search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 1931425 - Limit how often moz-label's #setStyles runs r=reusable-components-revie...
[gecko.git] / netwerk / test / gtest / TestCookie.cpp
blob13179317e57674d9806ad0c82972f9616a318c13
1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* This Source Code Form is subject to the terms of the Mozilla Public
3 * License, v. 2.0. If a copy of the MPL was not distributed with this
4 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5
6 #include "TestCommon.h"
7 #include "gtest/gtest.h"
8 #include "nsContentUtils.h"
9 #include "nsICookieService.h"
10 #include "nsICookieManager.h"
11 #include "nsICookie.h"
12 #include <stdio.h>
13 #include "plstr.h"
14 #include "nsNetUtil.h"
15 #include "nsIChannel.h"
16 #include "nsIPrincipal.h"
17 #include "nsIScriptSecurityManager.h"
18 #include "nsServiceManagerUtils.h"
19 #include "nsNetCID.h"
20 #include "nsIPrefBranch.h"
21 #include "nsIPrefService.h"
22 #include "mozilla/dom/Document.h"
23 #include "mozilla/gtest/MozAssertions.h"
24 #include "mozilla/Preferences.h"
25 #include "mozilla/Unused.h"
26 #include "mozilla/net/CookieJarSettings.h"
27 #include "Cookie.h"
28 #include "CookieParser.h"
29 #include "nsIURI.h"
30 #include "nsIConsoleReportCollector.h"
31
32 using namespace mozilla;
33 using namespace mozilla::net;
34
35 static NS_DEFINE_CID(kCookieServiceCID, NS_COOKIESERVICE_CID);
36 static NS_DEFINE_CID(kPrefServiceCID, NS_PREFSERVICE_CID);
37
38 // various pref strings
39 static const char kCookiesPermissions[] = "network.cookie.cookieBehavior";
40 static const char kCookiesMaxPerHost[] = "network.cookie.maxPerHost";
41
42 void SetACookieInternal(nsICookieService* aCookieService, const char* aSpec,
43 const nsTArray<const char*>& aCookieStrings,
44 bool aAllowed) {
45 nsCOMPtr<nsIURI> uri;
46 NS_NewURI(getter_AddRefs(uri), aSpec);
47
48 // We create a dummy channel using the aSpec to simulate same-siteness
49 nsresult rv0;
50 nsCOMPtr<nsIScriptSecurityManager> ssm =
51 do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv0);
52 ASSERT_NS_SUCCEEDED(rv0);
53 nsCOMPtr<nsIPrincipal> specPrincipal;
54 nsCString tmpString(aSpec);
55 ssm->CreateContentPrincipalFromOrigin(tmpString,
56 getter_AddRefs(specPrincipal));
57
58 nsCOMPtr<nsIChannel> dummyChannel;
59 NS_NewChannel(getter_AddRefs(dummyChannel), uri, specPrincipal,
60 nsILoadInfo::SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK,
61 nsIContentPolicy::TYPE_OTHER);
62
63 nsCOMPtr<nsICookieJarSettings> cookieJarSettings =
64 aAllowed
65 ? CookieJarSettings::Create(CookieJarSettings::eRegular,
66 /* shouldResistFingerprinting */ false)
67 : CookieJarSettings::GetBlockingAll(
68 /* shouldResistFingerprinting */ false);
69 MOZ_RELEASE_ASSERT(cookieJarSettings);
70
71 nsCOMPtr<nsILoadInfo> loadInfo = dummyChannel->LoadInfo();
72 loadInfo->SetCookieJarSettings(cookieJarSettings);
73
74 for (const char* cookieString : aCookieStrings) {
75 nsresult rv = aCookieService->SetCookieStringFromHttp(
76 uri, nsDependentCString(cookieString), dummyChannel);
77 EXPECT_NS_SUCCEEDED(rv);
78 }
79 }
80
81 void SetACookieJarBlocked(nsICookieService* aCookieService, const char* aSpec,
82 const char* aCookieString) {
83 nsTArray<const char*> cookieStrings;
84 cookieStrings.AppendElement(aCookieString);
85 SetACookieInternal(aCookieService, aSpec, cookieStrings, false);
86 }
87
88 void SetACookie(nsICookieService* aCookieService, const char* aSpec,
89 const char* aCookieString) {
90 nsTArray<const char*> cookieStrings;
91 cookieStrings.AppendElement(aCookieString);
92 SetACookieInternal(aCookieService, aSpec, cookieStrings, true);
93 }
94
95 void SetACookie(nsICookieService* aCookieService, const char* aSpec,
96 const nsTArray<const char*>& aCookieStrings) {
97 SetACookieInternal(aCookieService, aSpec, aCookieStrings, true);
98 }
99
100 // The cookie string is returned via aCookie.
101 void GetACookie(nsICookieService* aCookieService, const char* aSpec,
102 nsACString& aCookie) {
103 nsCOMPtr<nsIURI> uri;
104 NS_NewURI(getter_AddRefs(uri), aSpec);
105
106 nsCOMPtr<nsIIOService> service = do_GetIOService();
107
108 nsCOMPtr<nsIChannel> channel;
109 Unused << service->NewChannelFromURI(
110 uri, nullptr, nsContentUtils::GetSystemPrincipal(),
111 nsContentUtils::GetSystemPrincipal(), 0, nsIContentPolicy::TYPE_DOCUMENT,
112 getter_AddRefs(channel));
113
114 Unused << aCookieService->GetCookieStringFromHttp(uri, channel, aCookie);
115 }
116
117 // The cookie string is returned via aCookie.
118 void GetACookieNoHttp(nsICookieService* aCookieService, const char* aSpec,
119 nsACString& aCookie) {
120 nsCOMPtr<nsIURI> uri;
121 NS_NewURI(getter_AddRefs(uri), aSpec);
122
123 RefPtr<BasePrincipal> principal =
124 BasePrincipal::CreateContentPrincipal(uri, OriginAttributes());
125 MOZ_RELEASE_ASSERT(principal);
126
127 nsCOMPtr<mozilla::dom::Document> document;
128 nsresult rv = NS_NewDOMDocument(getter_AddRefs(document),
129 u""_ns, // aNamespaceURI
130 u""_ns, // aQualifiedName
131 nullptr, // aDoctype
132 uri, uri, principal,
133 false, // aLoadedAsData
134 nullptr, // aEventObject
135 DocumentFlavorHTML);
136 Unused << NS_WARN_IF(NS_FAILED(rv));
137
138 nsAutoString cookie;
139 ErrorResult err;
140 document->GetCookie(cookie, err);
141 EXPECT_TRUE(!err.Failed());
142
143 CopyUTF16toUTF8(cookie, aCookie);
144 }
145
146 // some #defines for comparison rules
147 #define MUST_BE_NULL 0
148 #define MUST_EQUAL 1
149 #define MUST_CONTAIN 2
150 #define MUST_NOT_CONTAIN 3
151 #define MUST_NOT_EQUAL 4
152
153 // a simple helper function to improve readability:
154 // takes one of the #defined rules above, and performs the appropriate test.
155 // true means the test passed; false means the test failed.
