toolkit/components/extensions/test/mochitest/test_ext_cookies.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367

<!DOCTYPE HTML>
<html>
<head>
  <title>WebExtension test</title>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <script src="/tests/SimpleTest/ExtensionTestUtils.js"></script>
  <script type="text/javascript" src="head.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>

<script type="text/javascript">
"use strict";

add_task(async function test_cookies() {
  await SpecialPowers.pushPrefEnv({set: [
    ["dom.security.https_first_pbm", false],
    ["dom.security.https_first", false],
  ]});

  async function background() {
    function assertExpected(expected, cookie) {
      for (let key of Object.keys(cookie)) {
        browser.test.assertTrue(key in expected, `found property ${key}`);
        browser.test.assertEq(expected[key], cookie[key], `property value for ${key} is correct`);
      }
      browser.test.assertEq(Object.keys(expected).length, Object.keys(cookie).length, "all expected properties found");
    }

    async function getDocumentCookie(tabId) {
      let results = await browser.tabs.executeScript(tabId, {
        code: "document.cookie",
      });
      browser.test.assertEq(1, results.length, "executeScript returns one result");
      return results[0];
    }

    async function testIpCookie(ipAddress, setHostOnly) {
      const IP_TEST_HOST = ipAddress;
      const IP_TEST_URL = `http://${IP_TEST_HOST}/`;
      const IP_THE_FUTURE = Date.now() + 5 * 60;
      const IP_STORE_ID = "firefox-default";

      let expectedCookie = {
        name: "name1",
        value: "value1",
        domain: IP_TEST_HOST,
        hostOnly: true,
        path: "/",
        secure: false,
        httpOnly: false,
        sameSite: "no_restriction",
        session: false,
        expirationDate: IP_THE_FUTURE,
        storeId: IP_STORE_ID,
        firstPartyDomain: "",
        partitionKey: null,
      };

      await browser.browsingData.removeCookies({});
      let ip_cookie = await browser.cookies.set({
        url: IP_TEST_URL,
        domain: setHostOnly ? ipAddress : undefined,
        name: "name1",
        value: "value1",
        expirationDate: IP_THE_FUTURE,
      });
      assertExpected(expectedCookie, ip_cookie);

      let ip_cookies = await browser.cookies.getAll({name: "name1"});
      browser.test.assertEq(1, ip_cookies.length, "ip cookie can be added");
      assertExpected(expectedCookie, ip_cookies[0]);

      ip_cookies = await browser.cookies.getAll({domain: IP_TEST_HOST, name: "name1"});
      browser.test.assertEq(1, ip_cookies.length, "can get ip cookie by host");
      assertExpected(expectedCookie, ip_cookies[0]);

      let ip_details = await browser.cookies.remove({url: IP_TEST_URL, name: "name1"});
      assertExpected({url: IP_TEST_URL, name: "name1", storeId: IP_STORE_ID, firstPartyDomain: "", partitionKey: null}, ip_details);

      ip_cookies = await browser.cookies.getAll({name: "name1"});
      browser.test.assertEq(0, ip_cookies.length, "ip cookie can be removed");
    }

    async function openPrivateWindowAndTab(TEST_URL) {
      // Add some random suffix to make sure that we select the right tab.
      const PRIVATE_TEST_URL = TEST_URL + "?random" + Math.random();

      let tabReadyPromise = new Promise((resolve) => {
        browser.webNavigation.onDOMContentLoaded.addListener(function listener({tabId}) {
          browser.webNavigation.onDOMContentLoaded.removeListener(listener);
          resolve(tabId);
        }, {
          url: [{
            urlPrefix: PRIVATE_TEST_URL,
          }],
        });
      });
      // This tab is opened for two purposes:
      // 1. To allow tests to run content scripts in the context of a tab,
      //    for fetching the value of document.cookie.
      // 2. TODO Bug 1309637 To work around cookies in incognito windows,
      //    based on the analysis in comment 8.
      let {id: windowId} = await browser.windows.create({
        incognito: true,
        url: PRIVATE_TEST_URL,
      });
      let tabId = await tabReadyPromise;
      return {windowId, tabId};
    }

    function changePort(href, port) {
      let url = new URL(href);
      url.port = port;
      return url.href;
    }

    await testIpCookie("[2a03:4000:6:310e:216:3eff:fe53:99b]", false);
    await testIpCookie("[2a03:4000:6:310e:216:3eff:fe53:99b]", true);
    await testIpCookie("192.168.1.1", false);
    await testIpCookie("192.168.1.1", true);

