diff options
Diffstat (limited to 'testing/web-platform/tests/cookie-store/httponly_cookies.https.window.js')
| -rw-r--r-- | testing/web-platform/tests/cookie-store/httponly_cookies.https.window.js | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/testing/web-platform/tests/cookie-store/httponly_cookies.https.window.js b/testing/web-platform/tests/cookie-store/httponly_cookies.https.window.js new file mode 100644 index 0000000000..8a10e358ef --- /dev/null +++ b/testing/web-platform/tests/cookie-store/httponly_cookies.https.window.js @@ -0,0 +1,69 @@ +// META: script=resources/cookie-test-helpers.js + +'use strict'; + +cookie_test(async t => { + let eventPromise = observeNextCookieChangeEvent(); + await setCookieStringHttp('HTTPONLY-cookie=value; path=/; httponly'); + assert_equals( + await getCookieString(), + undefined, + 'HttpOnly cookie we wrote using HTTP in cookie jar' + + ' is invisible to script'); + assert_equals( + await getCookieStringHttp(), + 'HTTPONLY-cookie=value', + 'HttpOnly cookie we wrote using HTTP in HTTP cookie jar'); + + await setCookieStringHttp('HTTPONLY-cookie=new-value; path=/; httponly'); + assert_equals( + await getCookieString(), + undefined, + 'HttpOnly cookie we overwrote using HTTP in cookie jar' + + ' is invisible to script'); + assert_equals( + await getCookieStringHttp(), + 'HTTPONLY-cookie=new-value', + 'HttpOnly cookie we overwrote using HTTP in HTTP cookie jar'); + + eventPromise = observeNextCookieChangeEvent(); + await setCookieStringHttp( + 'HTTPONLY-cookie=DELETED; path=/; max-age=0; httponly'); + assert_equals( + await getCookieString(), + undefined, + 'Empty cookie jar after HTTP cookie-clearing using max-age=0'); + assert_equals( + await getCookieStringHttp(), + undefined, + 'Empty HTTP cookie jar after HTTP cookie-clearing using max-age=0'); + + // HTTPONLY cookie changes should not have been observed; perform + // a dummy change to verify that nothing else was queued up. + await cookieStore.set('TEST', 'dummy'); + await verifyCookieChangeEvent( + eventPromise, {changed: [{name: 'TEST', value: 'dummy'}]}, + 'HttpOnly cookie deletion was not observed'); +}, 'HttpOnly cookies are not observed'); + + +cookie_test(async t => { + document.cookie = 'cookie1=value1; path=/'; + document.cookie = 'cookie2=value2; path=/; httponly'; + document.cookie = 'cookie3=value3; path=/'; + assert_equals( + await getCookieStringHttp(), 'cookie1=value1; cookie3=value3', + 'Trying to store an HttpOnly cookie with document.cookie fails'); +}, 'HttpOnly cookies can not be set by document.cookie'); + + +// Historical: Early iterations of the proposal included an httpOnly option. +cookie_test(async t => { + await cookieStore.set('cookie1', 'value1'); + await cookieStore.set('cookie2', 'value2', {httpOnly: true}); + await cookieStore.set('cookie3', 'value3'); + assert_equals( + await getCookieStringHttp(), + 'cookie1=value1; cookie2=value2; cookie3=value3', + 'httpOnly is not an option for CookieStore.set()'); +}, 'HttpOnly cookies can not be set by CookieStore'); |