invalid.html (5672B)
<!doctype html>
<html>
  <head>
    <meta charset=utf-8>
    <title>Test invalid attribute parsing</title>
    <meta name=help href="https://tools.ietf.org/html/rfc6265#section-5.2">
    <meta name="timeout" content="long">
    <script src="/resources/testharness.js"></script>
    <script src="/resources/testharnessreport.js"></script>
    <script src="/resources/testdriver.js"></script>
    <script src="/resources/testdriver-vendor.js"></script>
    <script src="/cookies/resources/cookie-test.js"></script>
  </head>
  <body>
    <div id=log></div>
    <script>
      // Each case sends one or more Set-Cookie values containing attributes
      // the parser does not recognise and checks that the unrecognised part
      // is dropped without changing how the rest of the cookie is handled.
      // `Path=/` appears only so the junk attribute can be placed before or
      // after a valid one; it is not what is being tested.
      //
      // Fields:
      //   cookie      - a Set-Cookie value, or an array of them (presumably
      //                 one header each; confirm in cookie-test.js).
      //   expected    - the cookie string the test expects to read back;
      //                 "" means the cookie must not be stored at all.
      //   name        - test title reported by the harness.
      //   defaultPath - forwarded unchanged to httpCookieTest; entries that
      //                 carry an explicit Path pass false. Omitted entries
      //                 forward undefined.
      const invalidAttributeTests = [
        // --- Unrecognised attribute next to a valid Path ---
        {
          cookie: "test=1; lol; Path=/",
          expected: "test=1",
          name: "Set cookie with invalid attribute",
          defaultPath: false,
        },
        {
          cookie: "test=2; Path=/; lol",
          expected: "test=2",
          name: "Set cookie ending with invalid attribute.",
          defaultPath: false,
        },
        {
          cookie: "test=3; Path=/; 'lol'",
          expected: "test=3",
          name: "Set cookie ending with quoted invalid attribute.",
          defaultPath: false,
        },
        {
          cookie: 'test=4; Path=/; "lol"',
          expected: "test=4",
          name: "Set cookie ending with double-quoted invalid attribute.",
          defaultPath: false,
        },
        {
          cookie: "test=5; Path=/; lol=",
          expected: "test=5",
          name: "Set cookie ending with invalid attribute equals.",
          defaultPath: false,
        },
        // A ';' inside double quotes still ends the attribute, so the quoted
        // value below is seen as two separate unknown attributes.
        {
          cookie: 'test=6; lol="aaa;bbb"; Path=/',
          expected: "test=6",
          name: "Set cookie with two invalid attributes (lol=\"aaa and bbb).",
          defaultPath: false,
        },
        {
          cookie: 'test=7; Path=/; lol="aaa;bbb"',
          expected: "test=7",
          name: "Set cookie ending with two invalid attributes (lol=\"aaa and bbb).",
          defaultPath: false,
        },

        // --- Look-alikes of the Secure attribute ---
        // Neither form may be treated as Secure: the cookie is stored as an
        // ordinary, non-Secure cookie, which is why it can be set from a
        // non-secure origin.
        {
          cookie: 'test=8; "Secure"',
          expected: "test=8",
          // The quotes are part of the attribute name, so this is the unknown
          // attribute "Secure" (quotes included), not the Secure attribute.
          name: "Set cookie for quoted Secure attribute",
        },
        {
          cookie: "test=9; Secure qux",
          expected: "test=9",
          // "Secure qux" as a whole is an unknown attribute and is ignored;
          // the cookie will not be Secure.
          name: "Set cookie for Secure qux",
        },

        // --- Commas, stray whitespace and repeated separators ---
        {
          cookie: "test=10; b,az=qux",
          expected: "test=10",
          name: "Ignore invalid attribute name with comma",
        },
        {
          cookie: "test=11; baz=q,ux",
          expected: "test=11",
          name: "Ignore invalid attribute value with comma",
        },
        // Whitespace around the name and the value is not part of the stored
        // cookie.
        {
          cookie: " test = 12 ;foo;;; bar",
          expected: "test=12",
          name: "Set cookie ignoring multiple invalid attributes, whitespace, and semicolons",
        },
        // Only the first '=' separates name from value; the remaining '='s and
        // the inner space stay in the value.
        {
          cookie: " test=== 13 ;foo;;; bar",
          expected: "test=== 13",
          name: "Set cookie with multiple '='s in its value, ignoring multiple invalid attributes, whitespace, and semicolons",
        },

        // --- Attributes the tests treat as invalid ---
        {
          cookie: "test=14; version=1;",
          expected: "test=14",
          name: "Set cookie with (invalid) version=1 attribute",
        },
        {
          cookie: "test=15; version=1000;",
          expected: "test=15",
          name: "Set cookie with (invalid) version=1000 attribute",
        },
        {
          cookie: "test=16; customvalue='1000 or more';",
          expected: "test=16",
          name: "Set cookie ignoring anything after ; (which looks like an invalid attribute)",
        },
        {
          cookie: "test=17; customvalue='1000 or more'",
          expected: "test=17",
          name: "Set cookie ignoring anything after ; (which looks like an invalid attribute, with no trailing semicolon)",
        },

        // --- A comma must not start a second cookie ---
        // Everything after the first ';' belongs to the attribute list, so
        // "a=b" and "c=d" must not show up as cookies.
        {
          cookie: "test=18; foo=bar, a=b",
          expected: "test=18",
          name: "Ignore keys after semicolon",
        },
        {
          cookie: "test=19;max-age=3600, c=d;path=/",
          expected: "test=19",
          name: "Ignore attributes after semicolon",
          defaultPath: false,
        },

        // --- Empty or name-less Set-Cookie values sent with valid ones ---
        // The degenerate value must be ignored and must not disturb the
        // cookies set by the other values in the same array.
        {
          cookie: ["testA=20", "=", "testb=20"],
          expected: "testA=20; testb=20",
          name: "Ignore `Set-Cookie: =`",
        },
        {
          cookie: ["test=21", ""],
          expected: "test=21",
          name: "Ignore empty cookie string",
        },
        {
          cookie: ["test22", "="],
          expected: "test22",
          name: "Ignore `Set-Cookie: =` with other `Set-Cookie` headers",
        },
        {
          cookie: ["testA23", "; testB23"],
          expected: "testA23",
          name: "Ignore name- and value-less `Set-Cookie: ; bar`",
        },
        {
          cookie: ["test24", " "],
          expected: "test24",
          name: "Ignore name- and value-less `Set-Cookie: `",
        },
        {
          cookie: ["test25", "\t"],
          expected: "test25",
          name: "Ignore name- and value-less `Set-Cookie: \\t`",
        },

        // --- A recognised attribute that fails validation ---
        // Unlike the cases above, the expected result is no cookie at all:
        // per the test name, the Domain value does not domain-match, and the
        // surrounding noise must not cause the cookie to be accepted anyway.
        {
          cookie: "test=26; domain=.parser.test; ;; ;=; ,,, ===,abc,=; abracadabra! max-age=20;=;;",
          expected: "",
          name: "Ignore cookie with domain that won't domain match (along with other invalid noise)",
        },
      ];

      // Register one harness test per table entry, in table order.
      invalidAttributeTests.forEach(({ cookie, expected, name, defaultPath }) => {
        httpCookieTest(cookie, expected, name, defaultPath);
      });
    </script>
  </body>
</html>