tor-browser

The Tor Browser

attributes-ctl.sub.html (4646B)


      1 <!doctype html>
      2 <html>
      3  <head>
      4    <meta charset=utf-8>
      5    <title>Test cookie attribute parsing with control characters</title>
      6    <meta name=help href="https://tools.ietf.org/html/rfc6265#section-5.2">
      7    <meta name="timeout" content="long">
      8    <script src="/resources/testharness.js"></script>
      9    <script src="/resources/testharnessreport.js"></script>
     10    <script src="/resources/testdriver.js"></script>
     11    <script src="/resources/testdriver-vendor.js"></script>
     12    <script src="/cookies/resources/cookie-test.js"></script>
     13  </head>
     14  <body>
     15    <div id=log></div>
     16    <script>
     17      const host = "{{host}}";
     18      const path = "/cookies/attributes";
     19 
     20      // Tests for control characters (CTLs) in a cookie's attribute values.
     21      // CTLs are defined by RFC 5234 to be %x00-1F / %x7F.
     22      const CTLS = getCtlCharacters();
     23 
     24      // All CTLs, with the exception of %x09 (the tab character), should
     25      // cause the cookie to be rejected.
     26      // In these tests we rely on subsequent attributes with the same name
     27      // overriding the earlier one. In the cases where the control character
     28      // should cause the entire cookie line to be rejected, if the control
     29      // character were not present the cookie line should be one that
     30      // would not be rejected. That way, if the attribute value is ignored
     31      // instead of the cookie line being rejected, the test will catch it.
     32      for (const ctl of CTLS) {
     33        const controlCharacterAttributeTests = [
     34          {
     35            cookie: `test${ctl.code}domain=t; Domain=test${ctl.chr}.co; Domain=${host};`,
     36            name: `Cookie with %x${ctl.code.toString(16)} in Domain attribute value is handled correctly.`,
     37          },
     38          {
     39            cookie: `test${ctl.code}domain2=t; Domain=${host}${ctl.chr};`,
     40            name: `Cookie with %x${ctl.code.toString(16)} after Domain attribute value is handled correctly.`,
     41          },
     42          {
     43            cookie: `test${ctl.code}path=t; Path=/te${ctl.chr}st; Path=${path}`,
     44            name: `Cookie with %x${ctl.code.toString(16)} in Path attribute value is handled correctly.`,
     45          },
     46          {
     47            cookie: `test${ctl.code}path2=t; Path=${path}${ctl.chr};`,
     48            name: `Cookie with %x${ctl.code.toString(16)} after Path attribute value is handled correctly.`,
     49          },
     50          {
     51            cookie: `test${ctl.code}maxage=t; Max-Age=10${ctl.chr}00; Max-Age=1000;`,
     52            name: `Cookie with %x${ctl.code.toString(16)} in Max-Age attribute value is handled correctly.`,
     53          },
     54          {
     55            cookie: `test${ctl.code}maxage2=t; Max-Age=1000${ctl.chr};`,
     56            name: `Cookie with %x${ctl.code.toString(16)} after Max-Age attribute value is handled correctly.`,
     57          },
     58          {
     59            cookie: `test${ctl.code}expires=t; Expires=Fri, 01 Jan 20${ctl.chr}38 00:00:00 GMT; ` +
     60              'Expires=Fri, 01 Jan 2038 00:00:00 GMT;',
     61            name: `Cookie with %x${ctl.code.toString(16)} in Expires attribute value is handled correctly.`,
     62          },
     63          {
     64            cookie: `test${ctl.code}expires2=t; Expires=Fri, 01 Jan 2038 00:00:00 GMT${ctl.chr};`,
     65            name: `Cookie with %x${ctl.code.toString(16)} after Expires attribute value is handled correctly.`,
     66          },
     67          {
     68            cookie: `test${ctl.code}secure=t; Sec${ctl.chr}ure;`,
     69            name: `Cookie with %x${ctl.code.toString(16)} in Secure attribute is handled correctly.`,
     70          },
     71          {
     72            cookie: `test${ctl.code}secure2=t; Secure${ctl.chr};`,
     73            name: `Cookie with %x${ctl.code.toString(16)} after Secure attribute is handled correctly.`,
     74          },
     75          {
     76            cookie: `test${ctl.code}httponly=t; Http${ctl.chr}Only;`,
     77            name: `Cookie with %x${ctl.code.toString(16)} in HttpOnly attribute is handled correctly.`,
     78          },
     79          {
     80            cookie: `test${ctl.code}samesite=t; SameSite=La${ctl.chr}x; SameSite=Lax;`,
     81            name: `Cookie with %x${ctl.code.toString(16)} in SameSite attribute value is handled correctly.`,
     82          },
     83          {
     84            cookie: `test${ctl.code}samesite2=t; SameSite=Lax${ctl.chr};`,
     85            name: `Cookie with %x${ctl.code.toString(16)} after SameSite attribute value is handled correctly.`,
     86          },
     87        ];
     88 
     89        for (const test of controlCharacterAttributeTests) {
     90          if (ctl.code === 0x09) {
     91            domCookieTest(test.cookie, test.cookie.split(";")[0], test.name);
     92          } else {
     93            domCookieTest(test.cookie, "", test.name);
     94          }
     95        }
     96      }
     97    </script>
     98  </body>
     99 </html>