<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Test cookie attribute size restrictions</title>
<meta name=help href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4">
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/resources/testdriver.js"></script>
<script src="/resources/testdriver-vendor.js"></script>
<script src="/cookies/resources/cookie-test.js"></script>
</head>
<body>
<div id=log></div>
<script>
// Host name used for the valid Domain attributes below. The double-brace
// value looks like a server-side template placeholder -- presumably it is
// substituted before the page is served; confirm against the test server.
const host = "{{host}}";
// Table of Set-Cookie strings that probe the 1024-byte limit on cookie
// attribute values (Path, Domain, Max-Age). The cases pin two properties:
// an attribute value at the limit is still honoured, and an attribute value
// over the limit is dropped on its own, so the cookie stays scoped by any
// other valid attribute instead of being rejected or re-scoped.
//
// Each entry is handed to httpCookieTest(), which comes from
// /cookies/resources/cookie-test.js and is not shown here:
//   cookie      - the cookie string under test
//   expected    - the cookie string expected to be readable afterwards;
//                 "" means no cookie is expected to be visible
//   name        - title of the test case
//   defaultPath - optional. Entries that omit it are described below as being
//                 looked up "using the default path"; `false` presumably
//                 selects a lookup from the current document instead --
//                 confirm against cookie-test.js.
const attrSizeTests = [
{
// "/cookies/siz" (12 bytes) + 1024 "e" = 1036 bytes, over the limit, so the
// second path is expected to be ignored and the first one kept.
cookie: `test=1; path=/cookies/size; path=/cookies/siz${"e".repeat(1024)}`,
expected: "test=1",
name: "Too long path attribute (>1024 bytes) is ignored; previous valid path wins.",
defaultPath: false,
},
{
// Same oversized path, but listed first: the later valid path must apply.
cookie: `test=2; path=/cookies/siz${"e".repeat(1024)}; path=/cookies/size`,
expected: "test=2",
name: "Too long path attribute (>1024 bytes) is ignored; next valid path wins.",
defaultPath: false,
},
{
// Look for the cookie using the default path to ensure that it
// doesn't show up if the path attribute actually takes effect.
// "/" + 1023 "a" = exactly 1024 bytes.
cookie: `test=3; path=/${"a".repeat(1023)};`,
expected: "",
name: "Max size path attribute (1024 bytes) is not ignored",
},
{
// Look for the cookie using the default path to ensure that it
// shows up if the path is ignored.
// "/" + 1024 "a" = 1025 bytes, one byte over the limit.
cookie: `test=4; path=/${"a".repeat(1024)};`,
expected: "test=4",
name: "Too long path attribute (>1024 bytes) is ignored",
},
{
// This page opens on the www subdomain, so we set domain to {{host}}
// to check that the valid domain attribute is applied as expected. Using
// a valid domain other than ${host} will cause the cookie to fail to be set.
// NOTE: the domain we use for testing here is technically invalid per
// the RFCs that define the format of domain names, but currently
// neither RFC6265bis nor the major browsers enforce those restrictions
// when parsing cookie domain attributes. If that changes, update these
// tests.
// 1024 "a" + ".com" = 1028 bytes, over the limit.
cookie: `test=5; domain=${host}; domain=${"a".repeat(1024)}.com`,
expected: "test=5",
name: "Too long domain attribute (>1024 bytes) is ignored; previous valid domain wins.",
},
{
// Same oversized domain, but listed first: the later valid domain must apply.
cookie: `test=6; domain=${"a".repeat(1024)}.com; domain=${host}`,
expected: "test=6",
name: "Too long domain attribute (>1024 bytes) is ignored; next valid domain wins.",
},
{
// 1020 "a" + ".com" = exactly 1024 bytes. The attribute is honoured, and
// since it names a domain other than ${host} no cookie is expected.
cookie: `test=7; domain=${"a".repeat(1020)}.com;`,
expected: "",
name: "Max size domain attribute (1024 bytes) is not ignored"
},
{
// 1021 "a" + ".com" = 1025 bytes. The attribute is dropped, so the cookie
// is expected to be set as if no domain had been given.
cookie: `test=8; domain=${"a".repeat(1021)}.com;`,
expected: "test=8",
name: "Too long domain attribute (>1024 bytes) is ignored"
},
{
// cookieStringWithNameAndValueLengths() is defined outside this file; per
// the test name, (2048, 2048) yields the largest accepted name/value pair.
// The 1024-byte domain is honoured but then overridden by the later ${host}.
cookie: cookieStringWithNameAndValueLengths(2048, 2048) +
`; domain=${"a".repeat(1020)}.com; domain=${host}`,
expected: cookieStringWithNameAndValueLengths(2048, 2048),
name: "Set cookie with max size name/value pair and max size attribute value",
},
{
// RFC6265bis doesn't specify a maximum size of the entire Set-Cookie
// header, although some browsers do
// Four 1024-byte domain values plus the name/value pair push the whole
// string past 8k bytes; the final ${host} domain is the one expected to apply.
cookie: cookieStringWithNameAndValueLengths(2048, 2048) +
`; domain=${"a".repeat(1020)}.com` +
`; domain=${"a".repeat(1020)}.com` +
`; domain=${"a".repeat(1020)}.com` +
`; domain=${"a".repeat(1020)}.com; domain=${host}`,
expected: cookieStringWithNameAndValueLengths(2048, 2048),
name: "Set cookie with max size name/value pair and multiple max size attributes (>8k bytes total)",
},
{
// 1024 digits: at the limit, and the cookie is still expected to be set.
cookie: `test=11; max-age=${"1".repeat(1024)};`,
expected: "test=11",
name: "Max length Max-Age attribute value (1024 bytes) doesn't cause cookie rejection"
},
{
// 1025 digits: over the limit. Only the attribute is affected; the cookie
// itself must not be rejected.
cookie: `test=12; max-age=${"1".repeat(1025)};`,
expected: "test=12",
name: "Too long Max-Age attribute value (>1024 bytes) doesn't cause cookie rejection"
},
{
// "-" + 1023 digits = exactly 1024 bytes. The negative Max-Age is honoured,
// so no cookie is expected to remain.
cookie: `test=13; max-age=-${"1".repeat(1023)};`,
expected: "",
name: "Max length negative Max-Age attribute value (1024 bytes) doesn't get ignored"
},
{
// "-" + 1024 digits = 1025 bytes. The negative Max-Age is dropped, so the
// cookie is expected to remain visible.
cookie: `test=14; max-age=-${"1".repeat(1024)};`,
expected: "test=14",
name: "Too long negative Max-Age attribute value (>1024 bytes) gets ignored"
},
];
// Register one HTTP cookie test per table entry. `defaultPath` is undefined
// for entries that do not set it, and is forwarded to the helper unchanged.
attrSizeTests.forEach(({ cookie, expected, name, defaultPath }) => {
  httpCookieTest(cookie, expected, name, defaultPath);
});
</script>
</body>
</html>