156 static inline bool CheckResult(const char* aLhs, uint32_t aRule,
157 const char* aRhs = nullptr) {
158 switch (aRule) {
159 case MUST_BE_NULL:
160 return !aLhs || !*aLhs;
161
162 case MUST_EQUAL:
163 return !PL_strcmp(aLhs, aRhs);
164
165 case MUST_NOT_EQUAL:
166 return PL_strcmp(aLhs, aRhs);
167
168 case MUST_CONTAIN:
169 return strstr(aLhs, aRhs) != nullptr;
170
171 case MUST_NOT_CONTAIN:
172 return strstr(aLhs, aRhs) == nullptr;
173
174 default:
175 return false; // failure
176 }
177 }
178
179 void InitPrefs(nsIPrefBranch* aPrefBranch) {
180 // init some relevant prefs, so the tests don't go awry.
181 // we use the most restrictive set of prefs we can;
182 // however, we don't test third party blocking here.
183 aPrefBranch->SetIntPref(kCookiesPermissions, 0); // accept all
184 // Set quotaPerHost to maxPerHost - 1, so there is only one cookie
185 // will be evicted everytime.
186 aPrefBranch->SetIntPref(kPrefCookieQuotaPerHost, 49);
187 // Set the base domain limit to 50 so we have a known value.
188 aPrefBranch->SetIntPref(kCookiesMaxPerHost, 50);
189
190 // SameSite=None by default. We have other tests for lax-by-default.
191 // XXX: Bug 1617611 - Fix all the tests broken by "cookies SameSite=Lax by
192 // default"
193 Preferences::SetBool("network.cookie.sameSite.laxByDefault", false);
194 Preferences::SetBool("network.cookieJarSettings.unblocked_for_testing", true);
195 Preferences::SetBool("dom.securecontext.allowlist_onions", false);
196 Preferences::SetBool("network.cookie.sameSite.schemeful", false);
197
198 // Disable a few security checks for document.cookie
199 Preferences::SetBool("dom.cookie.testing.enabled", true);
200 }
201
202 TEST(TestCookie, TestCookieMain)
203 {
204 nsresult rv0;
205
206 nsCOMPtr<nsICookieService> cookieService =
207 do_GetService(kCookieServiceCID, &rv0);
208 ASSERT_NS_SUCCEEDED(rv0);
209
210 nsCOMPtr<nsIPrefBranch> prefBranch = do_GetService(kPrefServiceCID, &rv0);
211 ASSERT_NS_SUCCEEDED(rv0);
212
213 InitPrefs(prefBranch);
214
215 nsCString cookie;
216
217 /* The basic idea behind these tests is the following:
218 *
219 * we set() some cookie, then try to get() it in various ways. we have
220 * several possible tests we perform on the cookie string returned from
221 * get():
222 *
223 * a) check whether the returned string is null (i.e. we got no cookies
224 * back). this is used e.g. to ensure a given cookie was deleted
225 * correctly, or to ensure a certain cookie wasn't returned to a given
226 * host.
227 * b) check whether the returned string exactly matches a given string.
228 * this is used where we want to make sure our cookie service adheres to
229 * some strict spec (e.g. ordering of multiple cookies), or where we
230 * just know exactly what the returned string should be.
231 * c) check whether the returned string contains/does not contain a given
232 * string. this is used where we don't know/don't care about the
233 * ordering of multiple cookies - we just want to make sure the cookie
234 * string contains them all, in some order.
235 *
236 * NOTE: this testsuite is not yet comprehensive or complete, and is
237 * somewhat contrived - still under development, and needs improving!
238 */
239
240 // test some basic variations of the domain & path
241 SetACookie(cookieService, "http://www.basic.com", "test=basic");
242 GetACookie(cookieService, "http://www.basic.com", cookie);
243 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=basic"));
244 GetACookie(cookieService, "http://www.basic.com/testPath/testfile.txt",
245 cookie);
246 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=basic"));
247 GetACookie(cookieService, "http://www.basic.com./", cookie);
248 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
249 GetACookie(cookieService, "http://www.basic.com.", cookie);
250 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
251 GetACookie(cookieService, "http://www.basic.com./testPath/testfile.txt",
252 cookie);
253 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
254 GetACookie(cookieService, "http://www.basic2.com/", cookie);
255 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
256 SetACookie(cookieService, "http://www.basic.com", "test=basic; max-age=-1");
257 GetACookie(cookieService, "http://www.basic.com/", cookie);
258 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
259
260 // *** domain tests
261
262 // test some variations of the domain & path, for different domains of
263 // a domain cookie
264 SetACookie(cookieService, "http://www.domain.com",
265 "test=domain; domain=domain.com");
266 GetACookie(cookieService, "http://domain.com", cookie);
267 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=domain"));
268 GetACookie(cookieService, "http://domain.com.", cookie);
269 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
270 GetACookie(cookieService, "http://www.domain.com", cookie);
271 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=domain"));
272 GetACookie(cookieService, "http://foo.domain.com", cookie);
273 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=domain"));
274 SetACookie(cookieService, "http://www.domain.com",
275 "test=domain; domain=domain.com; max-age=-1");
276 GetACookie(cookieService, "http://domain.com", cookie);
277 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
278
279 SetACookie(cookieService, "http://www.domain.com",
280 "test=domain; domain=.domain.com");
281 GetACookie(cookieService, "http://domain.com", cookie);
282 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=domain"));
283 GetACookie(cookieService, "http://www.domain.com", cookie);
284 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=domain"));
285 GetACookie(cookieService, "http://bah.domain.com", cookie);
286 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=domain"));
287 SetACookie(cookieService, "http://www.domain.com",
288 "test=domain; domain=.domain.com; max-age=-1");
289 GetACookie(cookieService, "http://domain.com", cookie);
290 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
291
292 SetACookie(cookieService, "http://www.domain.com",
293 "test=domain; domain=.foo.domain.com");
294 GetACookie(cookieService, "http://foo.domain.com", cookie);
295 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
296
297 SetACookie(cookieService, "http://www.domain.com",
298 "test=domain; domain=moose.com");
299 GetACookie(cookieService, "http://foo.domain.com", cookie);
300 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
301
302 SetACookie(cookieService, "http://www.domain.com",
303 "test=domain; domain=domain.com.");
304 GetACookie(cookieService, "http://foo.domain.com", cookie);
305 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
306
307 SetACookie(cookieService, "http://www.domain.com",
308 "test=domain; domain=..domain.com");
309 GetACookie(cookieService, "http://foo.domain.com", cookie);
310 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
311
312 SetACookie(cookieService, "http://www.domain.com",
313 "test=domain; domain=..domain.com.");
314 GetACookie(cookieService, "http://foo.domain.com", cookie);
315 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
316
317 SetACookie(cookieService, "http://path.net/path/file",
318 R"(test=taco; path="/bogus")");
319 GetACookie(cookieService, "http://path.net/path/file", cookie);
320 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=taco"));
321 SetACookie(cookieService, "http://path.net/path/file",
322 "test=taco; max-age=-1");
323 GetACookie(cookieService, "http://path.net/path/file", cookie);
324 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
325
326 // *** path tests
327
328 // test some variations of the domain & path, for different paths of
329 // a path cookie
330 SetACookie(cookieService, "http://path.net/path/file",
331 "test=path; path=/path");
332 GetACookie(cookieService, "http://path.net/path", cookie);
333 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=path"));
334 GetACookie(cookieService, "http://path.net/path/", cookie);
335 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=path"));
336 GetACookie(cookieService, "http://path.net/path/hithere.foo", cookie);
337 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=path"));
338 GetACookie(cookieService, "http://path.net/path?hithere/foo", cookie);
339 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=path"));
340 GetACookie(cookieService, "http://path.net/path2", cookie);
341 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
342 GetACookie(cookieService, "http://path.net/path2/", cookie);
343 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
344 SetACookie(cookieService, "http://path.net/path/file",
345 "test=path; path=/path; max-age=-1");
346 GetACookie(cookieService, "http://path.net/path/", cookie);
347 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
348
349 SetACookie(cookieService, "http://path.net/path/file",
350 "test=path; path=/path/");
351 GetACookie(cookieService, "http://path.net/path", cookie);
352 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
353 GetACookie(cookieService, "http://path.net/path/", cookie);
354 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=path"));
355 SetACookie(cookieService, "http://path.net/path/file",
356 "test=path; path=/path/; max-age=-1");
357 GetACookie(cookieService, "http://path.net/path/", cookie);
358 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
359
360 // note that a site can set a cookie for a path it's not on.
