author | Patrick Griffis <pgriffis@igalia.com> | 2019-02-28 16:26:40 -0500 |
---|---|---|
committer | Patrick Griffis <pgriffis@igalia.com> | 2019-05-22 16:55:02 +0200 |
commit | 04d85e1b523f183f1c4f4d8e973a094f66cdf238 (patch) | |
tree | 8f614e1b668df297487e2b2193c12aaeb82dec5f /tests/cookies-test.c | |
parent | ca7762f78ca105902926f96f7d3316da4eba0a72 (diff) | |
download | libsoup-04d85e1b523f183f1c4f4d8e973a094f66cdf238.tar.gz |
Implement strict secure cookies
This prevents insecure origins from creating or modifying secure cookies.
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01
Diffstat (limited to 'tests/cookies-test.c')
-rw-r--r-- | tests/cookies-test.c | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/tests/cookies-test.c b/tests/cookies-test.c
index f2fcc63f..8161ce1b 100644
--- a/tests/cookies-test.c
+++ b/tests/cookies-test.c
@@ -209,6 +209,49 @@ do_cookies_subdomain_policy_test (void)
 g_object_unref (jar);
 }
+static void
+do_cookies_strict_secure_test (void)
+{
+ SoupCookieJar *jar;
+ GSList *cookies;
+ SoupURI *insecure_uri;
+ SoupURI *secure_uri;
+
+ insecure_uri = soup_uri_new ("http://gnome.org");
+ secure_uri = soup_uri_new ("https://gnome.org");
+ jar = soup_cookie_jar_new ();
+
+ /* Set a cookie from secure origin */
+ soup_cookie_jar_set_cookie (jar, secure_uri, "1=foo; secure");
+ cookies = soup_cookie_jar_all_cookies (jar);
+ g_assert_cmpint (g_slist_length (cookies), ==, 1);
+ g_assert_cmpstr (soup_cookie_get_value(cookies->data), ==, "foo");
+ g_slist_free_full (cookies, (GDestroyNotify)soup_cookie_free);
+
+ /* Do not allow an insecure origin to overwrite a secure cookie */
+ soup_cookie_jar_set_cookie (jar, insecure_uri, "1=bar");
+ cookies = soup_cookie_jar_all_cookies (jar);
+ g_assert_cmpint (g_slist_length (cookies), ==, 1);
+ g_assert_cmpstr (soup_cookie_get_value(cookies->data), ==, "foo");
+ g_slist_free_full (cookies, (GDestroyNotify)soup_cookie_free);
+
+ /* Secure can only be set by from secure origin */
+ soup_cookie_jar_set_cookie (jar, insecure_uri, "2=foo; secure");
+ cookies = soup_cookie_jar_all_cookies (jar);
+ g_assert_cmpint (g_slist_length (cookies), ==, 1);
+ g_slist_free_full (cookies, (GDestroyNotify)soup_cookie_free);
+
+ /* But we can make one for another path */
+ soup_cookie_jar_set_cookie (jar, insecure_uri, "1=foo; path=/foo");
+ cookies = soup_cookie_jar_all_cookies (jar);
+ g_assert_cmpint (g_slist_length (cookies), ==, 2);
+ g_slist_free_full (cookies, (GDestroyNotify)soup_cookie_free);
+
+ soup_uri_free (insecure_uri);
+ soup_uri_free (secure_uri);
+ g_object_unref (jar);
+}
+
 /* FIXME: moar tests! */
 static void
 do_cookies_parsing_test (void)
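Review bot: The last case accepts `1=foo; path=/foo` from `insecure_uri` and expects two cookies, which looks at odds with the draft linked in the commit message: as I read it, a non-secure cookie from an insecure origin is ignored when its name matches an existing secure cookie and its path path-matches that cookie's path, and `/foo` path-matches the `/` that the first cookie presumably defaulted to. If the jar is meant to follow the draft, this expectation should be `g_assert_cmpint (g_slist_length (cookies), ==, 1);`, with a separate case showing that a path which does not match is still accepted; if exact-path comparison is deliberate, a comment saying so would keep the test from reading as the draft's behaviour. The jar change itself is not in this view, so this concerns only what the test pins down. The second and third cases would also be stronger if they checked `soup_cookie_get_secure (cookies->data)` on the surviving cookie rather than only the count and value.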
@@ -361,6 +404,7 @@ main (int argc, char **argv)
 g_test_add_func ("/cookies/parsing/no-path-null-origin", do_cookies_parsing_nopath_nullorigin);
 g_test_add_func ("/cookies/get-cookies/empty-host", do_get_cookies_empty_host_test);
 g_test_add_func ("/cookies/remove-feature", do_remove_feature_test);
+ g_test_add_func ("/cookies/secure-cookies", do_cookies_strict_secure_test);
 ret = g_test_run (); |