Chromium Code Reviews Chromium Code Reviews
Issue 2306393002:
Loosen strict 'Secure' checks for non-overlapping paths. (Closed)
| Index: net/cookies/canonical_cookie_unittest.cc |
| diff --git a/net/cookies/canonical_cookie_unittest.cc b/net/cookies/canonical_cookie_unittest.cc |
| index b6bff7f07892b654a7d0349b7a81ba9e4cc63c06..d79d3fe2c6c3372b40c4b8f792a6913980ef00ee 100644 |
| --- a/net/cookies/canonical_cookie_unittest.cc |
| +++ b/net/cookies/canonical_cookie_unittest.cc |
| @@ -171,7 +171,7 @@ TEST(CanonicalCookieTest, IsEquivalent) { |
| std::string cookie_name = "A"; |
| std::string cookie_value = "2EDA-EF"; |
| std::string cookie_domain = ".www.example.com"; |
| - std::string cookie_path = "/"; |
| + std::string cookie_path = "/path"; |
| base::Time creation_time = base::Time::Now(); |
| base::Time expiration_time = creation_time + base::TimeDelta::FromDays(2); |
| bool secure(false); |
| @@ -184,6 +184,7 @@ TEST(CanonicalCookieTest, IsEquivalent) { |
| expiration_time, secure, httponly, same_site, false, |
| COOKIE_PRIORITY_MEDIUM)); |
| EXPECT_TRUE(cookie->IsEquivalent(*cookie)); |
| + EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*cookie)); |
| // Test that two identical cookies are equivalent. |
| std::unique_ptr<CanonicalCookie> other_cookie(CanonicalCookie::Create( |
| @@ -191,6 +192,7 @@ TEST(CanonicalCookieTest, IsEquivalent) { |
| expiration_time, secure, httponly, same_site, false, |
| COOKIE_PRIORITY_MEDIUM)); |
| EXPECT_TRUE(cookie->IsEquivalent(*other_cookie)); |
| + EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| // Tests that use different variations of attribute values that |
| // DON'T affect cookie equivalence. |
| @@ -199,6 +201,7 @@ TEST(CanonicalCookieTest, IsEquivalent) { |
| creation_time, expiration_time, secure, httponly, |
| same_site, false, COOKIE_PRIORITY_HIGH); |
| EXPECT_TRUE(cookie->IsEquivalent(*other_cookie)); |
| + EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| base::Time other_creation_time = |
| creation_time + base::TimeDelta::FromMinutes(2); |
| @@ -207,31 +210,38 @@ TEST(CanonicalCookieTest, IsEquivalent) { |
| expiration_time, secure, httponly, same_site, false, |
| COOKIE_PRIORITY_MEDIUM); |
| EXPECT_TRUE(cookie->IsEquivalent(*other_cookie)); |
| + EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| other_cookie = CanonicalCookie::Create( |
| url, cookie_name, cookie_name, cookie_domain, cookie_path, creation_time, |
| expiration_time, true, httponly, same_site, false, COOKIE_PRIORITY_LOW); |
| EXPECT_TRUE(cookie->IsEquivalent(*other_cookie)); |
| + EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| other_cookie = CanonicalCookie::Create( |
| url, cookie_name, cookie_name, cookie_domain, cookie_path, creation_time, |
| expiration_time, secure, true, same_site, false, COOKIE_PRIORITY_LOW); |
| EXPECT_TRUE(cookie->IsEquivalent(*other_cookie)); |
| + EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| other_cookie = CanonicalCookie::Create( |
| url, cookie_name, cookie_name, cookie_domain, cookie_path, creation_time, |
| expiration_time, secure, httponly, CookieSameSite::STRICT_MODE, false, |
| COOKIE_PRIORITY_LOW); |
| EXPECT_TRUE(cookie->IsEquivalent(*other_cookie)); |
| + EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| - // Tests that use different variations of attribute values that |
| - // DO affect cookie equivalence. |
| + // Cookies whose names mismatch are not equivalent. |
| other_cookie = CanonicalCookie::Create( |
| url, "B", cookie_value, cookie_domain, cookie_path, creation_time, |
| expiration_time, secure, httponly, same_site, false, |
| COOKIE_PRIORITY_MEDIUM); |