361 // this is an intentional deviation from spec (see comments in
362 // CookieService::CheckPath()), so we test this functionality too
363 SetACookie(cookieService, "http://path.net/path/file",
364 "test=path; path=/foo/");
365 GetACookie(cookieService, "http://path.net/path", cookie);
366 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
367 GetACookie(cookieService, "http://path.net/foo", cookie);
368 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
369 SetACookie(cookieService, "http://path.net/path/file",
370 "test=path; path=/foo/; max-age=-1");
371 GetACookie(cookieService, "http://path.net/foo/", cookie);
372 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
373
374 // attributes with size > 1024 are ignored.
375 SetACookie(
376 cookieService, "http://path.net/",
377 "test=path; "
378 "path=/"
379 "123456789012345678901234567890123456789012345678901234567890123456789012"
380 "345678901234567890123456789012345678901234567890123456789012345678901234"
381 "567890123456789012345678901234567890123456789012345678901234567890123456"
382 "789012345678901234567890123456789012345678901234567890123456789012345678"
383 "901234567890123456789012345678901234567890123456789012345678901234567890"
384 "123456789012345678901234567890123456789012345678901234567890123456789012"
385 "345678901234567890123456789012345678901234567890123456789012345678901234"
386 "567890123456789012345678901234567890123456789012345678901234567890123456"
387 "789012345678901234567890123456789012345678901234567890123456789012345678"
388 "901234567890123456789012345678901234567890123456789012345678901234567890"
389 "123456789012345678901234567890123456789012345678901234567890123456789012"
390 "345678901234567890123456789012345678901234567890123456789012345678901234"
391 "567890123456789012345678901234567890123456789012345678901234567890123456"
392 "789012345678901234567890123456789012345678901234567890123456789012345678"
393 "9012345678901234567890/");
394 GetACookie(
395 cookieService,
396 "http://path.net/"
397 "123456789012345678901234567890123456789012345678901234567890123456789012"
398 "345678901234567890123456789012345678901234567890123456789012345678901234"
399 "567890123456789012345678901234567890123456789012345678901234567890123456"
400 "789012345678901234567890123456789012345678901234567890123456789012345678"
401 "901234567890123456789012345678901234567890123456789012345678901234567890"
402 "123456789012345678901234567890123456789012345678901234567890123456789012"
403 "345678901234567890123456789012345678901234567890123456789012345678901234"
404 "567890123456789012345678901234567890123456789012345678901234567890123456"
405 "789012345678901234567890123456789012345678901234567890123456789012345678"
406 "901234567890123456789012345678901234567890123456789012345678901234567890"
407 "123456789012345678901234567890123456789012345678901234567890123456789012"
408 "345678901234567890123456789012345678901234567890123456789012345678901234"
409 "567890123456789012345678901234567890123456789012345678901234567890123456"
410 "789012345678901234567890123456789012345678901234567890123456789012345678"
411 "9012345678901234567890",
412 cookie);
413 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=path"));
414 GetACookie(cookieService, "http://path.net/", cookie);
415 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=path"));
416 // the following cookie has a path > 1024 bytes implicitly specified by the
417 // uri path
418 SetACookie(
419 cookieService,
420 "http://longpath.net/"
421 "123456789012345678901234567890123456789012345678901234567890123456789012"
422 "345678901234567890123456789012345678901234567890123456789012345678901234"
423 "567890123456789012345678901234567890123456789012345678901234567890123456"
424 "789012345678901234567890123456789012345678901234567890123456789012345678"
425 "901234567890123456789012345678901234567890123456789012345678901234567890"
426 "123456789012345678901234567890123456789012345678901234567890123456789012"
427 "345678901234567890123456789012345678901234567890123456789012345678901234"
428 "567890123456789012345678901234567890123456789012345678901234567890123456"
429 "789012345678901234567890123456789012345678901234567890123456789012345678"
430 "901234567890123456789012345678901234567890123456789012345678901234567890"
431 "123456789012345678901234567890123456789012345678901234567890123456789012"
432 "345678901234567890123456789012345678901234567890123456789012345678901234"
433 "567890123456789012345678901234567890123456789012345678901234567890123456"
434 "789012345678901234567890123456789012345678901234567890123456789012345678"
435 "9012345678901234567890/",
436 "test=path");
437 GetACookie(
438 cookieService,
439 "http://longpath.net/"
440 "123456789012345678901234567890123456789012345678901234567890123456789012"
441 "345678901234567890123456789012345678901234567890123456789012345678901234"
442 "567890123456789012345678901234567890123456789012345678901234567890123456"
443 "789012345678901234567890123456789012345678901234567890123456789012345678"
444 "901234567890123456789012345678901234567890123456789012345678901234567890"
445 "123456789012345678901234567890123456789012345678901234567890123456789012"
446 "345678901234567890123456789012345678901234567890123456789012345678901234"
447 "567890123456789012345678901234567890123456789012345678901234567890123456"
448 "789012345678901234567890123456789012345678901234567890123456789012345678"
449 "901234567890123456789012345678901234567890123456789012345678901234567890"
450 "123456789012345678901234567890123456789012345678901234567890123456789012"
451 "345678901234567890123456789012345678901234567890123456789012345678901234"
452 "567890123456789012345678901234567890123456789012345678901234567890123456"
453 "789012345678901234567890123456789012345678901234567890123456789012345678"
454 "9012345678901234567890/",
455 cookie);
456 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
457 // the following cookie includes a tab in the path
458 SetACookie(cookieService, "http://pathwithtab.net/",
459 "test=path; path=/foo\tbar/");
460 GetACookie(cookieService, "http://pathwithtab.net/foo\tbar/", cookie);
461 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
462 // the following cookie includes a tab in the name
463 SetACookie(cookieService, "http://pathwithtab.net/", "test\ttabs=tab");
464 GetACookie(cookieService, "http://pathwithtab.net/", cookie);
465 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test\ttabs=tab"));
466 // the following cookie includes a tab in the value - allowed
467 SetACookie(cookieService, "http://pathwithtab.net/", "test=tab\ttest");
468 GetACookie(cookieService, "http://pathwithtab.net/", cookie);
469 EXPECT_TRUE(
470 CheckResult(cookie.get(), MUST_EQUAL, "test\ttabs=tab; test=tab\ttest"));
471 SetACookie(cookieService, "http://pathwithtab.net/",
472 "test=tab\ttest; max-age=-1");
473 GetACookie(cookieService, "http://pathwithtab.net/", cookie);
474 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test\ttabs=tab"));
475
476 // *** expiry & deletion tests
477 // XXX add server time str parsing tests here
478
479 // test some variations of the expiry time,
480 // and test deletion of previously set cookies
481 SetACookie(cookieService, "http://expireme.org/", "test=expiry; max-age=-1");
482 GetACookie(cookieService, "http://expireme.org/", cookie);
483 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