    const TEST_URL = "http://example.org/";
    const TEST_SECURE_URL = "https://example.org/";
    const THE_FUTURE = Date.now() + 5 * 60;
    const TEST_PATH = "set_path";
    const TEST_URL_WITH_PATH = TEST_URL + TEST_PATH;
    const TEST_COOKIE_PATH = `/${TEST_PATH}`;
    const STORE_ID = "firefox-default";
    const PRIVATE_STORE_ID = "firefox-private";

    let expected = {
      name: "name1",
      value: "value1",
      domain: "example.org",
      hostOnly: true,
      path: "/",
      secure: false,
      httpOnly: false,
      sameSite: "no_restriction",
      session: false,
      expirationDate: THE_FUTURE,
      storeId: STORE_ID,
      firstPartyDomain: "",
      partitionKey: null,
    };

    // Remove all cookies before starting the test.
    await browser.browsingData.removeCookies({});

    let cookie = await browser.cookies.set({url: TEST_URL, name: "name1", value: "value1", expirationDate: THE_FUTURE});
    assertExpected(expected, cookie);

    cookie = await browser.cookies.get({url: TEST_URL, name: "name1"});
    assertExpected(expected, cookie);

    let cookies = await browser.cookies.getAll({name: "name1"});
    browser.test.assertEq(1, cookies.length, "one cookie found for matching name");
    assertExpected(expected, cookies[0]);

    cookies = await browser.cookies.getAll({domain: "example.org"});
    browser.test.assertEq(1, cookies.length, "one cookie found for matching domain");
    assertExpected(expected, cookies[0]);

    cookies = await browser.cookies.getAll({domain: "example.net"});
    browser.test.assertEq(0, cookies.length, "no cookies found for non-matching domain");

    cookies = await browser.cookies.getAll({secure: false});
    browser.test.assertEq(1, cookies.length, "one non-secure cookie found");
    assertExpected(expected, cookies[0]);

    cookies = await browser.cookies.getAll({secure: true});
    browser.test.assertEq(0, cookies.length, "no secure cookies found");

    cookies = await browser.cookies.getAll({storeId: STORE_ID});
    browser.test.assertEq(1, cookies.length, "one cookie found for valid storeId");
    assertExpected(expected, cookies[0]);

    cookies = await browser.cookies.getAll({storeId: "invalid_id"});
    browser.test.assertEq(0, cookies.length, "no cookies found for invalid storeId");

    let details = await browser.cookies.remove({url: TEST_URL, name: "name1"});
    assertExpected({url: TEST_URL, name: "name1", storeId: STORE_ID, firstPartyDomain: "", partitionKey: null}, details);

    cookie = await browser.cookies.get({url: TEST_URL, name: "name1"});
    browser.test.assertEq(null, cookie, "removed cookie not found");

    // Ports in cookie URLs should be ignored. Every API call uses a different port number for better coverage.
    cookie = await browser.cookies.set({url: changePort(TEST_URL, 1234), name: "name1", value: "value1", expirationDate: THE_FUTURE});
    assertExpected(expected, cookie);

    cookie = await browser.cookies.get({url: changePort(TEST_URL, 65535), name: "name1"});
    assertExpected(expected, cookie);

    cookies = await browser.cookies.getAll({url: TEST_URL});
    browser.test.assertEq(cookies.length, 1, "Found cookie using getAll without port");
    assertExpected(expected, cookies[0]);

    cookies = await browser.cookies.getAll({url: changePort(TEST_URL, 1)});
    browser.test.assertEq(cookies.length, 1, "Found cookie using getAll with port");
    assertExpected(expected, cookies[0]);

    // .remove should return the URL of the API call, so the port is included in the return value.
    const TEST_URL_TO_REMOVE = changePort(TEST_URL, 1023);
    details = await browser.cookies.remove({url: TEST_URL_TO_REMOVE, name: "name1"});
    assertExpected({url: TEST_URL_TO_REMOVE, name: "name1", storeId: STORE_ID, firstPartyDomain: "", partitionKey: null}, details);

    cookie = await browser.cookies.get({url: TEST_URL, name: "name1"});
    browser.test.assertEq(null, cookie, "removed cookie not found");

    let stores = await browser.cookies.getAllCookieStores();
    browser.test.assertEq(1, stores.length, "expected number of stores returned");
    browser.test.assertEq(STORE_ID, stores[0].id, "expected store id returned");
    browser.test.assertEq(1, stores[0].tabIds.length, "one tabId returned for store");
    browser.test.assertEq("number", typeof stores[0].tabIds[0], "tabId is a number");