| EXPECT_FALSE(cookie->IsEquivalent(*other_cookie)); |
| + EXPECT_FALSE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| + // A domain cookie at 'www.example.com' is not equivalent to a host cookie |
| + // at the same domain. These are, however, equivalent according to the laxer |
| + // rules of 'IsEquivalentForSecureCookieMatching'. |
| other_cookie = CanonicalCookie::Create( |
| url, cookie_name, cookie_value, std::string(), cookie_path, creation_time, |
| expiration_time, secure, httponly, same_site, false, |
| @@ -239,113 +249,42 @@ TEST(CanonicalCookieTest, IsEquivalent) { |
| EXPECT_TRUE(cookie->IsDomainCookie()); |
| EXPECT_FALSE(other_cookie->IsDomainCookie()); |
| EXPECT_FALSE(cookie->IsEquivalent(*other_cookie)); |
| + EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
|
jww
2016/09/06 22:45:10
nit: In a few of these cases, it's probably worth
|
| + // Likewise, a cookie on 'example.com' is not equivalent to a cookie on |
| + // 'www.example.com', but they are equivalent for secure cookie matching. |
| other_cookie = CanonicalCookie::Create( |
| url, cookie_name, cookie_value, ".example.com", cookie_path, |
| creation_time, expiration_time, secure, httponly, same_site, false, |
| COOKIE_PRIORITY_MEDIUM); |
| EXPECT_FALSE(cookie->IsEquivalent(*other_cookie)); |
| - |
| - other_cookie = CanonicalCookie::Create( |
| - url, cookie_name, cookie_value, cookie_domain, "/test/0", creation_time, |
| - expiration_time, secure, httponly, same_site, false, |
| - COOKIE_PRIORITY_MEDIUM); |
| - EXPECT_FALSE(cookie->IsEquivalent(*other_cookie)); |
| -} |
| - |
| -TEST(CanonicalCookieTest, IsEquivalentForSecureCookieMatching) { |
| - GURL url("http://www.example.com/"); |
| - std::string cookie_name = "A"; |
| - std::string cookie_value = "2EDA-EF"; |
| - std::string cookie_domain = ".www.example.com"; |
| - std::string cookie_path = "/"; |
| - base::Time creation_time = base::Time::Now(); |
| - base::Time expiration_time = creation_time + base::TimeDelta::FromDays(2); |
| - bool secure(false); |
| - bool httponly(false); |
| - CookieSameSite same_site(CookieSameSite::NO_RESTRICTION); |
| - |
| - // Test that a cookie is equivalent to itself. |
| - std::unique_ptr<CanonicalCookie> cookie(CanonicalCookie::Create( |
| - url, cookie_name, cookie_value, cookie_domain, cookie_path, creation_time, |
| - expiration_time, secure, httponly, same_site, false, |
| - COOKIE_PRIORITY_MEDIUM)); |
| - EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*cookie)); |
| - |
| - // Test that two identical cookies are equivalent. |
| - std::unique_ptr<CanonicalCookie> other_cookie(CanonicalCookie::Create( |
| - url, cookie_name, cookie_value, cookie_domain, cookie_path, creation_time, |
| - expiration_time, secure, httponly, same_site, false, |
| - COOKIE_PRIORITY_MEDIUM)); |
| - EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| - |
| - // Tests that use different variations of attribute values that |
| - // DON'T affect cookie equivalence. Differs from the IsEquivalent tests above |
| - // as follows: |
| - // * Should return true even if paths differ. |
| - // * Should return true if the domains "domain-match" (but are not |
| - // identical). |
| - other_cookie = |
| - CanonicalCookie::Create(url, cookie_name, "2", cookie_domain, cookie_path, |
| - creation_time, expiration_time, secure, httponly, |
| - same_site, false, COOKIE_PRIORITY_HIGH); |
| EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| - base::Time other_creation_time = |
| - creation_time + base::TimeDelta::FromMinutes(2); |
| + // Paths are a bit more complicated. 'IsEquivalent' requires an exact path |