484 SetACookie(cookieService, "http://expireme.org/", "test=expiry; max-age=0");
485 GetACookie(cookieService, "http://expireme.org/", cookie);
486 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
487 SetACookie(cookieService, "http://expireme.org/", "test=expiry; expires=bad");
488 GetACookie(cookieService, "http://expireme.org/", cookie);
489 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=expiry"));
490 SetACookie(cookieService, "http://expireme.org/",
491 "test=expiry; expires=Thu, 10 Apr 1980 16:33:12 GMT");
492 GetACookie(cookieService, "http://expireme.org/", cookie);
493 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
494 SetACookie(cookieService, "http://expireme.org/",
495 R"(test=expiry; expires="Thu, 10 Apr 1980 16:33:12 GMT)");
496 GetACookie(cookieService, "http://expireme.org/", cookie);
497 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
498 SetACookie(cookieService, "http://expireme.org/",
499 R"(test=expiry; expires="Thu, 10 Apr 1980 16:33:12 GMT")");
500 GetACookie(cookieService, "http://expireme.org/", cookie);
501 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
502
503 SetACookie(cookieService, "http://expireme.org/", "test=expiry; max-age=60");
504 GetACookie(cookieService, "http://expireme.org/", cookie);
505 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=expiry"));
506 SetACookie(cookieService, "http://expireme.org/", "test=expiry; max-age=-20");
507 GetACookie(cookieService, "http://expireme.org/", cookie);
508 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
509 SetACookie(cookieService, "http://expireme.org/", "test=expiry; max-age=60");
510 GetACookie(cookieService, "http://expireme.org/", cookie);
511 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=expiry"));
512 SetACookie(cookieService, "http://expireme.org/",
513 "test=expiry; expires=Thu, 10 Apr 1980 16:33:12 GMT");
514 GetACookie(cookieService, "http://expireme.org/", cookie);
515 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
516 SetACookie(cookieService, "http://expireme.org/", "test=expiry; max-age=60");
517 SetACookie(cookieService, "http://expireme.org/",
518 "newtest=expiry; max-age=60");
519 GetACookie(cookieService, "http://expireme.org/", cookie);
520 EXPECT_TRUE(CheckResult(cookie.get(), MUST_CONTAIN, "test=expiry"));
521 EXPECT_TRUE(CheckResult(cookie.get(), MUST_CONTAIN, "newtest=expiry"));
522 SetACookie(cookieService, "http://expireme.org/",
523 "test=differentvalue; max-age=0");
524 GetACookie(cookieService, "http://expireme.org/", cookie);
525 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "newtest=expiry"));
526 SetACookie(cookieService, "http://expireme.org/",
527 "newtest=evendifferentvalue; max-age=0");
528 GetACookie(cookieService, "http://expireme.org/", cookie);
529 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
530
531 SetACookie(cookieService, "http://foo.expireme.org/",
532 "test=expiry; domain=.expireme.org; max-age=60");
533 GetACookie(cookieService, "http://expireme.org/", cookie);
534 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=expiry"));
535 SetACookie(cookieService, "http://bar.expireme.org/",
536 "test=differentvalue; domain=.expireme.org; max-age=0");
537 GetACookie(cookieService, "http://expireme.org/", cookie);
538 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
539
540 nsAutoCString ServerTime;
541 nsAutoCString CookieString;
542
543 // *** multiple cookie tests
544
545 // test the setting of multiple cookies, and test the order of precedence
546 // (a later cookie overwriting an earlier one, in the same header string)
547 SetACookie(cookieService, "http://multiple.cookies/",
548 nsTArray<const char*>{
549 "test=multiple; domain=.multiple.cookies ", " test=different ",
550 " test=same; domain=.multiple.cookies ", "newtest=ciao ",
551 "newtest=foo; max-age=-6 ", " newtest=reincarnated"});
552 GetACookie(cookieService, "http://multiple.cookies/", cookie);
553 EXPECT_TRUE(CheckResult(cookie.get(), MUST_NOT_CONTAIN, "test=multiple"));
554 EXPECT_TRUE(CheckResult(cookie.get(), MUST_CONTAIN, "test=different"));
555 EXPECT_TRUE(CheckResult(cookie.get(), MUST_CONTAIN, "test=same"));
556 EXPECT_TRUE(CheckResult(cookie.get(), MUST_NOT_CONTAIN, "newtest=ciao"));
557 EXPECT_TRUE(CheckResult(cookie.get(), MUST_NOT_CONTAIN, "newtest=foo"));
558 EXPECT_TRUE(CheckResult(cookie.get(), MUST_CONTAIN, "newtest=reincarnated"));
559 SetACookie(cookieService, "http://multiple.cookies/",
560 "test=expiry; domain=.multiple.cookies; max-age=0");
561 GetACookie(cookieService, "http://multiple.cookies/", cookie);
562 EXPECT_TRUE(CheckResult(cookie.get(), MUST_NOT_CONTAIN, "test=same"));
563 SetACookie(cookieService, "http://multiple.cookies/",
564 nsTArray<const char*>{"", " test=different; max-age=0 ", ""});
565 GetACookie(cookieService, "http://multiple.cookies/", cookie);
566 EXPECT_TRUE(CheckResult(cookie.get(), MUST_NOT_CONTAIN, "test=different"));
567 SetACookie(cookieService, "http://multiple.cookies/",
568 "newtest=dead; max-age=0");
569 GetACookie(cookieService, "http://multiple.cookies/", cookie);
570 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
571
572 // *** parser tests
573
574 // test the cookie header parser, under various circumstances.
575 SetACookie(cookieService, "http://parser.test/",
576 "test=parser; domain=.parser.test; ;; ;=; ,,, ===,abc,=; "
577 "abracadabra! max-age=20;=;;");
578 GetACookie(cookieService, "http://parser.test/", cookie);
579 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=parser"));
580 SetACookie(cookieService, "http://parser.test/",
581 "test=parser; domain=.parser.test; max-age=0");
582 GetACookie(cookieService, "http://parser.test/", cookie);
583 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
584 SetACookie(cookieService, "http://parser.test/",
585 nsTArray<const char*>{
586 "test=\"fubar! = foo;bar\\\";\" parser; domain=.parser.test; "
587 "max-age=6",
588 "five; max-age=2.63,"});
589 GetACookie(cookieService, "http://parser.test/", cookie);
590 EXPECT_TRUE(CheckResult(cookie.get(), MUST_CONTAIN, R"(test="fubar! = foo)"));
591 EXPECT_TRUE(CheckResult(cookie.get(), MUST_CONTAIN, "five"));
592 SetACookie(cookieService, "http://parser.test/",
593 nsTArray<const char*>{"test=kill; domain=.parser.test; max-age=0 ",
594 " five; max-age=0"});
595 GetACookie(cookieService, "http://parser.test/", cookie);
596 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
597
598 // test the handling of VALUE-only cookies (see bug 169091),
599 // i.e. "six" should assume an empty NAME, which allows other VALUE-only
600 // cookies to overwrite it
601 SetACookie(cookieService, "http://parser.test/", "six");
602 GetACookie(cookieService, "http://parser.test/", cookie);
603 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "six"));
604 SetACookie(cookieService, "http://parser.test/", "seven");
605 GetACookie(cookieService, "http://parser.test/", cookie);
606 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "seven"));
607 SetACookie(cookieService, "http://parser.test/", " =eight");
608 GetACookie(cookieService, "http://parser.test/", cookie);
609 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "eight"));
610 SetACookie(cookieService, "http://parser.test/", "test=six");
611 GetACookie(cookieService, "http://parser.test/", cookie);
612 EXPECT_TRUE(CheckResult(cookie.get(), MUST_CONTAIN, "test=six"));
613
614 // *** path ordering tests
615
616 // test that cookies are returned in path order - longest to shortest.
