1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
|
<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Test invalid attribute parsing</title>
<meta name=help href="https://tools.ietf.org/html/rfc6265#section-5.2">
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/resources/testdriver.js"></script>
<script src="/resources/testdriver-vendor.js"></script>
<script src="/cookies/resources/cookie-test.js"></script>
</head>
<body>
<div id=log></div>
<script>
// These tests ensure that invalid attributes don't affect
// cookie parsing. `Path` isn't important to the tests where it appears,
// but it's used to be able to place the invalid attribute in different
// locations.
const invalidAttributeTests = [
{
cookie: "test=1; lol; Path=/",
expected: "test=1",
name: "Set cookie with invalid attribute",
defaultPath: false
},
{
cookie: "test=2; Path=/; lol",
expected: "test=2",
name: "Set cookie ending with invalid attribute.",
defaultPath: false
},
{
cookie: "test=3; Path=/; 'lol'",
expected: "test=3",
name: "Set cookie ending with quoted invalid attribute.",
defaultPath: false
},
{
cookie: 'test=4; Path=/; "lol"',
expected: "test=4",
name: "Set cookie ending with double-quoted invalid attribute.",
defaultPath: false
},
{
cookie: "test=5; Path=/; lol=",
expected: "test=5",
name: "Set cookie ending with invalid attribute equals.",
defaultPath: false
},
{
cookie: 'test=6; lol="aaa;bbb"; Path=/',
expected: "test=6",
name: "Set cookie with two invalid attributes (lol=\"aaa and bbb).",
defaultPath: false
},
{
cookie: 'test=7; Path=/; lol="aaa;bbb"',
expected: "test=7",
name: "Set cookie ending with two invalid attributes (lol=\"aaa and bbb).",
defaultPath: false
},
{
cookie: 'test=8; "Secure"',
expected: "test=8",
// This gets parsed as an unrecognized \"Secure\" attribute, not a valid
// Secure attribute. That's why it gets set on an non-secure origin.
name: "Set cookie for quoted Secure attribute",
},
{
cookie: "test=9; Secure qux",
expected: "test=9",
// This should be parsed as an unrecognized "Secure qux" attribute
// and ignored. That is, the cookie will not be Secure.
name: "Set cookie for Secure qux",
},
{
cookie: "test=10; b,az=qux",
expected: "test=10",
name: "Ignore invalid attribute name with comma",
},
{
cookie: "test=11; baz=q,ux",
expected: "test=11",
name: "Ignore invalid attribute value with comma",
},
{
cookie: " test = 12 ;foo;;; bar",
expected: "test=12",
name: "Set cookie ignoring multiple invalid attributes, whitespace, and semicolons",
},
{
cookie: " test=== 13 ;foo;;; bar",
expected: "test=== 13",
name: "Set cookie with multiple '='s in its value, ignoring multiple invalid attributes, whitespace, and semicolons",
},
{
cookie: "test=14; version=1;",
expected: "test=14",
name: "Set cookie with (invalid) version=1 attribute",
},
{
cookie: "test=15; version=1000;",
expected: "test=15",
name: "Set cookie with (invalid) version=1000 attribute",
},
{
cookie: "test=16; customvalue='1000 or more';",
expected: "test=16",
name: "Set cookie ignoring anything after ; (which looks like an invalid attribute)",
},
{
cookie: "test=17; customvalue='1000 or more'",
expected: "test=17",
name: "Set cookie ignoring anything after ; (which looks like an invalid attribute, with no trailing semicolon)",
},
{
cookie: "test=18; foo=bar, a=b",
expected: "test=18",
name: "Ignore keys after semicolon",
},
{
cookie: "test=19;max-age=3600, c=d;path=/",
expected: "test=19",
name: "Ignore attributes after semicolon",
defaultPath: false,
},
{
cookie: ["testA=20", "=", "testb=20"],
expected: "testA=20; testb=20",
name: "Ignore `Set-Cookie: =`",
},
{
cookie: ["test=21", ""],
expected: "test=21",
name: "Ignore empty cookie string",
},
{
cookie: ["test22", "="],
expected: "test22",
name: "Ignore `Set-Cookie: =` with other `Set-Cookie` headers",
},
{
cookie: ["testA23", "; testB23"],
expected: "testA23",
name: "Ignore name- and value-less `Set-Cookie: ; bar`",
},
{
cookie: ["test24", " "],
expected: "test24",
name: "Ignore name- and value-less `Set-Cookie: `",
},
{
cookie: ["test25", "\t"],
expected: "test25",
name: "Ignore name- and value-less `Set-Cookie: \\t`",
},
{
cookie: "test=26; domain=.parser.test; ;; ;=; ,,, ===,abc,=; abracadabra! max-age=20;=;;",
expected: "",
name: "Ignore cookie with domain that won't domain match (along with other invalid noise)",
},
];
for (const test of invalidAttributeTests) {
httpCookieTest(test.cookie, test.expected, test.name, test.defaultPath);
}
</script>
</body>
</html>
|
