httponly_cookies.https.window.js (3803B)
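// META: script=resources/cookie-test-helpers.js

'use strict';

// These tests cover the script-facing side of the HttpOnly cookie attribute:
// a cookie set over HTTP with `httponly` must stay out of script-visible reads
// and change events, and the script APIs (document.cookie, cookieStore) must
// not be able to create, overwrite or delete such a cookie.
//
// setCookieStringHttp, getCookieStringHttp, getCookieString,
// observeNextCookieChangeEvent, verifyCookieChangeEvent and cookie_test are
// not defined in this file; presumably they come from the META script above.

// An HttpOnly cookie written, overwritten and cleared over HTTP is visible in
// the HTTP cookie jar only, and its deletion produces no change event.
promise_test(async t => {
  // NOTE(review): this first observer is replaced further down before it is
  // ever awaited, so as written only the deletion step is checked against the
  // change-event stream. Whether the set/overwrite steps are covered depends
  // on the helper's listener behaviour; confirm.
  let eventPromise = observeNextCookieChangeEvent();
  await setCookieStringHttp('HTTPONLY-cookie=value; path=/; httponly');
  // Register the cleanup as soon as the cookie exists (same pattern as the
  // last test in this file). If an assertion below throws, the HttpOnly
  // cookie would otherwise stay in the jar and leak into later tests.
  t.add_cleanup(async () => {
    await setCookieStringHttp(`HTTPONLY-cookie=DELETED; path=/; httponly; Max-Age=0`);
  });
  assert_equals(
      await getCookieString(),
      undefined,
      'HttpOnly cookie we wrote using HTTP in cookie jar' +
        ' is invisible to script');
  assert_equals(
      await getCookieStringHttp(),
      'HTTPONLY-cookie=value',
      'HttpOnly cookie we wrote using HTTP in HTTP cookie jar');

  await setCookieStringHttp('HTTPONLY-cookie=new-value; path=/; httponly');
  assert_equals(
      await getCookieString(),
      undefined,
      'HttpOnly cookie we overwrote using HTTP in cookie jar' +
        ' is invisible to script');
  assert_equals(
      await getCookieStringHttp(),
      'HTTPONLY-cookie=new-value',
      'HttpOnly cookie we overwrote using HTTP in HTTP cookie jar');

  eventPromise = observeNextCookieChangeEvent();
  await setCookieStringHttp(
      'HTTPONLY-cookie=DELETED; path=/; max-age=0; httponly');
  assert_equals(
      await getCookieString(),
      undefined,
      'Empty cookie jar after HTTP cookie-clearing using max-age=0');
  assert_equals(
      await getCookieStringHttp(),
      undefined,
      'Empty HTTP cookie jar after HTTP cookie-clearing using max-age=0');

  // HTTPONLY cookie changes should not have been observed; perform
  // a dummy change to verify that nothing else was queued up.
  await cookieStore.set('TEST', 'dummy');
  t.add_cleanup(async () => {
    await cookieStore.delete('TEST');
  });
  await verifyCookieChangeEvent(
      eventPromise, {changed: [{name: 'TEST', value: 'dummy'}]},
      'HttpOnly cookie deletion was not observed');
}, 'HttpOnly cookies are not observed');


// A document.cookie write carrying `httponly` must be dropped: only the two
// plain cookies are expected in the HTTP cookie jar afterwards.
cookie_test(async t => {
  document.cookie = 'cookie1=value1; path=/';
  document.cookie = 'cookie2=value2; path=/; httponly';
  document.cookie = 'cookie3=value3; path=/';
  assert_equals(
      await getCookieStringHttp(), 'cookie1=value1; cookie3=value3',
      'Trying to store an HttpOnly cookie with document.cookie fails');
}, 'HttpOnly cookies can not be set by document.cookie');


// Historical: Early iterations of the proposal included an httpOnly option.
// The test expects cookie2 to be stored despite the extra {httpOnly: true}
// argument.
// NOTE(review): the only read here is the HTTP cookie jar, which elsewhere in
// this file also lists HttpOnly cookies, so this assertion alone does not
// show that cookie2 was stored *without* the HttpOnly flag. A script-side
// read of cookie2 would pin that; confirm the helper's output format before
// adding one.
cookie_test(async t => {
  await cookieStore.set('cookie1', 'value1');
  await cookieStore.set('cookie2', 'value2', {httpOnly: true});
  await cookieStore.set('cookie3', 'value3');
  assert_equals(
      await getCookieStringHttp(),
      'cookie1=value1; cookie2=value2; cookie3=value3',
      'httpOnly is not an option for CookieStore.set()');
}, 'HttpOnly cookies can not be set by CookieStore');

// Script must not be able to overwrite or delete an existing HttpOnly cookie
// through cookieStore.
promise_test(async t => {
  await setCookieStringHttp('HTTPONLY-cookie=value; path=/; httponly');
  t.add_cleanup(async () => {
    await setCookieStringHttp(`HTTPONLY-cookie=DELETED; path=/; httponly; Max-Age=0`);
  });
  assert_equals(
      await getCookieString(),
      undefined,
      'HttpOnly cookie we wrote using HTTP in cookie jar' +
        ' is invisible to script');
  assert_equals(
      await getCookieStringHttp(),
      'HTTPONLY-cookie=value',
      'HttpOnly cookie we wrote using HTTP in HTTP cookie jar');

  try {
    await cookieStore.set('HTTPONLY-cookie', 'dummy');
  } catch (e) {
    // Deliberately ignored: the call may reject or resolve without effect.
    // The assertions below pin the resulting cookie state either way.
  }

  assert_equals(
      await getCookieString(),
      undefined,
      'HttpOnly cookie is not overwritten');

  try {
    await cookieStore.delete('HTTPONLY-cookie');
  } catch (e) {
    // Deliberately ignored, as for the set() attempt above.
  }

  // An undefined script-side read cannot tell "still hidden" from "deleted";
  // the HTTP-side assertion that follows is the one that proves the cookie
  // survived the delete() attempt.
  assert_equals(
      await getCookieString(),
      undefined,
      'HttpOnly cookie is still invisible to script after cookieStore.delete()');

  assert_equals(
      await getCookieStringHttp(),
      'HTTPONLY-cookie=value',
      'HttpOnly cookie is not deleted');
}, 'HttpOnly cookies are not deleted/overwritten');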