617 // if the header doesn't specify a path, it's taken from the host URI.
618 SetACookie(cookieService, "http://multi.path.tests/",
619 "test1=path; path=/one/two/three");
620 SetACookie(cookieService, "http://multi.path.tests/",
621 nsTArray<const char*>{"test2=path; path=/one ",
622 " test3=path; path=/one/two/three/four ",
623 " test4=path; path=/one/two ",
624 " test5=path; path=/one/two/"});
625 SetACookie(cookieService, "http://multi.path.tests/one/two/three/four/five/",
626 "test6=path");
627 SetACookie(cookieService,
628 "http://multi.path.tests/one/two/three/four/five/six/",
629 "test7=path; path=");
630 SetACookie(cookieService, "http://multi.path.tests/", "test8=path; path=/");
631 GetACookie(cookieService,
632 "http://multi.path.tests/one/two/three/four/five/six/", cookie);
633 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL,
634 "test7=path; test6=path; test3=path; test1=path; "
635 "test5=path; test4=path; test2=path; test8=path"));
636
637 // *** Cookie prefix tests
638
639 // prefixed cookies can't be set from insecure HTTP
640 SetACookie(cookieService, "http://prefixed.test/", "__Secure-test1=test");
641 SetACookie(cookieService, "http://prefixed.test/",
642 "__Secure-test2=test; secure");
643 SetACookie(cookieService, "http://prefixed.test/", "__Host-test1=test");
644 SetACookie(cookieService, "http://prefixed.test/",
645 "__Host-test2=test; secure");
646 GetACookie(cookieService, "http://prefixed.test/", cookie);
647 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
648
649 // prefixed cookies won't be set without the secure flag
650 SetACookie(cookieService, "https://prefixed.test/", "__Secure-test=test");
651 SetACookie(cookieService, "https://prefixed.test/", "__Host-test=test");
652 GetACookie(cookieService, "https://prefixed.test/", cookie);
653 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
654
655 // prefixed cookies can be set when done correctly
656 SetACookie(cookieService, "https://prefixed.test/",
657 "__Secure-test=test; secure");
658 SetACookie(cookieService, "https://prefixed.test/",
659 "__Host-test=test; secure");
660 GetACookie(cookieService, "https://prefixed.test/", cookie);
661 EXPECT_TRUE(CheckResult(cookie.get(), MUST_CONTAIN, "__Secure-test=test"));
662 EXPECT_TRUE(CheckResult(cookie.get(), MUST_CONTAIN, "__Host-test=test"));
663
664 // but when set must not be returned to the host insecurely
665 GetACookie(cookieService, "http://prefixed.test/", cookie);
666 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
667
668 // Host-prefixed cookies cannot specify a domain
669 SetACookie(cookieService, "https://host.prefixed.test/",
670 "__Host-a=test; secure; domain=prefixed.test");
671 SetACookie(cookieService, "https://host.prefixed.test/",
672 "__Host-b=test; secure; domain=.prefixed.test");
673 SetACookie(cookieService, "https://host.prefixed.test/",
674 "__Host-c=test; secure; domain=host.prefixed.test");
675 SetACookie(cookieService, "https://host.prefixed.test/",
676 "__Host-d=test; secure; domain=.host.prefixed.test");
677 GetACookie(cookieService, "https://host.prefixed.test/", cookie);
678 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
679
680 // Host-prefixed cookies can only have a path of "/"
681 SetACookie(cookieService, "https://host.prefixed.test/some/path",
682 "__Host-e=test; secure");
683 SetACookie(cookieService, "https://host.prefixed.test/some/path",
684 "__Host-f=test; secure; path=/");
685 SetACookie(cookieService, "https://host.prefixed.test/some/path",
686 "__Host-g=test; secure; path=/some");
687 GetACookie(cookieService, "https://host.prefixed.test/", cookie);
688 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "__Host-f=test"));
689
690 // *** leave-secure-alone tests
691
692 // testing items 0 & 1 for 3.1 of spec Deprecate modification of ’secure’
693 // cookies from non-secure origins
694 SetACookie(cookieService, "http://www.security.test/",
695 "test=non-security; secure");
696 GetACookieNoHttp(cookieService, "https://www.security.test/", cookie);
697 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
698 SetACookie(cookieService, "https://www.security.test/path/",
699 "test=security; secure; path=/path/");
700 GetACookieNoHttp(cookieService, "https://www.security.test/path/", cookie);
701 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=security"));
702 // testing items 2 & 3 & 4 for 3.2 of spec Deprecate modification of ’secure’
703 // cookies from non-secure origins
704 // Secure site can modify cookie value
705 SetACookie(cookieService, "https://www.security.test/path/",
706 "test=security2; secure; path=/path/");
707 GetACookieNoHttp(cookieService, "https://www.security.test/path/", cookie);
708 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=security2"));
709 // If new cookie contains same name, same host and partially matching path
710 // with an existing security cookie on non-security site, it can't modify an
711 // existing security cookie.
712 SetACookie(cookieService, "http://www.security.test/path/foo/",
713 "test=non-security; path=/path/foo");
714 GetACookieNoHttp(cookieService, "https://www.security.test/path/foo/",
715 cookie);
716 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=security2"));
717 // Non-secure cookie can set by same name, same host and non-matching path.
718 SetACookie(cookieService, "http://www.security.test/bar/",
719 "test=non-security; path=/bar");
720 GetACookieNoHttp(cookieService, "http://www.security.test/bar/", cookie);
721 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=non-security"));
722 // Modify value and downgrade secure level.
723 SetACookie(
724 cookieService, "https://www.security.test/",
725 "test_modify_cookie=security-cookie; secure; domain=.security.test");
726 GetACookieNoHttp(cookieService, "https://www.security.test/", cookie);
727 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL,
728 "test_modify_cookie=security-cookie"));
729 SetACookie(cookieService, "https://www.security.test/",
730 "test_modify_cookie=non-security-cookie; domain=.security.test");
731 GetACookieNoHttp(cookieService, "https://www.security.test/", cookie);
732 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL,
733 "test_modify_cookie=non-security-cookie"));
734
735 // Test the non-security cookie can set when domain or path not same to secure
736 // cookie of same name.
