tor-browser

The Tor Browser

attributes.www.sub.html (4860B)


      1 <!doctype html>
      2 <html>
      3 
      4 <head>
      5  <meta charset=utf-8>
      6  <title>Test cookie attribute size restrictions</title>
      7  <meta name=help href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4">
      8  <meta name="timeout" content="long">
      9  <script src="/resources/testharness.js"></script>
     10  <script src="/resources/testharnessreport.js"></script>
     11  <script src="/resources/testdriver.js"></script>
     12  <script src="/resources/testdriver-vendor.js"></script>
     13  <script src="/cookies/resources/cookie-test.js"></script>
     14 </head>
     15 
     16 <body>
     17  <div id=log></div>
     18  <script>
     19    const host = "{{host}}";
     20    const attrSizeTests = [
     21      {
     22        cookie: `test=1; path=/cookies/size; path=/cookies/siz${"e".repeat(1024)}`,
     23        expected: "test=1",
     24        name: "Too long path attribute (>1024 bytes) is ignored; previous valid path wins.",
     25        defaultPath: false,
     26      },
     27      {
     28        cookie: `test=2; path=/cookies/siz${"e".repeat(1024)}; path=/cookies/size`,
     29        expected: "test=2",
     30        name: "Too long path attribute (>1024 bytes) is ignored; next valid path wins.",
     31        defaultPath: false,
     32      },
     33      {
     34        // Look for the cookie using the default path to ensure that it
     35        // doesn't show up if the path attribute actually takes effect.
     36        cookie: `test=3; path=/${"a".repeat(1023)};`,
     37        expected: "",
     38        name: "Max size path attribute (1024 bytes) is not ignored",
     39      },
     40      {
     41        // Look for the cookie using the default path to ensure that it
     42        // shows up if the path is ignored.
     43        cookie: `test=4; path=/${"a".repeat(1024)};`,
     44        expected: "test=4",
     45        name: "Too long path attribute (>1024 bytes) is ignored",
     46      },
     47      {
     48        // This page opens on the www subdomain, so we set domain to {{host}}
     49        // to see if anything works as expected. Using a valid domain other
     50        // than ${host} will cause the cookie to fail to be set.
     51 
     52        // NOTE: the domain we use for testing here is technically invalid per
     53        // the RFCs that define the format of domain names, but currently
     54        // neither RFC6265bis or the major browsers enforce those restrictions
     55        // when parsing cookie domain attributes. If that changes, update these
     56        // tests.
     57        cookie: `test=5; domain=${host}; domain=${"a".repeat(1024)}.com`,
     58        expected: "test=5",
     59        name: "Too long domain attribute (>1024 bytes) is ignored; previous valid domain wins.",
     60      },
     61      {
     62        cookie: `test=6; domain=${"a".repeat(1024)}.com; domain=${host}`,
     63        expected: "test=6",
     64        name: "Too long domain attribute (>1024 bytes) is ignored; next valid domain wins.",
     65      },
     66      {
     67        cookie: `test=7; domain=${"a".repeat(1020)}.com;`,
     68        expected: "",
     69        name: "Max size domain attribute (1024 bytes) is not ignored"
     70      },
     71      {
     72        cookie: `test=8; domain=${"a".repeat(1021)}.com;`,
     73        expected: "test=8",
     74        name: "Too long domain attribute (>1024 bytes) is ignored"
     75      },
     76      {
     77        cookie: cookieStringWithNameAndValueLengths(2048, 2048) +
     78          `; domain=${"a".repeat(1020)}.com; domain=${host}`,
     79        expected: cookieStringWithNameAndValueLengths(2048, 2048),
     80        name: "Set cookie with max size name/value pair and max size attribute value",
     81      },
     82      {
     83        // RFC6265bis doesn't specify a maximum size of the entire Set-Cookie
     84        // header, although some browsers do
     85        cookie: cookieStringWithNameAndValueLengths(2048, 2048) +
     86          `; domain=${"a".repeat(1020)}.com` +
     87          `; domain=${"a".repeat(1020)}.com` +
     88          `; domain=${"a".repeat(1020)}.com` +
     89          `; domain=${"a".repeat(1020)}.com; domain=${host}`,
     90        expected: cookieStringWithNameAndValueLengths(2048, 2048),
     91        name: "Set cookie with max size name/value pair and multiple max size attributes (>8k bytes total)",
     92      },
     93      {
     94        cookie: `test=11; max-age=${"1".repeat(1024)};`,
     95        expected: "test=11",
     96        name: "Max length Max-Age attribute value (1024 bytes) doesn't cause cookie rejection"
     97      },
     98      {
     99        cookie: `test=12; max-age=${"1".repeat(1025)};`,
    100        expected: "test=12",
    101        name: "Too long Max-Age attribute value (>1024 bytes) doesn't cause cookie rejection"
    102      },
    103      {
    104        cookie: `test=13; max-age=-${"1".repeat(1023)};`,
    105        expected: "",
    106        name: "Max length negative Max-Age attribute value (1024 bytes) doesn't get ignored"
    107      },
    108      {
    109        cookie: `test=14; max-age=-${"1".repeat(1024)};`,
    110        expected: "test=14",
    111        name: "Too long negative Max-Age attribute value (>1024 bytes) gets ignored"
    112      },
    113    ];
    114 
    115    for (const test of attrSizeTests) {
    116      httpCookieTest(test.cookie, test.expected, test.name, test.defaultPath);
    117    }
    118  </script>
    119 </body>
    120 
    121 </html>