1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <string>
6
7 #include "base/test/scoped_feature_list.h"
8 #include "net/base/features.h"
9 #include "net/cookies/cookie_constants.h"
10 #include "net/cookies/cookie_inclusion_status.h"
11 #include "net/cookies/parsed_cookie.h"
12 #include "testing/gtest/include/gtest/gtest.h"
13
14 namespace net {
15
// Parses a bare name=value line and a line that sets secure, httponly, path,
// domain, max-age, samesite, priority and partitioned, then checks every
// accessor against what the line states.
TEST(ParsedCookieTest, TestBasic) {
  // No attributes: flags are off and the optional fields report as absent.
  ParsedCookie bare("a=b");
  EXPECT_TRUE(bare.IsValid());
  EXPECT_FALSE(bare.IsSecure());
  EXPECT_FALSE(bare.IsHttpOnly());
  EXPECT_FALSE(bare.IsPartitioned());
  EXPECT_EQ("a", bare.Name());
  EXPECT_EQ("b", bare.Value());
  EXPECT_FALSE(bare.HasPath());
  EXPECT_FALSE(bare.HasDomain());
  EXPECT_FALSE(bare.HasExpires());
  EXPECT_FALSE(bare.HasMaxAge());
  EXPECT_EQ(CookieSameSite::UNSPECIFIED, bare.SameSite());
  EXPECT_EQ(CookiePriority::COOKIE_PRIORITY_DEFAULT, bare.Priority());

  // Attribute-rich line. "expires" is deliberately not part of it, so
  // HasExpires() must stay false while HasMaxAge() flips to true.
  ParsedCookie decorated(
      "c=d; secure; httponly; path=/foo; domain=bar.test; "
      "max-age=60; samesite=lax; priority=high; partitioned;");
  EXPECT_TRUE(decorated.IsValid());
  EXPECT_TRUE(decorated.IsSecure());
  EXPECT_TRUE(decorated.IsHttpOnly());
  EXPECT_TRUE(decorated.IsPartitioned());
  EXPECT_EQ("c", decorated.Name());
  EXPECT_EQ("d", decorated.Value());
  EXPECT_TRUE(decorated.HasPath());
  EXPECT_EQ("/foo", decorated.Path());
  EXPECT_TRUE(decorated.HasDomain());
  EXPECT_EQ("bar.test", decorated.Domain());
  EXPECT_FALSE(decorated.HasExpires());
  EXPECT_TRUE(decorated.HasMaxAge());
  EXPECT_EQ("60", decorated.MaxAge());
  EXPECT_EQ(CookieSameSite::LAX_MODE, decorated.SameSite());
  EXPECT_EQ(CookiePriority::COOKIE_PRIORITY_HIGH, decorated.Priority());
}
50
// Lines made only of whitespace, '=' and ';' carry neither a name nor a value
// and must all be reported as invalid.
TEST(ParsedCookieTest, TestEmpty) {
  const char* kContentFreeLines[]{"",    " ",   "=",     "=;",  " =;",
                                  "= ;", " = ;", ";",    " ;",  " ; ",
                                  "\t",  "\t;", "\t=\t", "\t=", "=\t"};

  for (const char* line : kContentFreeLines) {
    EXPECT_FALSE(ParsedCookie(line).IsValid());
  }
}
61
// A cookie may lack a name or a value, but not both. The setters must refuse
// any change that would leave the cookie with neither.
TEST(ParsedCookieTest, TestSetEmptyNameValue) {
  // An empty line is rejected at parse time and the reason is reported
  // through the status out-parameter. Setting a value on it still fails.
  CookieInclusionStatus parse_status;
  ParsedCookie no_content("", /*block_truncated=*/false, &parse_status);
  EXPECT_FALSE(no_content.IsValid());
  EXPECT_TRUE(parse_status.HasExclusionReason(
      CookieInclusionStatus::ExclusionReason::EXCLUDE_NO_COOKIE_CONTENT));
  EXPECT_FALSE(no_content.SetValue(""));
  EXPECT_FALSE(no_content.IsValid());

  // Name present, value empty: clearing the name is refused and the cookie
  // keeps its previous name.
  ParsedCookie name_only("name=");
  EXPECT_TRUE(name_only.IsValid());
  EXPECT_EQ("name", name_only.Name());
  EXPECT_FALSE(name_only.SetName(""));
  EXPECT_EQ("name", name_only.Name());
  EXPECT_TRUE(name_only.IsValid());

  // Value present, name empty: clearing the value is refused likewise.
  ParsedCookie value_only("value");
  EXPECT_TRUE(value_only.IsValid());
  EXPECT_EQ("value", value_only.Value());
  EXPECT_FALSE(value_only.SetValue(""));
  EXPECT_EQ("value", value_only.Value());
  EXPECT_TRUE(value_only.IsValid());
}
85
// Exercises ParseValueString() together with ValueMatchesParsedValue(): a
// value is only reported as matching when parsing returns it unchanged, so
// control characters, separators and surrounding whitespace must all make the
// match fail.
TEST(ParsedCookieTest, ParseValueStrings) {
  // Values that survive parsing byte-for-byte.
  const std::string kUnchanged[] = {
      "httpONLY", "1%7C1624663551161", "<K0<r<C_<G_<S0",
      "lastRequest=1624663552846&activeDays=%5B0%2C0", "si=8da88dce-5fee-4835"};
  for (const std::string& candidate : kUnchanged) {
    EXPECT_EQ(ParsedCookie::ParseValueString(candidate), candidate);
    EXPECT_TRUE(ParsedCookie::ValueMatchesParsedValue(candidate));
  }

  // Values containing a terminator (LF, CR, NUL) or the ';' separator. The
  // parsed result must differ from the input in every position tested.
  const std::string kAltered[] = {
      "\nhttpONLYsecure",                                // LF at start
      "httpONLY\nsecure",                                // LF in middle
      "httpONLYsecure\n",                                // LF at end
      "\r<K0<r<C_<G_<S0",                                // CR at start
      "<K0<r\r<C_<G_<S0",                                // CR in middle
      "<K0<r<C_<G_<S0\r",                                // CR at end
      ";lastRequest=1624663552846",                      // ';' at start
      "lastRequest=1624663552846; activeDays=%5B0%2C0",  // ';' in middle
      std::string("\0abcdef", 7),                        // NUL at start
      std::string("abc\0def", 7),                        // NUL in middle
      std::string("abcdef\0", 7)};                       // NUL at end
  for (const std::string& candidate : kAltered) {
    EXPECT_NE(ParsedCookie::ParseValueString(candidate), candidate);
    EXPECT_FALSE(ParsedCookie::ValueMatchesParsedValue(candidate));
  }

  // One leading whitespace character: parsing succeeds but drops exactly that
  // character, so the value no longer matches its parsed form.
  const std::string kLeadingWhitespace[] = {
      " 1%7C1624663551161",   // Space at start
      "\t1%7C1624663551161",  // Tab at start
  };
  for (const std::string& candidate : kLeadingWhitespace) {
    EXPECT_EQ(ParsedCookie::ParseValueString(candidate).length(),
              candidate.length() - 1);
    EXPECT_FALSE(ParsedCookie::ValueMatchesParsedValue(candidate));
  }

  // One trailing whitespace or separator character: same outcome, the parsed
  // value is one character shorter than the input.
  const std::string kTrailingExtra[] = {
      "lastRequest=1624663552846 ",   // Space at end
      "lastRequest=1624663552846\t",  // Tab at end
      "lastRequest=1624663552846;",   // Token separator at end
  };
  const size_t kStrippedLength = kTrailingExtra[0].length() - 1;
  for (const std::string& candidate : kTrailingExtra) {
    EXPECT_EQ(ParsedCookie::ParseValueString(candidate).length(),
              kStrippedLength);
    EXPECT_FALSE(ParsedCookie::ValueMatchesParsedValue(candidate));
  }

  // A ';' in the middle: the parsed value ends where the separator begins.
  const std::string separator_inside(
      "lastRequest=1624663552846; activeDays=%5B0%2C0");
  EXPECT_EQ(ParsedCookie::ParseValueString(separator_inside).length(),
            separator_inside.find(';'));
  EXPECT_FALSE(ParsedCookie::ValueMatchesParsedValue(separator_inside));
}
149
// Quoted values are an area where the major browsers disagree. The original
// author compared Internet Explorer 6, Opera 9.6, Firefox 3 and Safari Windows
// 3.2.1; the parser first followed Firefox and now follows Internet Explorer
// and Safari. Each case records the value expected from this parser.
TEST(ParsedCookieTest, TestQuoted) {
  const struct {
    const char* raw;     // Text placed after "aBc=" in the cookie line.
    const char* parsed;  // Value the parser is expected to report.
  } kCases[] = {
      // Whitespace after the closing quote is stripped (all browsers agree).
      {"\"zzz \" ", "\"zzz \""},
      // A ';' inside quotes, like FOO="zz;pp" ;
      //   IE and Safari: "zz;
      //   Firefox and Opera: "zz;pp"
      {"\"zz;pp\" ;", "\"zz"},
      // Several quoted parts, like FOO="zzz " "ppp" ;
      //   IE and Safari: "zzz " "ppp";
      //   Firefox: "zzz ";
      //   Opera: <rejects cookie>
      {"\"zzz \" \"ppp\" ", "\"zzz \" \"ppp\""},
      // A quote inside a value that did not start quoted, like FOO=A"B ;
      //   IE, Safari, and Firefox: A"B;
      //   Opera: <rejects cookie>
      {"A\"B", "A\"B"},
  };

  for (const auto& c : kCases) {
    const std::string line =
        std::string("aBc=") + c.raw + " ; path=\"/\" ; httponly ";
    ParsedCookie pc(line);
    EXPECT_TRUE(pc.IsValid());
    EXPECT_FALSE(pc.IsSecure());
    EXPECT_TRUE(pc.IsHttpOnly());
    EXPECT_TRUE(pc.HasPath());
    EXPECT_EQ("aBc", pc.Name());
    EXPECT_EQ(c.parsed, pc.Value());

    // Feeding the parsed value back through the setter must leave it as is.
    EXPECT_TRUE(pc.SetValue(pc.Value()));
    EXPECT_EQ(c.parsed, pc.Value());

    // A quoted path keeps its quotes. That makes the cookie effectively
    // useless, but path parameters are not supposed to be quoted.
    // Bug 1261605.
    EXPECT_EQ("\"/\"", pc.Path());
  }
}
201
// A first token without '=' is taken as the value of a cookie with an empty
// name; the attributes after it are still parsed.
TEST(ParsedCookieTest, TestNameless) {
  ParsedCookie nameless("BLAHHH; path=/; secure;");
  EXPECT_TRUE(nameless.IsValid());
  EXPECT_EQ("", nameless.Name());
  EXPECT_EQ("BLAHHH", nameless.Value());
  EXPECT_TRUE(nameless.IsSecure());
  EXPECT_TRUE(nameless.HasPath());
  EXPECT_EQ("/", nameless.Path());
  EXPECT_EQ(COOKIE_PRIORITY_DEFAULT, nameless.Priority());
}
212
// Attribute names, and the samesite / priority values, are matched without
// regard to letter case.
TEST(ParsedCookieTest, TestAttributeCase) {
  ParsedCookie mixed_case(
      "BLAH; Path=/; sECuRe; httpONLY; sAmESitE=LaX; pRIoRitY=hIgH; "
      "pARTitIoNeD;");
  EXPECT_TRUE(mixed_case.IsValid());
  EXPECT_EQ("", mixed_case.Name());
  EXPECT_EQ("BLAH", mixed_case.Value());
  EXPECT_TRUE(mixed_case.HasPath());
  EXPECT_EQ("/", mixed_case.Path());
  EXPECT_TRUE(mixed_case.IsSecure());
  EXPECT_TRUE(mixed_case.IsHttpOnly());
  EXPECT_EQ(CookieSameSite::LAX_MODE, mixed_case.SameSite());
  EXPECT_EQ(COOKIE_PRIORITY_HIGH, mixed_case.Priority());
  EXPECT_TRUE(mixed_case.IsPartitioned());
  // Path, secure, httponly, samesite, priority, partitioned.
  EXPECT_EQ(6U, mixed_case.NumberOfAttributes());
}
229
// A nameless cookie whose value is quoted and contains a backslash-escaped
// quote: the value is kept verbatim, quotes and backslash included.
TEST(ParsedCookieTest, TestDoubleQuotedNameless) {
  ParsedCookie quoted("\"BLA\\\"HHH\"; path=/; secure;");
  EXPECT_TRUE(quoted.IsValid());
  EXPECT_EQ("", quoted.Name());
  EXPECT_EQ("\"BLA\\\"HHH\"", quoted.Value());
  EXPECT_TRUE(quoted.IsSecure());
  EXPECT_TRUE(quoted.HasPath());
  EXPECT_EQ("/", quoted.Path());
  EXPECT_EQ(COOKIE_PRIORITY_DEFAULT, quoted.Priority());
  // path and secure.
  EXPECT_EQ(2U, quoted.NumberOfAttributes());
}
241
// An opening quote that is never closed is kept as part of the value rather
// than causing the cookie to be rejected.
TEST(ParsedCookieTest, QuoteOffTheEnd) {
  ParsedCookie unterminated("a=\"B");
  EXPECT_TRUE(unterminated.IsValid());
  EXPECT_EQ("a", unterminated.Name());
  EXPECT_EQ("\"B", unterminated.Value());
  EXPECT_EQ(0U, unterminated.NumberOfAttributes());
  EXPECT_EQ(COOKIE_PRIORITY_DEFAULT, unterminated.Priority());
}
250
// A line that starts with '=' yields an empty name, and serialising such a
// cookie writes the leading '=' back out.
TEST(ParsedCookieTest, MissingName) {
  ParsedCookie parsed("=ABC");
  EXPECT_TRUE(parsed.IsValid());
  EXPECT_EQ("", parsed.Name());
  EXPECT_EQ("ABC", parsed.Value());
  EXPECT_EQ(COOKIE_PRIORITY_DEFAULT, parsed.Priority());
  EXPECT_EQ(0U, parsed.NumberOfAttributes());

  // The leading '=' must be emitted in the cookie line.
  //
  // This goes against RFC6265bis and differs from how CanonicalCookie writes
  // cookie lines. As written in draft 9, the spec says a cookie with an empty
  // name should not get a leading '='. If the value itself contains '=',
  // however, a line written that way is parsed incorrectly on the receiving
  // end. ParsedCookie.ToCookieLine is only used by the extensions API to feed
  // modified cookies into a network request for reparsing, so round-tripping
  // the value correctly matters more here than conforming to the spec.
  ParsedCookie round_trip("=ABC");
  EXPECT_EQ("=ABC", round_trip.ToCookieLine());
  EXPECT_TRUE(round_trip.SetValue("param=value"));
  EXPECT_EQ("=param=value", round_trip.ToCookieLine());

  // Reparsing the serialised form gives back the same empty name and value.
  ParsedCookie reparsed("=param=value");
  EXPECT_EQ("", reparsed.Name());
  EXPECT_EQ("param=value", reparsed.Value());
  EXPECT_EQ("=param=value", reparsed.ToCookieLine());
}
279
// A name followed by '=' and nothing else yields an empty value, and the
// trailing '=' is kept when the cookie is serialised.
TEST(ParsedCookieTest, MissingValue) {
  ParsedCookie valueless("ABC=; path = /wee");
  EXPECT_TRUE(valueless.IsValid());
  EXPECT_EQ("ABC", valueless.Name());
  EXPECT_EQ("", valueless.Value());
  EXPECT_TRUE(valueless.HasPath());
  EXPECT_EQ("/wee", valueless.Path());
  EXPECT_EQ(1U, valueless.NumberOfAttributes());
  EXPECT_EQ(COOKIE_PRIORITY_DEFAULT, valueless.Priority());

  // The trailing '=' must be emitted in the cookie line.
  ParsedCookie serialised("ABC=");
  EXPECT_EQ("ABC=", serialised.ToCookieLine());
}
294
// Whitespace around names, values and separators is ignored, while empty
// segments between consecutive ';' still count as attributes.
TEST(ParsedCookieTest, Whitespace) {
  ParsedCookie spaced(" A = BC ;secure;;; samesite = lax ");
  EXPECT_TRUE(spaced.IsValid());
  EXPECT_EQ("A", spaced.Name());
  EXPECT_EQ("BC", spaced.Value());
  EXPECT_TRUE(spaced.IsSecure());
  EXPECT_FALSE(spaced.IsHttpOnly());
  EXPECT_FALSE(spaced.HasPath());
  EXPECT_FALSE(spaced.HasDomain());
  EXPECT_EQ(CookieSameSite::LAX_MODE, spaced.SameSite());
  EXPECT_EQ(COOKIE_PRIORITY_DEFAULT, spaced.Priority());
  // Anything between ';' is parsed as an attribute, so besides secure and
  // samesite there are two attributes with an empty name and value.
  EXPECT_EQ(4U, spaced.NumberOfAttributes());
}
// Only the first '=' separates name from value; later ones belong to the
// value.
TEST(ParsedCookieTest, MultipleEquals) {
  ParsedCookie repeated(" A=== BC ;secure;;; httponly");
  EXPECT_TRUE(repeated.IsValid());
  EXPECT_EQ("A", repeated.Name());
  EXPECT_EQ("== BC", repeated.Value());
  EXPECT_TRUE(repeated.IsSecure());
  EXPECT_TRUE(repeated.IsHttpOnly());
  EXPECT_FALSE(repeated.HasPath());
  EXPECT_FALSE(repeated.HasDomain());
  EXPECT_EQ(CookieSameSite::UNSPECIFIED, repeated.SameSite());
  EXPECT_EQ(COOKIE_PRIORITY_DEFAULT, repeated.Priority());
  EXPECT_EQ(4U, repeated.NumberOfAttributes());
}
323
// Whitespace between a closing quote and the next ';' is not part of the
// value.
TEST(ParsedCookieTest, QuotedTrailingWhitespace) {
  ParsedCookie quoted(
      "ANCUUID=\"zohNumRKgI0oxyhSsV3Z7D\" ; "
      "expires=Sun, 18-Apr-2027 21:06:29 GMT ; "
      "path=/ ; ");
  EXPECT_TRUE(quoted.IsValid());
  EXPECT_EQ("ANCUUID", quoted.Name());
  // Stripping whitespace after the quotes matches all other major browsers.
  EXPECT_EQ("\"zohNumRKgI0oxyhSsV3Z7D\"", quoted.Value());
  EXPECT_TRUE(quoted.HasExpires());
  EXPECT_TRUE(quoted.HasPath());
  EXPECT_EQ("/", quoted.Path());
  EXPECT_EQ(2U, quoted.NumberOfAttributes());
  EXPECT_EQ(COOKIE_PRIORITY_DEFAULT, quoted.Priority());
}
339
// Same line as QuotedTrailingWhitespace but with an unquoted value: the
// whitespace before each ';' is dropped from the value and the attributes.
TEST(ParsedCookieTest, TrailingWhitespace) {
  ParsedCookie unquoted(
      "ANCUUID=zohNumRKgI0oxyhSsV3Z7D ; "
      "expires=Sun, 18-Apr-2027 21:06:29 GMT ; "
      "path=/ ; ");
  EXPECT_TRUE(unquoted.IsValid());
  EXPECT_EQ("ANCUUID", unquoted.Name());
  EXPECT_EQ("zohNumRKgI0oxyhSsV3Z7D", unquoted.Value());
  EXPECT_TRUE(unquoted.HasExpires());
  EXPECT_TRUE(unquoted.HasPath());
  EXPECT_EQ("/", unquoted.Path());
  EXPECT_EQ(2U, unquoted.NumberOfAttributes());
  EXPECT_EQ(COOKIE_PRIORITY_DEFAULT, unquoted.Priority());
}
354
// Runs of 1 to 99 extra ';' between the name/value pair and a trailing
// attribute must not prevent that attribute from being recognised.
TEST(ParsedCookieTest, LotsOfPairs) {
  for (size_t separator_count = 1; separator_count < 100; ++separator_count) {
    const std::string separators(separator_count, ';');

    ParsedCookie padded("a=b;" + separators + "secure");
    EXPECT_EQ("a", padded.Name());
    EXPECT_EQ("b", padded.Value());
    EXPECT_TRUE(padded.IsValid());
    EXPECT_TRUE(padded.IsSecure());
  }
}
367
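// Checks the name+value and attribute-value size limits, both when a cookie
// line is parsed and when fields are changed through the setters.
//
// Every case that inspects a CookieInclusionStatus gets its own status object.
// A status shared between cases keeps the reasons recorded by earlier cases,
// so a later HasOnlyExclusionReason() / HasWarningReason() check could pass
// even if the parse under test recorded nothing.
TEST(ParsedCookieTest, EnforceSizeConstraints) {
  // Create maximum size and one-less-than-maximum size name and value
  // strings for testing.
  std::string max_name(ParsedCookie::kMaxCookieNamePlusValueSize, 'a');
  std::string max_value(ParsedCookie::kMaxCookieNamePlusValueSize, 'b');
  std::string almost_max_name = max_name.substr(1, std::string::npos);
  std::string almost_max_value = max_value.substr(1, std::string::npos);

  // Test name + value size limits enforced by the constructor.
  ParsedCookie pc1(max_name + "=");
  EXPECT_TRUE(pc1.IsValid());
  EXPECT_EQ(max_name, pc1.Name());

  ParsedCookie pc2(max_name + "=; path=/foo;");
  EXPECT_TRUE(pc2.IsValid());
  EXPECT_EQ(max_name, pc2.Name());

  CookieInclusionStatus pc3_status;
  ParsedCookie pc3(max_name + "X=", /*block_truncated=*/true, &pc3_status);
  EXPECT_FALSE(pc3.IsValid());
  EXPECT_TRUE(pc3_status.HasOnlyExclusionReason(
      CookieInclusionStatus::ExclusionReason::
          EXCLUDE_NAME_VALUE_PAIR_EXCEEDS_MAX_SIZE));

  ParsedCookie pc4("=" + max_value);
  EXPECT_TRUE(pc4.IsValid());
  EXPECT_EQ(max_value, pc4.Value());

  ParsedCookie pc5("=" + max_value + "; path=/foo;");
  EXPECT_TRUE(pc5.IsValid());
  EXPECT_EQ(max_value, pc5.Value());

  CookieInclusionStatus pc6_status;
  ParsedCookie pc6("=" + max_value + "X", /*block_truncated=*/true,
                   &pc6_status);
  EXPECT_FALSE(pc6.IsValid());
  EXPECT_TRUE(pc6_status.HasOnlyExclusionReason(
      CookieInclusionStatus::ExclusionReason::
          EXCLUDE_NAME_VALUE_PAIR_EXCEEDS_MAX_SIZE));

  ParsedCookie pc7(almost_max_name + "=x");
  EXPECT_TRUE(pc7.IsValid());
  EXPECT_EQ(almost_max_name, pc7.Name());
  EXPECT_EQ("x", pc7.Value());

  ParsedCookie pc8(almost_max_name + "=x; path=/foo;");
  EXPECT_TRUE(pc8.IsValid());
  EXPECT_EQ(almost_max_name, pc8.Name());
  EXPECT_EQ("x", pc8.Value());

  CookieInclusionStatus pc9_status;
  ParsedCookie pc9(almost_max_name + "=xX", /*block_truncated=*/true,
                   &pc9_status);
  EXPECT_FALSE(pc9.IsValid());
  EXPECT_TRUE(pc9_status.HasOnlyExclusionReason(
      CookieInclusionStatus::ExclusionReason::
          EXCLUDE_NAME_VALUE_PAIR_EXCEEDS_MAX_SIZE));

  ParsedCookie pc10("x=" + almost_max_value);
  EXPECT_TRUE(pc10.IsValid());
  EXPECT_EQ("x", pc10.Name());
  EXPECT_EQ(almost_max_value, pc10.Value());

  ParsedCookie pc11("x=" + almost_max_value + "; path=/foo;");
  EXPECT_TRUE(pc11.IsValid());
  EXPECT_EQ("x", pc11.Name());
  EXPECT_EQ(almost_max_value, pc11.Value());

  CookieInclusionStatus pc12_status;
  ParsedCookie pc12("xX=" + almost_max_value, /*block_truncated=*/true,
                    &pc12_status);
  EXPECT_FALSE(pc12.IsValid());
  EXPECT_TRUE(pc12_status.HasOnlyExclusionReason(
      CookieInclusionStatus::ExclusionReason::
          EXCLUDE_NAME_VALUE_PAIR_EXCEEDS_MAX_SIZE));

  // Test attribute value size limits enforced by the constructor.
  std::string almost_max_path(ParsedCookie::kMaxCookieAttributeValueSize - 1,
                              'c');
  std::string max_path = "/" + almost_max_path;
  std::string too_long_path = "/X" + almost_max_path;

  ParsedCookie pc20("name=value; path=" + max_path);
  EXPECT_TRUE(pc20.IsValid());
  EXPECT_TRUE(pc20.HasPath());
  EXPECT_EQ("/" + almost_max_path, pc20.Path());

  // An over-long attribute value does not invalidate the cookie: the
  // attribute is dropped and a warning is recorded.
  CookieInclusionStatus pc21_status;
  ParsedCookie pc21("name=value; path=" + too_long_path,
                    /*block_truncated=*/true, &pc21_status);
  EXPECT_TRUE(pc21.IsValid());
  EXPECT_FALSE(pc21.HasPath());
  EXPECT_TRUE(pc21_status.HasWarningReason(
      CookieInclusionStatus::WARN_ATTRIBUTE_VALUE_EXCEEDS_MAX_SIZE));

  // NOTE: max_domain is based on the max attribute value as defined in
  // RFC6265bis, but this is larger than what is recommended by RFC1123.
  // In theory some browsers could restrict domains to that smaller size,
  // but ParsedCookie doesn't.
  std::string max_domain(ParsedCookie::kMaxCookieAttributeValueSize, 'd');
  max_domain.replace(ParsedCookie::kMaxCookieAttributeValueSize - 4, 4, ".com");
  std::string too_long_domain = "x" + max_domain;

  ParsedCookie pc30("name=value; domain=" + max_domain);
  EXPECT_TRUE(pc30.IsValid());
  EXPECT_TRUE(pc30.HasDomain());
  EXPECT_EQ(max_domain, pc30.Domain());

  // The status has to be handed to this parse, with the same arguments as
  // pc21; otherwise the warning check below says nothing about the domain
  // attribute.
  CookieInclusionStatus pc31_status;
  ParsedCookie pc31("name=value; domain=" + too_long_domain,
                    /*block_truncated=*/true, &pc31_status);
  EXPECT_TRUE(pc31.IsValid());
  EXPECT_FALSE(pc31.HasDomain());
  EXPECT_TRUE(pc31_status.HasWarningReason(
      CookieInclusionStatus::WARN_ATTRIBUTE_VALUE_EXCEEDS_MAX_SIZE));

  std::string pc40_suffix = "; domain=example.com";

  ParsedCookie pc40("a=b" + pc40_suffix);
  EXPECT_TRUE(pc40.IsValid());

  // Test name + value size limits enforced by SetName / SetValue. A rejected
  // setter call must leave the serialised cookie line unchanged.
  EXPECT_FALSE(pc40.SetName(max_name));
  EXPECT_EQ("a=b" + pc40_suffix, pc40.ToCookieLine());
  EXPECT_TRUE(pc40.IsValid());

  EXPECT_FALSE(pc40.SetValue(max_value));
  EXPECT_EQ("a=b" + pc40_suffix, pc40.ToCookieLine());
  EXPECT_TRUE(pc40.IsValid());

  EXPECT_TRUE(pc40.SetName(almost_max_name));
  EXPECT_EQ(almost_max_name + "=b" + pc40_suffix, pc40.ToCookieLine());
  EXPECT_TRUE(pc40.IsValid());

  EXPECT_FALSE(pc40.SetValue("xX"));
  EXPECT_EQ(almost_max_name + "=b" + pc40_suffix, pc40.ToCookieLine());
  EXPECT_TRUE(pc40.IsValid());

  EXPECT_TRUE(pc40.SetName("a"));
  EXPECT_TRUE(pc40.SetValue(almost_max_value));
  EXPECT_EQ("a=" + almost_max_value + pc40_suffix, pc40.ToCookieLine());
  EXPECT_TRUE(pc40.IsValid());

  EXPECT_FALSE(pc40.SetName("xX"));
  EXPECT_EQ("a=" + almost_max_value + pc40_suffix, pc40.ToCookieLine());
  EXPECT_TRUE(pc40.IsValid());

  std::string lots_of_spaces(ParsedCookie::kMaxCookieNamePlusValueSize, ' ');
  std::string test_str = "test";
  std::string padded_test_str = lots_of_spaces + test_str + lots_of_spaces;

  // Ensure that leading/trailing whitespace gets stripped before the length
  // calculations are enforced.
  ParsedCookie pc41("name=value");
  EXPECT_TRUE(pc41.SetName(padded_test_str));
  EXPECT_TRUE(pc41.SetValue(padded_test_str));
  EXPECT_EQ(test_str, pc41.Name());
  EXPECT_EQ(test_str, pc41.Value());

  std::string name_equals_value = "name=value";
  ParsedCookie pc50(name_equals_value);

  EXPECT_TRUE(pc50.SetPath(max_path));
  EXPECT_EQ(pc50.Path(), max_path);
  EXPECT_EQ(name_equals_value + "; path=" + max_path, pc50.ToCookieLine());
  EXPECT_TRUE(pc50.IsValid());

  // Test attribute value size limits enforced by SetPath
  EXPECT_FALSE(pc50.SetPath(too_long_path));
  EXPECT_EQ(pc50.Path(), max_path);
  EXPECT_EQ(name_equals_value + "; path=" + max_path, pc50.ToCookieLine());
  EXPECT_TRUE(pc50.IsValid());

  std::string test_path = "/test";
  std::string padded_test_path = lots_of_spaces + test_path + lots_of_spaces;

  EXPECT_TRUE(pc50.SetPath(padded_test_path));
  EXPECT_EQ(test_path, pc50.Path());

  ParsedCookie pc51(name_equals_value);

  EXPECT_TRUE(pc51.SetDomain(max_domain));
  EXPECT_EQ(pc51.Domain(), max_domain);
  EXPECT_EQ(name_equals_value + "; domain=" + max_domain, pc51.ToCookieLine());
  EXPECT_TRUE(pc51.IsValid());

  // Test attribute value size limits enforced by SetDomain
  EXPECT_FALSE(pc51.SetDomain(too_long_domain));
  EXPECT_EQ(pc51.Domain(), max_domain);
  EXPECT_EQ(name_equals_value + "; domain=" + max_domain, pc51.ToCookieLine());
  EXPECT_TRUE(pc51.IsValid());

  std::string test_domain = "example.com";
  std::string padded_test_domain =
      lots_of_spaces + test_domain + lots_of_spaces;

  EXPECT_TRUE(pc51.SetDomain(padded_test_domain));
  EXPECT_EQ(test_domain, pc51.Domain());
}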
560
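// Cookie lines with an embedded NUL, CR or LF, parsed with block_truncated on
// and off while the kBlockTruncatedCookies feature is enabled.
//
// With block_truncated the whole cookie is rejected with
// EXCLUDE_DISALLOWED_CHARACTER. Without it parsing stops at the terminator, so
// the stored value ("BB") is shorter than what was sent; that silent
// truncation is the behaviour the blocking mode exists to prevent.
TEST(ParsedCookieTest, EmbeddedTerminator) {
  using std::string_literals::operator""s;

  base::test::ScopedFeatureList feature_list;
  feature_list.InitAndEnableFeature(net::features::kBlockTruncatedCookies);

  // The ""s suffix keeps the embedded NUL; a plain C string would end at it.
  const std::string kLines[] = {"AAA=BB\0ZYX"s, "AAA=BB\rZYX"s,
                                "AAA=BB\nZYX"s};

  for (const bool block_truncated : {true, false}) {
    SCOPED_TRACE(testing::Message()
                 << "Using block_truncated == " << block_truncated);

    for (const std::string& line : kLines) {
      // A fresh status per parse, so each check reflects only this line.
      CookieInclusionStatus status;
      ParsedCookie pc(line, block_truncated, &status);

      if (block_truncated) {
        EXPECT_FALSE(pc.IsValid());
        EXPECT_TRUE(status.HasOnlyExclusionReason(
            CookieInclusionStatus::ExclusionReason::
                EXCLUDE_DISALLOWED_CHARACTER));
      } else {
        // ASSERT: Name() / Value() are only meaningful on a valid cookie.
        ASSERT_TRUE(pc.IsValid());
        EXPECT_EQ("AAA", pc.Name());
        EXPECT_EQ("BB", pc.Value());
      }
    }
  }
}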
604
// ParseTokenString() and ParseValueString() both stop at LF, CR and ';'.
// They differ on '=': a token ends at the first '=', a value keeps it.
TEST(ParsedCookieTest, ParseTokensAndValues) {
  const struct {
    const char* input;
    const char* as_token;
    const char* as_value;
  } kCases[] = {
      {"hello\nworld", "hello", "hello"},
      {"fs!!@;helloworld", "fs!!@", "fs!!@"},
      {"hello world\tgood\rbye", "hello world\tgood", "hello world\tgood"},
      {"A=B=C;D=E", "A", "A=B=C"},
  };

  for (const auto& c : kCases) {
    EXPECT_EQ(c.as_token, ParsedCookie::ParseTokenString(c.input));
    EXPECT_EQ(c.as_value, ParsedCookie::ParseValueString(c.input));
  }
}
617
// ToCookieLine() writes a normalised line: whitespace before each ';' is gone
// and the trailing separator is dropped.
TEST(ParsedCookieTest, SerializeCookieLine) {
  const char kAsReceived[] =
      "ANCUUID=zohNumRKgI0oxyhSsV3Z7D ; "
      "expires=Sun, 18-Apr-2027 21:06:29 GMT ; "
      "path=/ ; priority=low ; ";
  const char kAsSerialized[] =
      "ANCUUID=zohNumRKgI0oxyhSsV3Z7D; "
      "expires=Sun, 18-Apr-2027 21:06:29 GMT; "
      "path=/; priority=low";

  ParsedCookie parsed(kAsReceived);
  EXPECT_EQ(kAsSerialized, parsed.ToCookieLine());
}
630
// Drives SetName() / SetValue() through accepted and rejected inputs. After
// every rejected call the cookie line must be exactly what it was before, and
// the cookie must still be valid.
TEST(ParsedCookieTest, SetNameAndValue) {
  // Changing name and value keeps an attribute that was set earlier.
  ParsedCookie with_domain("a=b");
  EXPECT_TRUE(with_domain.IsValid());
  EXPECT_TRUE(with_domain.SetDomain("foobar.com"));
  EXPECT_TRUE(with_domain.SetName("name"));
  EXPECT_TRUE(with_domain.SetValue("value"));
  EXPECT_EQ("name=value; domain=foobar.com", with_domain.ToCookieLine());
  EXPECT_TRUE(with_domain.IsValid());

  ParsedCookie subject("name=value");
  EXPECT_TRUE(subject.IsValid());

  // Rejected: LF, CR and NUL inside a name or value.
  EXPECT_FALSE(subject.SetName("foo\nbar"));
  EXPECT_EQ("name=value", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  EXPECT_FALSE(subject.SetName("foo\rbar"));
  EXPECT_EQ("name=value", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  EXPECT_FALSE(subject.SetValue(std::string("foo\0bar", 7)));
  EXPECT_EQ("name=value", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  // Accepted, although these used to be treated as invalid: '@', inner
  // spaces and a stray quote. Surrounding whitespace is trimmed.
  EXPECT_TRUE(subject.SetName("@foobar"));
  EXPECT_EQ("@foobar=value", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  EXPECT_TRUE(subject.SetName("foo bar"));
  EXPECT_EQ("foo bar=value", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  EXPECT_TRUE(subject.SetName("\"foobar"));
  EXPECT_EQ("\"foobar=value", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  EXPECT_TRUE(subject.SetValue("foo bar"));
  EXPECT_EQ("\"foobar=foo bar", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  EXPECT_TRUE(subject.SetValue("\"foobar"));
  EXPECT_EQ("\"foobar=\"foobar", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  EXPECT_TRUE(subject.SetName(" foo bar "));
  EXPECT_EQ("foo bar=\"foobar", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  EXPECT_TRUE(subject.SetValue(" foo bar "));
  EXPECT_EQ("foo bar=foo bar", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  // Accepted: ordinary names and values, including an empty name or an empty
  // value as long as the other one is present.
  EXPECT_TRUE(subject.SetValue("value"));
  EXPECT_TRUE(subject.SetName(std::string()));
  EXPECT_EQ("=value", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  EXPECT_TRUE(subject.SetName("test"));
  EXPECT_EQ("test=value", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  EXPECT_TRUE(subject.SetValue("\"foobar\""));
  EXPECT_EQ("test=\"foobar\"", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  EXPECT_TRUE(subject.SetValue(std::string()));
  EXPECT_EQ("test=", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  // Rejected: a name containing '='.
  EXPECT_FALSE(subject.SetName("invalid=name"));
  EXPECT_EQ("test=", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  // Rejected: ';' in a name or in a value.
  EXPECT_FALSE(subject.SetName("invalid;name"));
  EXPECT_EQ("test=", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  EXPECT_FALSE(subject.SetValue("invalid;value"));
  EXPECT_EQ("test=", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  // Rejected: tab characters, which are treated as control characters.
  // TODO(crbug.com/1233602) Update this such that tab characters are allowed
  // and are handled correctly.
  EXPECT_FALSE(subject.SetName("\tinvalid\t"));
  EXPECT_EQ("test=", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  EXPECT_FALSE(subject.SetValue("\tinvalid\t"));
  EXPECT_EQ("test=", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  EXPECT_FALSE(subject.SetName("na\tme"));
  EXPECT_EQ("test=", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());

  EXPECT_FALSE(subject.SetValue("val\tue"));
  EXPECT_EQ("test=", subject.ToCookieLine());
  EXPECT_TRUE(subject.IsValid());
}
736
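// Sets, modifies and clears every attribute through the setters and checks
// both the accessors and the serialised cookie line after each step.
TEST(ParsedCookieTest, SetAttributes) {
  ParsedCookie pc("name=value");
  EXPECT_TRUE(pc.IsValid());

  // Clear an unset attribute.
  EXPECT_TRUE(pc.SetDomain(std::string()));
  EXPECT_FALSE(pc.HasDomain());
  EXPECT_EQ("name=value", pc.ToCookieLine());
  EXPECT_TRUE(pc.IsValid());

  // Set a string containing an invalid character. The ';' separator must not
  // be accepted into an attribute value, and the cookie stays unchanged.
  EXPECT_FALSE(pc.SetDomain("foo;bar"));
  EXPECT_FALSE(pc.HasDomain());
  EXPECT_EQ("name=value", pc.ToCookieLine());
  EXPECT_TRUE(pc.IsValid());

  // Set all other attributes and check that they are appended in order.
  EXPECT_TRUE(pc.SetDomain("domain.com"));
  EXPECT_TRUE(pc.SetPath("/"));
  EXPECT_TRUE(pc.SetExpires("Sun, 18-Apr-2027 21:06:29 GMT"));
  EXPECT_TRUE(pc.SetMaxAge("12345"));
  EXPECT_TRUE(pc.SetIsSecure(true));
  // NOTE(review): httponly is set twice; the line below contains it once, so
  // this presumably checks that repeating the call adds no duplicate.
  EXPECT_TRUE(pc.SetIsHttpOnly(true));
  EXPECT_TRUE(pc.SetIsHttpOnly(true));
  EXPECT_TRUE(pc.SetSameSite("LAX"));
  EXPECT_TRUE(pc.SetPriority("HIGH"));
  EXPECT_TRUE(pc.SetIsPartitioned(true));
  EXPECT_EQ(
      "name=value; domain=domain.com; path=/; "
      "expires=Sun, 18-Apr-2027 21:06:29 GMT; max-age=12345; secure; "
      "httponly; samesite=LAX; priority=HIGH; partitioned",
      pc.ToCookieLine());
  EXPECT_TRUE(pc.HasDomain());
  EXPECT_TRUE(pc.HasPath());
  EXPECT_TRUE(pc.HasExpires());
  EXPECT_TRUE(pc.HasMaxAge());
  EXPECT_TRUE(pc.IsSecure());
  EXPECT_TRUE(pc.IsHttpOnly());
  EXPECT_EQ(CookieSameSite::LAX_MODE, pc.SameSite());
  EXPECT_EQ(COOKIE_PRIORITY_HIGH, pc.Priority());
  // The accessor is checked too, so the later IsPartitioned() == false
  // assertions are known to follow a state in which it was true.
  EXPECT_TRUE(pc.IsPartitioned());

  // Modify one attribute in the middle.
  EXPECT_TRUE(pc.SetPath("/foo"));
  EXPECT_TRUE(pc.HasDomain());
  EXPECT_TRUE(pc.HasPath());
  EXPECT_EQ("/foo", pc.Path());
  EXPECT_TRUE(pc.HasExpires());
  EXPECT_TRUE(pc.IsSecure());
  EXPECT_TRUE(pc.IsHttpOnly());
  EXPECT_EQ(
      "name=value; domain=domain.com; path=/foo; "
      "expires=Sun, 18-Apr-2027 21:06:29 GMT; max-age=12345; secure; "
      "httponly; samesite=LAX; priority=HIGH; partitioned",
      pc.ToCookieLine());

  // Set priority to medium.
  EXPECT_TRUE(pc.SetPriority("medium"));
  EXPECT_EQ(CookiePriority::COOKIE_PRIORITY_MEDIUM, pc.Priority());
  EXPECT_EQ(
      "name=value; domain=domain.com; path=/foo; "
      "expires=Sun, 18-Apr-2027 21:06:29 GMT; max-age=12345; secure; "
      "httponly; samesite=LAX; priority=medium; partitioned",
      pc.ToCookieLine());

  // Clear attribute from the end.
  EXPECT_TRUE(pc.SetIsPartitioned(false));
  EXPECT_FALSE(pc.IsPartitioned());
  EXPECT_EQ(
      "name=value; domain=domain.com; path=/foo; "
      "expires=Sun, 18-Apr-2027 21:06:29 GMT; max-age=12345; secure; "
      "httponly; samesite=LAX; priority=medium",
      pc.ToCookieLine());

  // Clear the rest and change the name and value.
  EXPECT_TRUE(pc.SetDomain(std::string()));
  EXPECT_TRUE(pc.SetPath(std::string()));
  EXPECT_TRUE(pc.SetExpires(std::string()));
  EXPECT_TRUE(pc.SetMaxAge(std::string()));
  EXPECT_TRUE(pc.SetIsSecure(false));
  EXPECT_TRUE(pc.SetIsHttpOnly(false));
  EXPECT_TRUE(pc.SetSameSite(std::string()));
  EXPECT_TRUE(pc.SetName("name2"));
  EXPECT_TRUE(pc.SetValue("value2"));
  EXPECT_TRUE(pc.SetPriority(std::string()));
  EXPECT_FALSE(pc.HasDomain());
  EXPECT_FALSE(pc.HasPath());
  EXPECT_FALSE(pc.HasExpires());
  EXPECT_FALSE(pc.HasMaxAge());
  EXPECT_FALSE(pc.IsSecure());
  EXPECT_FALSE(pc.IsHttpOnly());
  EXPECT_EQ(CookieSameSite::UNSPECIFIED, pc.SameSite());
  // Clearing an attribute that is already clear still reports success.
  EXPECT_TRUE(pc.SetIsPartitioned(false));
  EXPECT_EQ("name2=value2", pc.ToCookieLine());
  EXPECT_FALSE(pc.IsPartitioned());
}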
832
// A domain attribute with an empty value does not invalidate the cookie.
TEST(ParsedCookieTest, EmptyDomainAttributeValid) {
  ParsedCookie empty_domain("name=value; domain=");
  EXPECT_TRUE(empty_domain.IsValid());
}
838
// When the domain attribute appears twice in a cookie line, the last
// occurrence is the one reported, including when its value is empty.
TEST(ParsedCookieTest, MultipleDomainAttributes) {
  ParsedCookie second_set("name=value; domain=foo.com; domain=bar.com");
  EXPECT_EQ("bar.com", second_set.Domain());

  ParsedCookie second_empty("name=value; domain=foo.com; domain=");
  EXPECT_EQ(std::string(), second_empty.Domain());
}
847
// Exercises SetPriority() on a single cookie, one value after another.
TEST(ParsedCookieTest, SetPriority) {
  ParsedCookie cookie("name=value");
  EXPECT_TRUE(cookie.IsValid());

  EXPECT_EQ("name=value", cookie.ToCookieLine());
  EXPECT_EQ(CookiePriority::COOKIE_PRIORITY_DEFAULT, cookie.Priority());

  // The steps are applied in order to the same cookie object. Each step gives
  // the text passed to SetPriority(), the serialized line expected afterwards,
  // and the enum value Priority() should report.
  const struct {
    const char* priority_text;
    const char* expected_line;
    CookiePriority expected_priority;
  } kSteps[] = {
      // Recognized priorities are matched case-insensitively; the serialized
      // line keeps the text exactly as it was supplied.
      {"high", "name=value; priority=high",
       CookiePriority::COOKIE_PRIORITY_HIGH},
      {"mEDium", "name=value; priority=mEDium",
       CookiePriority::COOKIE_PRIORITY_MEDIUM},
      {"LOW", "name=value; priority=LOW", CookiePriority::COOKIE_PRIORITY_LOW},
      // Unrecognized values are accepted by the setter and serialized, but
      // are interpreted as COOKIE_PRIORITY_DEFAULT.
      {"Blah", "name=value; priority=Blah",
       CookiePriority::COOKIE_PRIORITY_DEFAULT},
      {"lowerest", "name=value; priority=lowerest",
       CookiePriority::COOKIE_PRIORITY_DEFAULT},
      // An empty value removes the attribute from the serialized line.
      {"", "name=value", CookiePriority::COOKIE_PRIORITY_DEFAULT},
  };

  for (const auto& step : kSteps) {
    SCOPED_TRACE(step.priority_text);
    EXPECT_TRUE(cookie.SetPriority(step.priority_text));
    EXPECT_EQ(step.expected_line, cookie.ToCookieLine());
    EXPECT_EQ(step.expected_priority, cookie.Priority());
  }
}
881
// Exercises SetSameSite() on a single cookie, one value after another.
TEST(ParsedCookieTest, SetSameSite) {
  ParsedCookie cookie("name=value");
  EXPECT_TRUE(cookie.IsValid());

  EXPECT_EQ("name=value", cookie.ToCookieLine());
  EXPECT_EQ(CookieSameSite::UNSPECIFIED, cookie.SameSite());

  // The steps are applied in order to the same cookie object. Each step gives
  // the text passed to SetSameSite(), the serialized line expected afterwards,
  // and the mode SameSite() should report. The cookie must stay valid after
  // every step.
  const struct {
    const char* same_site_text;
    const char* expected_line;
    CookieSameSite expected_mode;
  } kSteps[] = {
      // Recognized directives are matched case-insensitively; the serialized
      // line keeps the text exactly as it was supplied.
      {"strict", "name=value; samesite=strict", CookieSameSite::STRICT_MODE},
      {"lAx", "name=value; samesite=lAx", CookieSameSite::LAX_MODE},
      {"LAX", "name=value; samesite=LAX", CookieSameSite::LAX_MODE},
      {"None", "name=value; samesite=None", CookieSameSite::NO_RESTRICTION},
      {"NONE", "name=value; samesite=NONE", CookieSameSite::NO_RESTRICTION},
      // An empty value removes the SameSite attribute.
      {"", "name=value", CookieSameSite::UNSPECIFIED},
      // An unrecognized value is still serialized, but it is reported as
      // UNSPECIFIED rather than as any of the recognized modes.
      {"Blah", "name=value; samesite=Blah", CookieSameSite::UNSPECIFIED},
  };

  for (const auto& step : kSteps) {
    SCOPED_TRACE(step.same_site_text);
    EXPECT_TRUE(cookie.SetSameSite(step.same_site_text));
    EXPECT_EQ(step.expected_line, cookie.ToCookieLine());
    EXPECT_EQ(step.expected_mode, cookie.SameSite());
    EXPECT_TRUE(cookie.IsValid());
  }
}
926
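// Checks both results of SameSite(): the returned CookieSameSite mode and the
// CookieSameSiteString written through the out-parameter, which records how
// the attribute text was classified.
TEST(ParsedCookieTest, CookieSameSiteStringEnum) {
  // A bare "SameSite" attribute with no value.
  ParsedCookie pc("name=value; SameSite");
  // Start from a value other than the expected one, so the first check shows
  // that SameSite() really wrote to the out-parameter.
  CookieSameSiteString actual = CookieSameSiteString::kLax;
  EXPECT_EQ(CookieSameSite::UNSPECIFIED, pc.SameSite(&actual));
  EXPECT_EQ(CookieSameSiteString::kEmptyString, actual);

  // Each setter result is checked. If a call is rejected, the test then fails
  // at the setter instead of at a later, less obvious mismatch.
  EXPECT_TRUE(pc.SetSameSite("Strict"));
  EXPECT_EQ(CookieSameSite::STRICT_MODE, pc.SameSite(&actual));
  EXPECT_EQ(CookieSameSiteString::kStrict, actual);

  EXPECT_TRUE(pc.SetSameSite("Lax"));
  EXPECT_EQ(CookieSameSite::LAX_MODE, pc.SameSite(&actual));
  EXPECT_EQ(CookieSameSiteString::kLax, actual);

  EXPECT_TRUE(pc.SetSameSite("None"));
  EXPECT_EQ(CookieSameSite::NO_RESTRICTION, pc.SameSite(&actual));
  EXPECT_EQ(CookieSameSiteString::kNone, actual);

  // "Extended" has its own string classification, but the resulting mode is
  // UNSPECIFIED, the same as for an unrecognized value.
  EXPECT_TRUE(pc.SetSameSite("Extended"));
  EXPECT_EQ(CookieSameSite::UNSPECIFIED, pc.SameSite(&actual));
  EXPECT_EQ(CookieSameSiteString::kExtended, actual);

  EXPECT_TRUE(pc.SetSameSite("Bananas"));
  EXPECT_EQ(CookieSameSite::UNSPECIFIED, pc.SameSite(&actual));
  EXPECT_EQ(CookieSameSiteString::kUnrecognized, actual);

  // A cookie line with no SameSite attribute at all is classified separately
  // from one whose SameSite attribute is present but empty (checked above).
  ParsedCookie pc2("no_samesite=1");
  EXPECT_EQ(CookieSameSite::UNSPECIFIED, pc2.SameSite(&actual));
  EXPECT_EQ(CookieSameSiteString::kUnspecified, actual);
}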
959
// Checks what the attribute setters accept and how they normalize it, and
// which inputs they reject.
TEST(ParsedCookieTest, SettersInputValidation) {
  ParsedCookie cookie("name=foobar");

  EXPECT_TRUE(cookie.SetPath("baz"));
  EXPECT_EQ(cookie.ToCookieLine(), "name=foobar; path=baz");

  // Leading and trailing spaces are stripped from an accepted value.
  EXPECT_TRUE(cookie.SetPath("  baz "));
  EXPECT_EQ(cookie.ToCookieLine(), "name=foobar; path=baz");

  // A value made only of spaces removes the attribute.
  EXPECT_TRUE(cookie.SetPath("     "));
  EXPECT_EQ(cookie.ToCookieLine(), "name=foobar");

  EXPECT_TRUE(cookie.SetDomain("  baz "));
  EXPECT_EQ(cookie.ToCookieLine(), "name=foobar; domain=baz");

  // Invalid characters: line breaks, other control characters and the ';'
  // attribute separator are refused. This keeps a caller-supplied value from
  // changing the structure of the serialized cookie line.
  for (const char* rejected_path : {"  baz\n ", "f;oo", "\r", "\a", "\t"}) {
    EXPECT_FALSE(cookie.SetPath(rejected_path));
  }
  EXPECT_FALSE(cookie.SetSameSite("\r"));
}
982
// Checks how the attribute keywords ("secure", "httponly", "partitioned") are
// treated depending on where they appear in the cookie line.
TEST(ParsedCookieTest, ToCookieLineSpecialTokens) {
  // Parse a line and serialize it again: {input, expected ToCookieLine()}.
  const struct {
    const char* input;
    const char* expected_line;
  } kRoundTrips[] = {
      // Special tokens "secure", "httponly" should be treated as any other
      // name or value when they are in the first position.
      {"secure", "=secure"},
      {"secure=foo", "secure=foo"},
      {"foo=secure", "foo=secure"},
      {"httponly=foo", "httponly=foo"},
      {"foo=bar; baz=bob", "foo=bar; baz=bob"},
      // Outside of the first position, the value associated with a special
      // name should not be printed.
      {"name=foo; secure", "name=foo; secure"},
      {"name=foo; secure=bar", "name=foo; secure"},
      {"name=foo; httponly=baz", "name=foo; httponly"},
      {"name=foo; bar=secure", "name=foo; bar=secure"},
  };
  for (const auto& round_trip : kRoundTrips) {
    SCOPED_TRACE(round_trip.input);
    ParsedCookie cookie(round_trip.input);
    EXPECT_EQ(cookie.ToCookieLine(), round_trip.expected_line);
  }

  // Renaming a cookie to a special token also leaves it an ordinary name. The
  // SetName() result is not checked; the serialized line is the assertion.
  const struct {
    const char* input;
    const char* new_name;
    const char* expected_line;
  } kRenames[] = {
      {"", "secure", "secure="},
      {"foo", "secure", "secure=foo"},
      {"bar", "httponly", "httponly=bar"},
  };
  for (const auto& rename : kRenames) {
    SCOPED_TRACE(rename.expected_line);
    ParsedCookie cookie(rename.input);
    cookie.SetName(rename.new_name);
    EXPECT_EQ(cookie.ToCookieLine(), rename.expected_line);
  }

  // Repeated instances of the special tokens are also fine.
  {
    ParsedCookie repeated_secure(
        "name=foo; secure; secure=yesplease; secure; secure");
    EXPECT_TRUE(repeated_secure.IsValid());
    EXPECT_TRUE(repeated_secure.IsSecure());
    EXPECT_FALSE(repeated_secure.IsHttpOnly());
  }

  // "partitioned" in the first position is name or value text and does not
  // set the Partitioned attribute; only a later occurrence does.
  const struct {
    const char* input;
    const char* expected_name;
    const char* expected_value;
    bool expected_partitioned;
  } kPartitionedCases[] = {
      {"partitioned=foo", "partitioned", "foo", false},
      {"partitioned=", "partitioned", "", false},
      {"=partitioned", "", "partitioned", false},
      {"partitioned; partitioned; secure; httponly; httponly; secure", "",
       "partitioned", true},
  };
  for (const auto& partitioned_case : kPartitionedCases) {
    SCOPED_TRACE(partitioned_case.input);
    ParsedCookie cookie(partitioned_case.input);
    EXPECT_EQ(partitioned_case.expected_name, cookie.Name());
    EXPECT_EQ(partitioned_case.expected_value, cookie.Value());
    EXPECT_EQ(partitioned_case.expected_partitioned, cookie.IsPartitioned());
  }
}
1072
// Maps SameSite attribute text in a parsed cookie line to the reported mode.
// Every line here is expected to parse as valid. An unrecognized value, a bare
// "samesite" with no value, and a missing attribute all yield UNSPECIFIED.
TEST(ParsedCookieTest, SameSiteValues) {
  struct Expectation {
    const char* cookie_line;
    bool is_valid;
    CookieSameSite same_site;
  };
  const Expectation kExpectations[] = {
      {"n=v; samesite=strict", true, CookieSameSite::STRICT_MODE},
      {"n=v; samesite=lax", true, CookieSameSite::LAX_MODE},
      {"n=v; samesite=none", true, CookieSameSite::NO_RESTRICTION},
      {"n=v; samesite=boo", true, CookieSameSite::UNSPECIFIED},
      {"n=v; samesite", true, CookieSameSite::UNSPECIFIED},
      {"n=v", true, CookieSameSite::UNSPECIFIED},
  };

  for (const Expectation& expectation : kExpectations) {
    SCOPED_TRACE(expectation.cookie_line);
    ParsedCookie parsed(expectation.cookie_line);
    EXPECT_EQ(expectation.is_valid, parsed.IsValid());
    EXPECT_EQ(expectation.same_site, parsed.SameSite());
  }
}
1092
// Cookie lines with a control character (bytes such as 0x02, 0x05, 0x11, 0x1C)
// or DEL (0x7F) in the name or the value must be rejected. The only exclusion
// reason recorded must be EXCLUDE_DISALLOWED_CHARACTER.
TEST(ParsedCookieTest, InvalidNonAlphanumericChars) {
  // Adjacent string literals are split after each escape so that the
  // following letters are not read as part of the escape sequence.
  // clang-format off
  const char* kRejectedLines[] = {
      "name=\x05",
      "name=foo\x1c" "bar",
      "name=foobar\x11",
      "name=\x02" "foobar",
      "\x05=value",
      "foo\x05" "bar=value",
      "foobar\x05" "=value",
      "\x05" "foobar=value",
      "foo\x05" "bar=foo\x05" "bar",
      "foo=ba,ba\x05" "z=boo",
      "foo=ba,baz=bo\x05" "o",
      "foo=ba,ba\05" "z=bo\x05" "o",
      "foo=ba,ba\x7F" "z=bo",
      "fo\x7F" "o=ba,z=bo",
      "foo=bar\x7F" ";z=bo",
  };
  // clang-format on

  size_t case_number = 0;
  for (const char* rejected_line : kRejectedLines) {
    ++case_number;  // Reported 1-based in the trace.
    SCOPED_TRACE(testing::Message()
                 << "Test case #" << base::NumberToString(case_number));
    CookieInclusionStatus inclusion_status;
    ParsedCookie parsed(rejected_line, /*block_truncated=*/true,
                        &inclusion_status);
    EXPECT_FALSE(parsed.IsValid());
    EXPECT_TRUE(inclusion_status.HasOnlyExclusionReason(
        CookieInclusionStatus::ExclusionReason::EXCLUDE_DISALLOWED_CHARACTER));
  }
}
1124
// Non-ASCII text and '@' are accepted in cookie names and values. Each line
// must parse as valid and serialize back unchanged, and must still do so after
// its own name or value has been written back through the matching setter.
TEST(ParsedCookieTest, ValidNonAlphanumericChars) {
  // Note that some of these words are pasted backwards thanks to poor vim
  // bidi support. This should not affect the tests, however.
  const struct {
    const char* line;
    // true: re-apply the name via SetName(); false: re-apply the value via
    // SetValue().
    bool reapply_name;
  } kAcceptedLines[] = {
      {"name=العربية", false},
      {"name=普通話", false},
      {"name=ภาษาไทย", false},
      {"name=עִבְרִית", false},
      {"العربية=value", true},
      {"普通話=value", true},
      {"ภาษาไทย=value", true},
      {"עִבְרִית=value", true},
      {"@foo=bar", true},
  };

  for (const auto& accepted : kAcceptedLines) {
    SCOPED_TRACE(accepted.line);
    ParsedCookie cookie(accepted.line);

    // Parsing followed by serialization is lossless.
    EXPECT_TRUE(cookie.IsValid());
    EXPECT_EQ(accepted.line, cookie.ToCookieLine());

    // The setter accepts what the parser produced and leaves the line as is.
    if (accepted.reapply_name) {
      EXPECT_TRUE(cookie.SetName(cookie.Name()));
    } else {
      EXPECT_TRUE(cookie.SetValue(cookie.Value()));
    }
    EXPECT_EQ(accepted.line, cookie.ToCookieLine());
    EXPECT_TRUE(cookie.IsValid());
  }
}
1195
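// Checks how ParsedCookie classifies and handles control characters at the
// start, middle and end of a cookie line, with `block_truncated` both enabled
// and disabled.
TEST(ParsedCookieTest, TruncatingCharInCookieLine) {
  using std::string_literals::operator""s;

  base::test::ScopedFeatureList feature_list;
  feature_list.InitAndEnableFeature(net::features::kBlockTruncatedCookies);

  // Control characters under test: NUL (\x0), CR (\xD), LF (\xA), HT (\x9) and
  // ESC (\x1B). Per the expectations below, NUL, CR and LF are reported as
  // truncating characters, while HT and ESC are not. Note the enum naming:
  // CR maps to kTruncatingCharNewline and LF to kTruncatingCharLineFeed.
  const struct {
    const char ctlChar;
    const TruncatingCharacterInCookieStringType
        expectedTruncatingCharInCookieStringType;
  } kTests[] = {
      {'\x0', TruncatingCharacterInCookieStringType::kTruncatingCharNull},
      {'\xD', TruncatingCharacterInCookieStringType::kTruncatingCharNewline},
      {'\xA', TruncatingCharacterInCookieStringType::kTruncatingCharLineFeed},
      {'\x9', TruncatingCharacterInCookieStringType::kTruncatingCharNone},
      {'\x1B', TruncatingCharacterInCookieStringType::kTruncatingCharNone}};

  for (const bool block_truncated : {true, false}) {
    SCOPED_TRACE(testing::Message()
                 << "Using block_truncated == " << block_truncated);

    for (const auto& test : kTests) {
      SCOPED_TRACE(testing::Message() << "Using test.ctlChar == "
                                      << base::NumberToString(test.ctlChar));
      const bool would_be_truncated =
          test.expectedTruncatingCharInCookieStringType !=
          TruncatingCharacterInCookieStringType::kTruncatingCharNone;
      // Built with the (count, char) constructor so that NUL is kept as a
      // real character and not treated as a C-string terminator.
      const std::string ctl_string(1, test.ctlChar);

      // Control character at the start of the line.
      const std::string ctl_at_start_cookie_string = ctl_string + "foo=bar"s;
      ParsedCookie ctl_at_start_cookie(ctl_at_start_cookie_string,
                                       block_truncated);
      EXPECT_EQ(ctl_at_start_cookie.GetTruncatingCharacterInCookieStringType(),
                test.expectedTruncatingCharInCookieStringType);
      // Lots of factors determine whether IsValid() is true here:
      //
      //  - For the tab character ('\x9'), leading whitespace is valid and the
      //  spec indicates that it should just be removed and the cookie parsed
      //  normally. Thus, in this case the cookie is valid regardless of
      //  whether `block_truncated` is true.
      //
      //  - For control characters that would truncate the cookie, they either
      //  cause the cookie to be invalid if `block_truncated` is true or they
      //  cause cookie truncation which results in an empty cookie, which is
      //  also treated as invalid.
      //
      //  - For the other control character case the cookie is always just
      //  treated as invalid.
      EXPECT_EQ(ctl_at_start_cookie.IsValid(), test.ctlChar == '\x9');

      // Control character in the middle, right before the `secure` attribute.
      const std::string ctl_at_middle_cookie_string =
          "foo=bar;"s + ctl_string + "secure"s;
      ParsedCookie ctl_at_middle_cookie(ctl_at_middle_cookie_string,
                                        block_truncated);
      EXPECT_EQ(ctl_at_middle_cookie.GetTruncatingCharacterInCookieStringType(),
                test.expectedTruncatingCharInCookieStringType);
      // NOTE(review): validity is asserted only for truncating characters;
      // for HT and ESC in this position nothing is asserted about IsValid().
      // Also not asserted: whether `secure`, which follows the control
      // character, is still set when truncation is allowed. Presumably it is
      // dropped. Worth pinning, since it changes the cookie's attributes.
      if (would_be_truncated) {
        EXPECT_EQ(ctl_at_middle_cookie.IsValid(), !block_truncated);
      }

      // Control character at the very end, after all attributes.
      const std::string ctl_at_end_cookie_string =
          "foo=bar;"s + "secure;"s + ctl_string;
      ParsedCookie ctl_at_end_cookie(ctl_at_end_cookie_string, block_truncated);
      EXPECT_EQ(ctl_at_end_cookie.GetTruncatingCharacterInCookieStringType(),
                test.expectedTruncatingCharInCookieStringType);
      if (would_be_truncated) {
        EXPECT_EQ(ctl_at_end_cookie.IsValid(), !block_truncated);
      }
    }

    // Test if there are multiple control characters that terminate. LF comes
    // before CR in this input, and the reported type is the LF one.
    const std::string ctls_cookie_string = "foo=bar;\xA\xD"s;
    ParsedCookie ctls_cookie(ctls_cookie_string, block_truncated);
    EXPECT_EQ(ctls_cookie.GetTruncatingCharacterInCookieStringType(),
              TruncatingCharacterInCookieStringType::kTruncatingCharLineFeed);
    EXPECT_EQ(ctls_cookie.IsValid(), !block_truncated);

    // Test with no control characters.
    const std::string cookie_string = "foo=bar;"s;
    ParsedCookie cookie(cookie_string, block_truncated);
    EXPECT_EQ(cookie.GetTruncatingCharacterInCookieStringType(),
              TruncatingCharacterInCookieStringType::kTruncatingCharNone);
    EXPECT_TRUE(cookie.IsValid());
  }
}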
1283
// HasInternalHtab() reports a horizontal tab inside the cookie name or value.
// Tabs that only lead or trail the cookie line do not count.
TEST(ParsedCookieTest, HtabInNameOrValue) {
  const struct {
    const char* cookie_line;
    bool expect_internal_htab;
  } kCases[] = {
      {"foo=bar", false},      // No tab at all.
      {"\tfoo=bar\t", false},  // Tabs only at the edges of the line.
      {"f\too=bar", true},     // Tab inside the name.
      {"foo=b\tar", true},     // Tab inside the value.
  };

  for (const auto& htab_case : kCases) {
    SCOPED_TRACE(htab_case.cookie_line);
    const std::string cookie_line = htab_case.cookie_line;
    ParsedCookie parsed(cookie_line);
    EXPECT_EQ(htab_case.expect_internal_htab, parsed.HasInternalHtab());
  }
}
1301
1302 } // namespace net
1303