737 SetACookie(cookieService, "https://www.security.test/", "test=security3");
738 GetACookieNoHttp(cookieService, "http://www.security.test/", cookie);
739 EXPECT_TRUE(CheckResult(cookie.get(), MUST_CONTAIN, "test=security3"));
740 SetACookie(cookieService, "http://www.security.test/",
741 "test=non-security2; domain=security.test");
742 GetACookieNoHttp(cookieService, "http://www.security.test/", cookie);
743 EXPECT_TRUE(CheckResult(cookie.get(), MUST_CONTAIN, "test=non-security2"));
744
745 // *** nsICookieManager interface tests
746 nsCOMPtr<nsICookieManager> cookieMgr =
747 do_GetService(NS_COOKIEMANAGER_CONTRACTID, &rv0);
748 ASSERT_NS_SUCCEEDED(rv0);
749
750 const nsCOMPtr<nsICookieManager>& cookieMgr2 = cookieMgr;
751 ASSERT_TRUE(cookieMgr2);
752
753 mozilla::OriginAttributes attrs;
754
755 // first, ensure a clean slate
756 EXPECT_NS_SUCCEEDED(cookieMgr->RemoveAll());
757 // add some cookies
758 EXPECT_TRUE(NS_SUCCEEDED(cookieMgr2->AddNative("cookiemgr.test"_ns, // domain
759 "/foo"_ns, // path
760 "test1"_ns, // name
761 "yes"_ns, // value
762 false, // is secure
763 false, // is httponly
764 true, // is session
765 INT64_MAX, // expiry time
766 &attrs, // originAttributes
767 nsICookie::SAMESITE_NONE,
768 nsICookie::SCHEME_HTTPS,
769 false, // is partitioned
770 nullptr // operation ID
771 )));
772 EXPECT_TRUE(NS_SUCCEEDED(cookieMgr2->AddNative(
773 "cookiemgr.test"_ns, // domain
774 "/foo"_ns, // path
775 "test2"_ns, // name
776 "yes"_ns, // value
777 false, // is secure
778 true, // is httponly
779 true, // is session
780 PR_Now() / PR_USEC_PER_SEC + 2, // expiry time
781 &attrs, // originAttributes
782 nsICookie::SAMESITE_NONE, nsICookie::SCHEME_HTTPS,
783 false, // is partitioned
784 nullptr // operation ID
785 )));
786 EXPECT_TRUE(NS_SUCCEEDED(cookieMgr2->AddNative("new.domain"_ns, // domain
787 "/rabbit"_ns, // path
788 "test3"_ns, // name
789 "yes"_ns, // value
790 false, // is secure
791 false, // is httponly
792 true, // is session
793 INT64_MAX, // expiry time
794 &attrs, // originAttributes
795 nsICookie::SAMESITE_NONE,
796 nsICookie::SCHEME_HTTPS,
797 false, // is partitioned
798 nullptr // operation ID
799 )));
800 // confirm using enumerator
801 nsTArray<RefPtr<nsICookie>> cookies;
802 EXPECT_NS_SUCCEEDED(cookieMgr->GetCookies(cookies));
803 nsCOMPtr<nsICookie> expiredCookie, newDomainCookie;
804 for (const auto& cookie : cookies) {
805 nsAutoCString name;
806 cookie->GetName(name);
807 if (name.EqualsLiteral("test2")) {
808 expiredCookie = cookie;
809 } else if (name.EqualsLiteral("test3")) {
810 newDomainCookie = cookie;
811 }
812 }
813 EXPECT_EQ(cookies.Length(), 3ul);
814 // check the httpOnly attribute of the second cookie is honored
815 GetACookie(cookieService, "http://cookiemgr.test/foo/", cookie);
816 EXPECT_TRUE(CheckResult(cookie.get(), MUST_CONTAIN, "test2=yes"));
817 GetACookieNoHttp(cookieService, "http://cookiemgr.test/foo/", cookie);
818 EXPECT_TRUE(CheckResult(cookie.get(), MUST_NOT_CONTAIN, "test2=yes"));
819 // check CountCookiesFromHost()
820 uint32_t hostCookies = 0;
821 EXPECT_TRUE(NS_SUCCEEDED(
822 cookieMgr2->CountCookiesFromHost("cookiemgr.test"_ns, &hostCookies)));
823 EXPECT_EQ(hostCookies, 2u);
824 // check CookieExistsNative() using the third cookie
825 bool found;
826 EXPECT_TRUE(NS_SUCCEEDED(cookieMgr2->CookieExistsNative(
827 "new.domain"_ns, "/rabbit"_ns, "test3"_ns, &attrs, &found)));
828 EXPECT_TRUE(found);
829
830 // sleep four seconds, to make sure the second cookie has expired
831 PR_Sleep(4 * PR_TicksPerSecond());
832 // check that both CountCookiesFromHost() and CookieExistsNative() count the
833 // expired cookie
834 EXPECT_TRUE(NS_SUCCEEDED(
835 cookieMgr2->CountCookiesFromHost("cookiemgr.test"_ns, &hostCookies)));
836 EXPECT_EQ(hostCookies, 2u);
837 EXPECT_TRUE(NS_SUCCEEDED(cookieMgr2->CookieExistsNative(
838 "cookiemgr.test"_ns, "/foo"_ns, "test2"_ns, &attrs, &found)));
839 EXPECT_TRUE(found);
840 // double-check RemoveAll() using the enumerator
841 EXPECT_NS_SUCCEEDED(cookieMgr->RemoveAll());
842 cookies.SetLength(0);
843 EXPECT_TRUE(NS_SUCCEEDED(cookieMgr->GetCookies(cookies)) &&
844 cookies.IsEmpty());
845
846 // *** eviction and creation ordering tests
847
848 // test that cookies are
849 // a) returned by order of creation time (oldest first, newest last)
850 // b) evicted by order of lastAccessed time, if the limit on cookies per host
851 // (50) is reached
852 nsAutoCString name;
853 nsAutoCString expected;
854 for (int32_t i = 0; i < 60; ++i) {
855 name = "test"_ns;
856 name.AppendInt(i);
857 name += "=creation"_ns;
858 SetACookie(cookieService, "http://creation.ordering.tests/", name.get());
859
860 if (i >= 10) {
861 expected += name;
862 if (i < 59) expected += "; "_ns;
863 }
864 }
865 GetACookie(cookieService, "http://creation.ordering.tests/", cookie);
866 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, expected.get()));
867
868 cookieMgr->RemoveAll();
869
870 for (int32_t i = 0; i < 60; ++i) {
871 name = "test"_ns;
872 name.AppendInt(i);
873 name += "=delete_non_security"_ns;
874
875 // Create 50 cookies that include the secure flag.
876 if (i < 50) {
877 name += "; secure"_ns;
878 SetACookie(cookieService, "https://creation.ordering.tests/", name.get());
879 } else {
880 // non-security cookies will be removed beside the latest cookie that be
881 // created.
882 SetACookie(cookieService, "http://creation.ordering.tests/", name.get());
883 }
884 }
885 GetACookie(cookieService, "http://creation.ordering.tests/", cookie);
886
887 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
888
889 // *** SameSite attribute - parsing and cookie storage tests
890 // Clear the cookies
891 EXPECT_NS_SUCCEEDED(cookieMgr->RemoveAll());
892
893 // None of these cookies will be set because using
894 // CookieJarSettings::GetBlockingAll().
