1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
let { HttpServer } = ChromeUtils.import("resource://testing-common/httpd.js");
const urlPath = "/browser/netwerk/cookie/test/browser/file_empty.html";
const baseDomain = "example.com";
// eslint doesn't like http
/* eslint-disable */
const URL_INSECURE_COM = "http://" + baseDomain + urlPath;
/* eslint-enable */
const URL_SECURE_COM = "https://" + baseDomain + urlPath;
// common cookie strings
const COOKIE_BASIC = "foo=one";
const COOKIE_OTHER = "foo=two";
const COOKIE_THIRD = "foo=three";
const COOKIE_FORTH = "foo=four";
function securify(cookie) {
return cookie + "; Secure";
}
registerCleanupFunction(() => {
info("Cleaning up the test");
});
async function setup() {
Services.prefs.setIntPref("network.cookie.cookieBehavior", 0);
Services.prefs.setBoolPref(
"network.cookieJarSettings.unblocked_for_testing",
true
);
Services.prefs.setBoolPref("network.cookie.sameSite.laxByDefault", false);
Services.prefs.setBoolPref(
"network.cookie.sameSite.noneRequiresSecure",
false
);
Services.prefs.setBoolPref("network.cookie.sameSite.schemeful", true);
Services.cookies.removeAll();
}
add_task(setup);
// note:
// 1. The URL scheme will not matter for insecure cookies, since
// cookies are not "schemeful" in this sense.
// So an insecure cookie set anywhere will be visible on http and https sites
// Secure cookies are different, they will only be visible from https sites
// and will prevent cookie setting of the same name on insecure sites.
//
// 2. The different processes (tabs) shouldn't matter since
// cookie adds/changes are distributed to other processes on a need-to-know
// basis.
add_task(async function test_insecure_cant_overwrite_secure_via_doc() {
// insecure
const tab1 = BrowserTestUtils.addTab(gBrowser, URL_INSECURE_COM);
const browser = gBrowser.getBrowserForTab(tab1);
await BrowserTestUtils.browserLoaded(browser);
// secure
const tab2 = BrowserTestUtils.addTab(gBrowser, URL_SECURE_COM);
const browser2 = gBrowser.getBrowserForTab(tab2);
await BrowserTestUtils.browserLoaded(browser2);
// init with insecure cookie on insecure origin child process
await SpecialPowers.spawn(
browser,
[COOKIE_BASIC, COOKIE_BASIC],
(cookie, expected) => {
content.document.cookie = cookie;
is(content.document.cookie, expected);
}
);
// insecure cookie visible on secure origin process (sanity check)
await SpecialPowers.spawn(browser2, [COOKIE_BASIC], expected => {
is(content.document.cookie, expected);
});
// overwrite insecure cookie on secure origin with secure cookie (sanity check)
await SpecialPowers.spawn(
browser2,
[securify(COOKIE_OTHER), COOKIE_OTHER],
(cookie, expected) => {
content.document.cookie = cookie;
is(content.document.cookie, expected);
}
);
// insecure cookie will NOT overwrite the secure one on insecure origin
// and cookie.document appears blank
await SpecialPowers.spawn(browser, [COOKIE_THIRD, ""], (cookie, expected) => {
content.document.cookie = cookie; // quiet failure here
is(content.document.cookie, expected);
});
// insecure cookie will overwrite secure cookie on secure origin
// a bit weird, but this is normal
await SpecialPowers.spawn(
browser2,
[COOKIE_FORTH, COOKIE_FORTH],
(cookie, expected) => {
content.document.cookie = cookie;
is(content.document.cookie, expected);
}
);
BrowserTestUtils.removeTab(tab1);
BrowserTestUtils.removeTab(tab2);
Services.cookies.removeAll();
});
|