author | deanm@chromium.org <deanm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-11-19 19:46:27 +0000 |
---|---|---|
committer | deanm@chromium.org <deanm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-11-19 19:46:27 +0000 |
commit | 3a96c74353aae5bcc15867400927e52f05d9b7e6 (patch) | |
tree | 8e88a4c722f67c282a095ba5363c95d938a596f3 /net/base/cookie_monster_unittest.cc | |
parent | ad4996c5bae5ebb89eb893d49a5802f7e8a9e543 (diff) | |
Enforce httponly on cookies coming from the renderer. This prevents javascript from setting a new httponly cookie, and more importantly from overwriting httponly cookies.
Patch from Marius Schilder.
Review URL: http://codereview.chromium.org/11275
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@5700 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/cookie_monster_unittest.cc')
-rw-r--r-- | net/base/cookie_monster_unittest.cc | 33 |
1 files changed, 27 insertions, 6 deletions
diff --git a/net/base/cookie_monster_unittest.cc b/net/base/cookie_monster_unittest.cc
index c3c64f3..fcf8dbc 100644
--- a/net/base/cookie_monster_unittest.cc
+++ b/net/base/cookie_monster_unittest.cc
@@ -468,10 +468,29 @@ TEST(CookieMonsterTest, PathTest) {
 TEST(CookieMonsterTest, HttpOnlyTest) {
 GURL url_google(kUrlGoogle);
 net::CookieMonster cm;
- EXPECT_TRUE(cm.SetCookie(url_google, "A=B; httponly"));
+ net::CookieMonster::CookieOptions options;
+ options.set_include_httponly();
+
+ // Create a httponly cookie.
+ EXPECT_TRUE(cm.SetCookieWithOptions(url_google, "A=B; httponly", options));
+
+ // Check httponly read protection.
+ EXPECT_EQ("", cm.GetCookies(url_google));
+ EXPECT_EQ("A=B", cm.GetCookiesWithOptions(url_google, options));
+
+ // Check httponly overwrite protection.
+ EXPECT_FALSE(cm.SetCookie(url_google, "A=C"));
 EXPECT_EQ("", cm.GetCookies(url_google));
- EXPECT_EQ("A=B", cm.GetCookiesWithOptions(url_google,
- net::CookieMonster::INCLUDE_HTTPONLY));
+ EXPECT_EQ("A=B", cm.GetCookiesWithOptions(url_google, options));
+ EXPECT_TRUE(cm.SetCookieWithOptions(url_google, "A=C", options));
+ EXPECT_EQ("A=C", cm.GetCookies(url_google));
+
+ // Check httponly create protection.
+ EXPECT_FALSE(cm.SetCookie(url_google, "B=A; httponly"));
+ EXPECT_EQ("A=C", cm.GetCookiesWithOptions(url_google, options));
+ EXPECT_TRUE(cm.SetCookieWithOptions(url_google, "B=A; httponly", options));
+ EXPECT_EQ("A=C; B=A", cm.GetCookiesWithOptions(url_google, options));
+ EXPECT_EQ("A=C", cm.GetCookies(url_google));
 }
 namespace {
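Review bot: The "Check httponly overwrite protection" block in HttpOnlyTest only tries a plain value replacement (`"A=C"`), so it does not pin down whether a cookie line that expires `A` is also rejected when it arrives without the httponly option. An expiring overwrite removes the protected cookie just as effectively as a value change, and the commit message names overwriting as the main concern. While `A=B` is still httponly, I would add `EXPECT_FALSE(cm.SetCookie(url_google, "A=B; expires=<past date>"));` followed by `EXPECT_EQ("A=B", cm.GetCookiesWithOptions(url_google, options));`. The expected `false` return is inferred from the neighbouring `"A=C"` assertion and should be confirmed against the implementation, which is not part of this diff.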
@@ -614,15 +633,17 @@ TEST(CookieMonsterTest, TestCookieDeletion) {
 TEST(CookieMonsterTest, TestCookieDeleteAll) {
 GURL url_google(kUrlGoogle);
 net::CookieMonster cm;
+ net::CookieMonster::CookieOptions options;
+ options.set_include_httponly();
 EXPECT_TRUE(cm.SetCookie(url_google, kValidCookieLine));
 EXPECT_EQ("A=B", cm.GetCookies(url_google));
- EXPECT_TRUE(cm.SetCookie(url_google, "C=D"));
- EXPECT_EQ("A=B; C=D", cm.GetCookies(url_google));
+ EXPECT_TRUE(cm.SetCookieWithOptions(url_google, "C=D; httponly", options));
+ EXPECT_EQ("A=B; C=D", cm.GetCookiesWithOptions(url_google, options));
 EXPECT_EQ(2, cm.DeleteAll(false));
- EXPECT_EQ("", cm.GetCookies(url_google));
+ EXPECT_EQ("", cm.GetCookiesWithOptions(url_google, options));
 }
 TEST(CookieMonsterTest, TestCookieDeleteAllCreatedAfterTimestamp) { |
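Review bot: TestCookieDeleteAll now makes `C=D` httponly with no comment explaining why, so the intent is easy to lose in a later cleanup. Presumably the test is meant to show that `DeleteAll` also removes httponly cookies. I would add a line above the `SetCookieWithOptions` call such as `// One of the two cookies is httponly: DeleteAll must remove those as well.` The final `EXPECT_EQ("", cm.GetCookiesWithOptions(url_google, options));` depends on `options` including httponly cookies, which deserves a short comment for the same reason.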