895 SetACookieJarBlocked(cookieService, "http://samesite.test", "unset=yes");
896 SetACookieJarBlocked(cookieService, "http://samesite.test",
897 "unspecified=yes; samesite");
898 SetACookieJarBlocked(cookieService, "http://samesite.test",
899 "empty=yes; samesite=");
900 SetACookieJarBlocked(cookieService, "http://samesite.test",
901 "bogus=yes; samesite=bogus");
902 SetACookieJarBlocked(cookieService, "http://samesite.test",
903 "strict=yes; samesite=strict");
904 SetACookieJarBlocked(cookieService, "http://samesite.test",
905 "lax=yes; samesite=lax");
906
907 cookies.SetLength(0);
908 EXPECT_NS_SUCCEEDED(cookieMgr->GetCookies(cookies));
909
910 EXPECT_TRUE(cookies.IsEmpty());
911
912 // Set cookies with various incantations of the samesite attribute:
913 // No same site attribute present
914 SetACookie(cookieService, "http://samesite.test", "unset=yes");
915 // samesite attribute present but with no value
916 SetACookie(cookieService, "http://samesite.test",
917 "unspecified=yes; samesite");
918 // samesite attribute present but with an empty value
919 SetACookie(cookieService, "http://samesite.test", "empty=yes; samesite=");
920 // samesite attribute present but with an invalid value
921 SetACookie(cookieService, "http://samesite.test",
922 "bogus=yes; samesite=bogus");
923 // samesite=strict
924 SetACookie(cookieService, "http://samesite.test",
925 "strict=yes; samesite=strict");
926 // samesite=lax
927 SetACookie(cookieService, "http://samesite.test", "lax=yes; samesite=lax");
928
929 cookies.SetLength(0);
930 EXPECT_NS_SUCCEEDED(cookieMgr->GetCookies(cookies));
931
932 // check the cookies for the required samesite value
933 for (const auto& cookie : cookies) {
934 nsAutoCString name;
935 cookie->GetName(name);
936 int32_t sameSiteAttr;
937 cookie->GetSameSite(&sameSiteAttr);
938 if (name.EqualsLiteral("unset")) {
939 EXPECT_TRUE(sameSiteAttr == nsICookie::SAMESITE_NONE);
940 } else if (name.EqualsLiteral("unspecified")) {
941 EXPECT_TRUE(sameSiteAttr == nsICookie::SAMESITE_NONE);
942 } else if (name.EqualsLiteral("empty")) {
943 EXPECT_TRUE(sameSiteAttr == nsICookie::SAMESITE_NONE);
944 } else if (name.EqualsLiteral("bogus")) {
945 EXPECT_TRUE(sameSiteAttr == nsICookie::SAMESITE_NONE);
946 } else if (name.EqualsLiteral("strict")) {
947 EXPECT_TRUE(sameSiteAttr == nsICookie::SAMESITE_STRICT);
948 } else if (name.EqualsLiteral("lax")) {
949 EXPECT_TRUE(sameSiteAttr == nsICookie::SAMESITE_LAX);
950 }
951 }
952
953 EXPECT_TRUE(cookies.Length() == 6);
954
955 // *** SameSite attribute
956 // Clear the cookies
957 EXPECT_NS_SUCCEEDED(cookieMgr->RemoveAll());
958
959 // please note that the flag aForeign is always set to true using this test
960 // setup because no nsIChannel is passed to SetCookieString(). therefore we
961 // can only test that no cookies are sent for cross origin requests using
962 // same-site cookies.
963 SetACookie(cookieService, "http://www.samesite.com",
964 "test=sameSiteStrictVal; samesite=strict");
965 GetACookie(cookieService, "http://www.notsamesite.com", cookie);
966 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
967
968 SetACookie(cookieService, "http://www.samesite.test",
969 "test=sameSiteLaxVal; samesite=lax");
970 GetACookie(cookieService, "http://www.notsamesite.com", cookie);
971 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
972
973 static const char* secureURIs[] = {
974 "http://localhost", "http://localhost:1234", "http://127.0.0.1",
975 "http://127.0.0.2", "http://127.1.0.1", "http://[::1]",
976 // TODO bug 1220810 "http://xyzzy.localhost"
977 };
978
979 uint32_t numSecureURIs = sizeof(secureURIs) / sizeof(const char*);
980 for (uint32_t i = 0; i < numSecureURIs; ++i) {
981 SetACookie(cookieService, secureURIs[i], "test=basic; secure");
982 GetACookie(cookieService, secureURIs[i], cookie);
983 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=basic"));
984 SetACookie(cookieService, secureURIs[i], "test=basic1");
985 GetACookie(cookieService, secureURIs[i], cookie);
986 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=basic1"));
987 }
988
989 // XXX the following are placeholders: add these tests please!
990 // *** "noncompliant cookie" tests
991 // *** IP address tests
992 // *** speed tests
993 }
994
995 TEST(TestCookie, SameSiteLax)
996 {
997 Preferences::SetBool("network.cookie.sameSite.laxByDefault", true);
998
999 nsresult rv;
1000
1001 nsCOMPtr<nsICookieService> cookieService =
1002 do_GetService(kCookieServiceCID, &rv);
1003 ASSERT_NS_SUCCEEDED(rv);
1004
1005 nsCOMPtr<nsICookieManager> cookieMgr =
1006 do_GetService(NS_COOKIEMANAGER_CONTRACTID, &rv);
1007 ASSERT_NS_SUCCEEDED(rv);
1008
1009 EXPECT_NS_SUCCEEDED(cookieMgr->RemoveAll());
1010
1011 SetACookie(cookieService, "http://samesite.test", "unset=yes");
1012
1013 nsTArray<RefPtr<nsICookie>> cookies;
1014 EXPECT_NS_SUCCEEDED(cookieMgr->GetCookies(cookies));
1015 EXPECT_EQ(cookies.Length(), (uint64_t)1);
1016
1017 Cookie* cookie = static_cast<Cookie*>(cookies[0].get());
1018 EXPECT_EQ(cookie->RawSameSite(), nsICookie::SAMESITE_NONE);
1019 EXPECT_EQ(cookie->SameSite(), nsICookie::SAMESITE_LAX);
1020
1021 Preferences::SetCString("network.cookie.sameSite.laxByDefault.disabledHosts",
1022 "foo.com,samesite.test,bar.net");
1023
1024 EXPECT_NS_SUCCEEDED(cookieMgr->RemoveAll());
1025
1026 cookies.SetLength(0);
1027 EXPECT_NS_SUCCEEDED(cookieMgr->GetCookies(cookies));
1028 EXPECT_EQ(cookies.Length(), (uint64_t)0);
1029
1030 SetACookie(cookieService, "http://samesite.test", "unset=yes");
1031
1032 cookies.SetLength(0);
1033 EXPECT_NS_SUCCEEDED(cookieMgr->GetCookies(cookies));
1034 EXPECT_EQ(cookies.Length(), (uint64_t)1);
1035
1036 cookie = static_cast<Cookie*>(cookies[0].get());
1037 EXPECT_EQ(cookie->RawSameSite(), nsICookie::SAMESITE_NONE);
1038 EXPECT_EQ(cookie->SameSite(), nsICookie::SAMESITE_LAX);
1039 }
1040
1041 TEST(TestCookie, OnionSite)
1042 {
1043 Preferences::SetBool("dom.securecontext.allowlist_onions", true);
1044 Preferences::SetBool("network.cookie.sameSite.laxByDefault", false);
1045
1046 nsresult rv;
1047 nsCString cookie;
1048
1049 nsCOMPtr<nsICookieService> cookieService =
1050 do_GetService(kCookieServiceCID, &rv);