| + // match, while secure cookie matching uses a more relaxed 'IsOnPath' check. |
| + // That is, |cookie| set on '/path' is not equivalent in either way to |
| + // |other_cookie| set on '/test' or '/path/subpath'. It is, however, |
| + // equivalent for secure cookie matching to |other_cookie| set on '/'. |
| other_cookie = CanonicalCookie::Create( |
| - url, cookie_name, "2", cookie_domain, cookie_path, other_creation_time, |
| + url, cookie_name, cookie_value, cookie_domain, "/test", creation_time, |
| expiration_time, secure, httponly, same_site, false, |
| COOKIE_PRIORITY_MEDIUM); |
| - EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| - |
| - other_cookie = CanonicalCookie::Create( |
| - url, cookie_name, cookie_name, cookie_domain, cookie_path, creation_time, |
| - expiration_time, true, httponly, same_site, false, COOKIE_PRIORITY_LOW); |
| - EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| - |
| - other_cookie = CanonicalCookie::Create( |
| - url, cookie_name, cookie_name, cookie_domain, cookie_path, creation_time, |
| - expiration_time, secure, true, same_site, false, COOKIE_PRIORITY_LOW); |
| - EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| - |
| - other_cookie = CanonicalCookie::Create( |
| - url, cookie_name, cookie_name, cookie_domain, cookie_path, creation_time, |
| - expiration_time, secure, httponly, CookieSameSite::STRICT_MODE, false, |
| - COOKIE_PRIORITY_LOW); |
| - EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| - |
| - // The following 3 tests' expected results differ from their IsEquivalent |
| - // counterparts above. |
| - other_cookie = CanonicalCookie::Create( |
| - url, cookie_name, cookie_value, cookie_domain, "/test/0", creation_time, |
| - expiration_time, secure, httponly, same_site, false, |
| - COOKIE_PRIORITY_MEDIUM); |
| - EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| - |
| - other_cookie = CanonicalCookie::Create( |
| - url, cookie_name, cookie_value, std::string(), cookie_path, creation_time, |
| - expiration_time, secure, httponly, same_site, false, |
| - COOKIE_PRIORITY_MEDIUM); |
| - EXPECT_TRUE(cookie->IsDomainCookie()); |
| - EXPECT_FALSE(other_cookie->IsDomainCookie()); |
| - EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| + EXPECT_FALSE(cookie->IsEquivalent(*other_cookie)); |
| + EXPECT_FALSE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| other_cookie = CanonicalCookie::Create( |
| - url, cookie_name, cookie_value, ".example.com", cookie_path, |
| + url, cookie_name, cookie_value, cookie_domain, cookie_path + "/subpath", |
| creation_time, expiration_time, secure, httponly, same_site, false, |
| COOKIE_PRIORITY_MEDIUM); |
| - EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| + EXPECT_FALSE(cookie->IsEquivalent(*other_cookie)); |
| + EXPECT_FALSE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| - // Tests that use different variations of attribute values that |
| - // DO affect cookie equivalence. Note that unlike the IsEquivalent tests |
| - // above, this does *not* include tests for differing paths or domains that |
| - // "domain-match". |
| other_cookie = CanonicalCookie::Create( |
| - url, "B", cookie_value, cookie_domain, cookie_path, creation_time, |
| + url, cookie_name, cookie_value, cookie_domain, "/", creation_time, |
| expiration_time, secure, httponly, same_site, false, |
| COOKIE_PRIORITY_MEDIUM); |
| - EXPECT_FALSE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| + EXPECT_FALSE(cookie->IsEquivalent(*other_cookie)); |
| + EXPECT_TRUE(cookie->IsEquivalentForSecureCookieMatching(*other_cookie)); |
| } |
| TEST(CanonicalCookieTest, IsDomainMatch) { |
