 | 3099 |
| 3091 // Since A=B was set above with no domain string, set a different cookie here | 3100 // Since A=B was set above with no domain string, set a different cookie here |
| 3092 // so the insecure examples aren't trying to overwrite the one above. | 3101 // so the insecure examples aren't trying to overwrite the one above. |
| (...skipping 390 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 3483 monster()->AddCallbackForCookie( | 3492 monster()->AddCallbackForCookie( |
| 3484 test_url_, "abc", | 3493 test_url_, "abc", |
| 3485 base::Bind(&RecordCookieChanges, &cookies1, nullptr))); | 3494 base::Bind(&RecordCookieChanges, &cookies1, nullptr))); |
| 3486 SetCookie(monster(), test_url_, "abc=def"); | 3495 SetCookie(monster(), test_url_, "abc=def"); |
| 3487 base::RunLoop().RunUntilIdle(); | 3496 base::RunLoop().RunUntilIdle(); |
| 3488 EXPECT_EQ(1U, cookies0.size()); | 3497 EXPECT_EQ(1U, cookies0.size()); |
| 3489 EXPECT_EQ(1U, cookies0.size()); | 3498 EXPECT_EQ(1U, cookies0.size()); |
| 3490 } | 3499 } |
| 3491 | 3500 |
| 3492 } // namespace net | 3501 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2306393002:
Loosen strict 'Secure' checks for non-overlapping paths. (Closed)