1051 ASSERT_NS_SUCCEEDED(rv);
1052
1053 // .onion secure cookie tests
1054 SetACookie(cookieService, "http://123456789abcdef.onion/",
1055 "test=onion-security; secure");
1056 GetACookieNoHttp(cookieService, "https://123456789abcdef.onion/", cookie);
1057 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=onion-security"));
1058 SetACookie(cookieService, "http://123456789abcdef.onion/",
1059 "test=onion-security2; secure");
1060 GetACookieNoHttp(cookieService, "http://123456789abcdef.onion/", cookie);
1061 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=onion-security2"));
1062 SetACookie(cookieService, "https://123456789abcdef.onion/",
1063 "test=onion-security3; secure");
1064 GetACookieNoHttp(cookieService, "http://123456789abcdef.onion/", cookie);
1065 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=onion-security3"));
1066 SetACookie(cookieService, "http://123456789abcdef.onion/",
1067 "test=onion-security4");
1068 GetACookieNoHttp(cookieService, "http://123456789abcdef.onion/", cookie);
1069 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "test=onion-security4"));
1070 }
1071
1072 TEST(TestCookie, HiddenPrefix)
1073 {
1074 nsresult rv;
1075 nsCString cookie;
1076
1077 nsCOMPtr<nsICookieService> cookieService =
1078 do_GetService(kCookieServiceCID, &rv);
1079 ASSERT_NS_SUCCEEDED(rv);
1080
1081 SetACookie(cookieService, "http://hiddenprefix.test/", "=__Host-test=a");
1082 GetACookie(cookieService, "http://hiddenprefix.test/", cookie);
1083 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
1084
1085 SetACookie(cookieService, "http://hiddenprefix.test/", "=__Secure-test=a");
1086 GetACookie(cookieService, "http://hiddenprefix.test/", cookie);
1087 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
1088
1089 SetACookie(cookieService, "http://hiddenprefix.test/", "=__Host-check");
1090 GetACookie(cookieService, "http://hiddenprefix.test/", cookie);
1091 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
1092
1093 SetACookie(cookieService, "http://hiddenprefix.test/", "=__Secure-check");
1094 GetACookie(cookieService, "http://hiddenprefix.test/", cookie);
1095 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
1096 }
1097
1098 TEST(TestCookie, BlockUnicode)
1099 {
1100 Preferences::SetBool("network.cookie.blockUnicode", true);
1101
1102 nsresult rv;
1103 nsCString cookie;
1104
1105 nsCOMPtr<nsICookieService> cookieService =
1106 do_GetService(kCookieServiceCID, &rv);
1107 ASSERT_NS_SUCCEEDED(rv);
1108
1109 SetACookie(cookieService, "http://unicode.com/", "name=🍪");
1110 GetACookie(cookieService, "http://unicode.com/", cookie);
1111 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
1112
1113 SetACookie(cookieService, "http://unicode.com/", "🍪=value");
1114 GetACookie(cookieService, "http://unicode.com/", cookie);
1115 EXPECT_TRUE(CheckResult(cookie.get(), MUST_BE_NULL));
1116
1117 Preferences::SetBool("network.cookie.blockUnicode", false);
1118
1119 SetACookie(cookieService, "http://unicode.com/", "name=🍪");
1120 GetACookie(cookieService, "http://unicode.com/", cookie);
1121 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "name=🍪"));
1122
1123 nsCOMPtr<nsICookieManager> cookieMgr =
1124 do_GetService(NS_COOKIEMANAGER_CONTRACTID);
1125 EXPECT_NS_SUCCEEDED(cookieMgr->RemoveAll());
1126
1127 SetACookie(cookieService, "http://unicode.com/", "🍪=value");
1128 GetACookie(cookieService, "http://unicode.com/", cookie);
1129 EXPECT_TRUE(CheckResult(cookie.get(), MUST_EQUAL, "🍪=value"));
1130
1131 EXPECT_NS_SUCCEEDED(cookieMgr->RemoveAll());
1132 Preferences::ClearUser("network.cookie.blockUnicode");
1133 }
1134
1135 TEST(TestCookie, MaxAgeParser)
1136 {
1137 nsCOMPtr<nsIURI> uri;
1138 NS_NewURI(getter_AddRefs(uri), "https://maxage.net");
1139
1140 nsCOMPtr<nsIIOService> service = do_GetIOService();
1141
1142 nsCOMPtr<nsIChannel> channel;
1143 Unused << service->NewChannelFromURI(
1144 uri, nullptr, nsContentUtils::GetSystemPrincipal(),
1145 nsContentUtils::GetSystemPrincipal(), 0, nsIContentPolicy::TYPE_DOCUMENT,
1146 getter_AddRefs(channel));
1147
1148 nsCOMPtr<nsIConsoleReportCollector> crc = do_QueryInterface(channel);
1149
1150 CookieParser cp(crc, uri);
1151
1152 int64_t value;
1153 EXPECT_FALSE(cp.ParseMaxAgeAttribute(""_ns, &value));
1154
1155 EXPECT_TRUE(cp.ParseMaxAgeAttribute("0"_ns, &value));
1156 EXPECT_EQ(value, 0);
1157
1158 EXPECT_TRUE(cp.ParseMaxAgeAttribute("1"_ns, &value));
1159 EXPECT_EQ(value, 1);
1160
1161 EXPECT_TRUE(cp.ParseMaxAgeAttribute("1234"_ns, &value));
1162 EXPECT_EQ(value, 1234);
1163
1164 EXPECT_TRUE(cp.ParseMaxAgeAttribute("00000000000000001234"_ns, &value));
1165 EXPECT_EQ(value, 1234);
1166
1167 EXPECT_TRUE(cp.ParseMaxAgeAttribute("-1234"_ns, &value));
1168 EXPECT_EQ(value, INT64_MIN);
1169
1170 {
1171 nsCString str;
1172 for (int i = 0; i < 1024; ++i) {
1173 str.Append("9");
1174 }
1175 EXPECT_TRUE(cp.ParseMaxAgeAttribute(str, &value));
1176 EXPECT_EQ(value, INT64_MAX);
1177 }
1178
1179 EXPECT_FALSE(cp.ParseMaxAgeAttribute("1234a"_ns, &value));
1180 EXPECT_FALSE(cp.ParseMaxAgeAttribute("12a34"_ns, &value));
1181 EXPECT_FALSE(cp.ParseMaxAgeAttribute("12🌊34"_ns, &value));
1182
1183 nsresult rv;
1184 nsCOMPtr<nsICookieManager> cookieMgr =
1185 do_GetService(NS_COOKIEMANAGER_CONTRACTID, &rv);
1186 ASSERT_NS_SUCCEEDED(rv);
1187
1188 EXPECT_NS_SUCCEEDED(cookieMgr->RemoveAll());
1189
1190 nsCOMPtr<nsICookieService> cookieService =
1191 do_GetService(kCookieServiceCID, &rv);
1192 ASSERT_NS_SUCCEEDED(rv);
1193
1194 SetACookie(cookieService, "http://maxage.net/", "a=1; max-age=1234");
1195
1196 nsCString cookieStr;
1197 GetACookie(cookieService, "http://maxage.net/", cookieStr);
1198 EXPECT_TRUE(CheckResult(cookieStr.get(), MUST_EQUAL, "a=1"));
1199
1200 nsTArray<RefPtr<nsICookie>> cookies;
1201 EXPECT_NS_SUCCEEDED(cookieMgr->GetCookies(cookies));
1202 EXPECT_EQ(cookies.Length(), (uint64_t)1);
1203
1204 Cookie* cookie = static_cast<Cookie*>(cookies[0].get());
1205 EXPECT_FALSE(cookie->IsSession());
1206
1207 SetACookie(cookieService, "http://maxage.net/", "a=1; max-age=-1");
1208 GetACookie(cookieService, "http://maxage.net/", cookieStr);
1209 EXPECT_TRUE(CheckResult(cookieStr.get(), MUST_EQUAL, ""));
1210 }