    // TODO bug 1372178: Opening private windows/tabs is not supported on Android
    if (browser.windows) {
      let {windowId} = await openPrivateWindowAndTab(TEST_URL);
      let stores = await browser.cookies.getAllCookieStores();

      browser.test.assertEq(2, stores.length, "expected number of stores returned");
      browser.test.assertEq(STORE_ID, stores[0].id, "expected store id returned");
      browser.test.assertEq(1, stores[0].tabIds.length, "one tab returned for store");
      browser.test.assertEq(PRIVATE_STORE_ID, stores[1].id, "expected private store id returned");
      browser.test.assertEq(1, stores[0].tabIds.length, "one tab returned for private store");

      await browser.windows.remove(windowId);
    }

    cookie = await browser.cookies.set({url: TEST_URL, name: "name2", domain: ".example.org", expirationDate: THE_FUTURE});
    browser.test.assertEq(false, cookie.hostOnly, "cookie is not a hostOnly cookie");

    details = await browser.cookies.remove({url: TEST_URL, name: "name2"});
    assertExpected({url: TEST_URL, name: "name2", storeId: STORE_ID, firstPartyDomain: "", partitionKey: null}, details);

    // Create a session cookie.
    cookie = await browser.cookies.set({url: TEST_URL, name: "name1", value: "value1"});
    browser.test.assertEq(true, cookie.session, "session cookie set");

    cookie = await browser.cookies.get({url: TEST_URL, name: "name1"});
    browser.test.assertEq(true, cookie.session, "got session cookie");

    cookies = await browser.cookies.getAll({session: true});
    browser.test.assertEq(1, cookies.length, "one session cookie found");
    browser.test.assertEq(true, cookies[0].session, "found session cookie");

    cookies = await browser.cookies.getAll({session: false});
    browser.test.assertEq(0, cookies.length, "no non-session cookies found");

    details = await browser.cookies.remove({url: TEST_URL, name: "name1"});
    assertExpected({url: TEST_URL, name: "name1", storeId: STORE_ID, firstPartyDomain: "", partitionKey: null}, details);

    cookie = await browser.cookies.get({url: TEST_URL, name: "name1"});
    browser.test.assertEq(null, cookie, "removed cookie not found");

    cookie = await browser.cookies.set({url: TEST_SECURE_URL, name: "name1", value: "value1", secure: true});
    browser.test.assertEq(true, cookie.secure, "secure cookie set");

    cookie = await browser.cookies.get({url: TEST_SECURE_URL, name: "name1"});
    browser.test.assertEq(true, cookie.session, "got secure cookie");

    cookies = await browser.cookies.getAll({secure: true});
    browser.test.assertEq(1, cookies.length, "one secure cookie found");
    browser.test.assertEq(true, cookies[0].secure, "found secure cookie");

    cookies = await browser.cookies.getAll({secure: false});
    browser.test.assertEq(0, cookies.length, "no non-secure cookies found");

    details = await browser.cookies.remove({url: TEST_SECURE_URL, name: "name1"});
    assertExpected({url: TEST_SECURE_URL, name: "name1", storeId: STORE_ID, firstPartyDomain: "", partitionKey: null}, details);

    cookie = await browser.cookies.get({url: TEST_SECURE_URL, name: "name1"});
    browser.test.assertEq(null, cookie, "removed cookie not found");

    cookie = await browser.cookies.set({url: TEST_URL_WITH_PATH, path: TEST_COOKIE_PATH, name: "name1", value: "value1", expirationDate: THE_FUTURE});
    browser.test.assertEq(TEST_COOKIE_PATH, cookie.path, "created cookie with path");

    cookie = await browser.cookies.get({url: TEST_URL_WITH_PATH, name: "name1"});
    browser.test.assertEq(TEST_COOKIE_PATH, cookie.path, "got cookie with path");

    cookies = await browser.cookies.getAll({path: TEST_COOKIE_PATH});
    browser.test.assertEq(1, cookies.length, "one cookie with path found");
    browser.test.assertEq(TEST_COOKIE_PATH, cookies[0].path, "found cookie with path");

