author | Bob Long <robertjflong@gmail.com> | 2016-04-16 21:48:54 +0100 |
---|---|---|
committer | Jeremy Daer <jeremydaer@gmail.com> | 2016-04-17 17:58:15 -0700 |
commit | f0f828cc1499cf54495e545daecb992a21fef324 (patch) | |
tree | 6f68290a166e0c6e7888060053acf9884332a2bc /test/spec_response.rb | |
parent | 0c748485a93fcf806741e8afd4dcc10603bbcfcb (diff) | |

Validate the SameSite cookie option

The draft spec for the SameSite option mentions two configuration
options: Strict & Lax. This commit introduces validation of the
associated same_site attribute.

The main motivation for validating this value is ensuring that awry
option values don't cause unexpected behaviour. As this is a sensitive
security option, I think validation is warranted.

The main drawback of validating the option value is that Rack won't
immediately support new options.

Signed-off-by: Jeremy Daer <jeremydaer@gmail.com>

Diffstat (limited to 'test/spec_response.rb')
-rw-r--r-- | test/spec_response.rb | 46 |
1 files changed, 42 insertions, 4 deletions
diff --git a/test/spec_response.rb b/test/spec_response.rb index 70d81590..02e51435 100644 --- a/test/spec_response.rb +++ b/test/spec_response.rb 
@@ -115,18 +115,56 @@ describe Rack::Response do response["Set-Cookie"].must_equal "foo=bar" end - it "can set SameSite cookies with any truthy value" do + it "can set SameSite cookies with symbol value :lax" do response = Rack::Response.new - response.set_cookie "foo", {:value => "bar", :same_site => Object.new} - response["Set-Cookie"].must_equal "foo=bar; SameSite" + response.set_cookie "foo", {:value => "bar", :same_site => :lax} + response["Set-Cookie"].must_equal "foo=bar; SameSite=Lax" end - it "can set SameSite cookies with string value" do + it "can set SameSite cookies with symbol value :Lax" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :same_site => :lax} + response["Set-Cookie"].must_equal "foo=bar; SameSite=Lax" + end + + it "can set SameSite cookies with string value 'Lax'" do response = Rack::Response.new response.set_cookie "foo", {:value => "bar", :same_site => "Lax"} response["Set-Cookie"].must_equal "foo=bar; SameSite=Lax" end + it "can set SameSite cookies with boolean value true" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :same_site => true} + response["Set-Cookie"].must_equal "foo=bar; SameSite=Strict" + end + + it "can set SameSite cookies with symbol value :strict" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :same_site => :strict} + response["Set-Cookie"].must_equal "foo=bar; SameSite=Strict" + end + + it "can set SameSite cookies with symbol value :Strict" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :same_site => :Strict} + response["Set-Cookie"].must_equal "foo=bar; SameSite=Strict" + end + + it "can set SameSite cookies with string value 'Strict'" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :same_site => "Strict"} + response["Set-Cookie"].must_equal "foo=bar; SameSite=Strict" + end + + it "validates the SameSite option value" do + response = 
Rack::Response.new + lambda { + response.set_cookie "foo", {:value => "bar", :same_site => "Foo"} + }.must_raise(ArgumentError). + message.must_match(/Invalid SameSite value: "Foo"/) + end + it "can set SameSite cookies with symbol value" do response = Rack::Response.new response.set_cookie "foo", {:value => "bar", :same_site => :Strict} |
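
Review bot: The test named "can set SameSite cookies with symbol value :Lax" passes `:same_site => :lax`, so it repeats the preceding `:lax` test and the capitalized symbol is never exercised; change the argument to `:Lax`, as the matching `:Strict` test does. The unchanged test at the end of the hunk, "can set SameSite cookies with symbol value", also passes `:Strict` and now overlaps with the new "symbol value :Strict" test, so one of the two could go. The validation test covers only the string "Foo"; since the removed test accepted `Object.new`, a case for a value that is neither a string, a symbol nor a boolean would document how such input is handled now, and a case for `false` or `nil` would show that the attribute is omitted rather than rejected.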