    cookie = await browser.cookies.get({url: TEST_URL + "invalid_path", name: "name1"});
    browser.test.assertEq(null, cookie, "get with invalid path returns null");

    cookies = await browser.cookies.getAll({path: "/invalid_path"});
    browser.test.assertEq(0, cookies.length, "getAll with invalid path returns 0 cookies");

    details = await browser.cookies.remove({url: TEST_URL_WITH_PATH, name: "name1"});
    assertExpected({url: TEST_URL_WITH_PATH, name: "name1", storeId: STORE_ID, firstPartyDomain: "", partitionKey: null}, details);

    cookie = await browser.cookies.set({url: TEST_URL, name: "name1", value: "value1", httpOnly: true});
    browser.test.assertEq(true, cookie.httpOnly, "httpOnly cookie set");

    cookie = await browser.cookies.set({url: TEST_URL, name: "name1", value: "value1", httpOnly: false});
    browser.test.assertEq(false, cookie.httpOnly, "non-httpOnly cookie set");

    details = await browser.cookies.remove({url: TEST_URL, name: "name1"});
    assertExpected({url: TEST_URL, name: "name1", storeId: STORE_ID, firstPartyDomain: "", partitionKey: null}, details);

    cookie = await browser.cookies.set({url: TEST_URL});
    browser.test.assertEq("", cookie.name, "default name set");
    browser.test.assertEq("", cookie.value, "default value set");
    browser.test.assertEq(true, cookie.session, "no expiry date created session cookie");

    // TODO bug 1372178: Opening private windows/tabs is not supported on Android
    if (browser.windows) {
      let {tabId, windowId} = await openPrivateWindowAndTab(TEST_URL);

      browser.test.assertEq("", await getDocumentCookie(tabId), "initially no cookie");

      let cookie = await browser.cookies.set({url: TEST_URL, name: "store", value: "private", expirationDate: THE_FUTURE, storeId: PRIVATE_STORE_ID});
      browser.test.assertEq("private", cookie.value, "set the private cookie");

      cookie = await browser.cookies.set({url: TEST_URL, name: "store", value: "default", expirationDate: THE_FUTURE, storeId: STORE_ID});
      browser.test.assertEq("default", cookie.value, "set the default cookie");

      cookie = await browser.cookies.get({url: TEST_URL, name: "store", storeId: PRIVATE_STORE_ID});
      browser.test.assertEq("private", cookie.value, "get the private cookie");
      browser.test.assertEq(PRIVATE_STORE_ID, cookie.storeId, "get the private cookie storeId");

      cookie = await browser.cookies.get({url: TEST_URL, name: "store", storeId: STORE_ID});
      browser.test.assertEq("default", cookie.value, "get the default cookie");
      browser.test.assertEq(STORE_ID, cookie.storeId, "get the default cookie storeId");

      browser.test.assertEq("store=private", await getDocumentCookie(tabId), "private document.cookie should be set");

      let details = await browser.cookies.remove({url: TEST_URL, name: "store", storeId: STORE_ID});
      assertExpected({url: TEST_URL, name: "store", storeId: STORE_ID, firstPartyDomain: "", partitionKey: null}, details);

      cookie = await browser.cookies.get({url: TEST_URL, name: "store", storeId: STORE_ID});
      browser.test.assertEq(null, cookie, "deleted the default cookie");

      details = await browser.cookies.remove({url: TEST_URL, name: "store", storeId: PRIVATE_STORE_ID});
      assertExpected({url: TEST_URL, name: "store", storeId: PRIVATE_STORE_ID, firstPartyDomain: "", partitionKey: null}, details);

      cookie = await browser.cookies.get({url: TEST_URL, name: "store", storeId: PRIVATE_STORE_ID});
      browser.test.assertEq(null, cookie, "deleted the private cookie");

      browser.test.assertEq("", await getDocumentCookie(tabId), "private document.cookie should be removed");

      await browser.windows.remove(windowId);
    }

    browser.test.notifyPass("cookies");
  }

  let extension = ExtensionTestUtils.loadExtension({
    incognitoOverride: "spanning",
    background,
    manifest: {
      permissions: ["cookies", "*://example.org/", "*://[2a03:4000:6:310e:216:3eff:fe53:99b]/", "*://192.168.1.1/", "webNavigation", "browsingData"],
    },
  });

  await extension.startup();
  await extension.awaitFinish("cookies");
  await extension.unload();
});

</script>

</body>
</html>