Source code

Revision control

Copy as Markdown

Other Tools

Test Info:

<!doctype html>
<html>
<head>
<meta charset=utf-8>
<title>Test invalid attribute parsing</title>
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/resources/testdriver.js"></script>
<script src="/resources/testdriver-vendor.js"></script>
<script src="/cookies/resources/cookie-test.js"></script>
</head>
<body>
<div id=log></div>
<script>
// These tests ensure that invalid attributes don't affect
// cookie parsing. `Path` isn't important to the tests where it appears,
// but it's used to be able to place the invalid attribute in different
// locations.
const invalidAttributeTests = [
{
cookie: "test=1; lol; Path=/",
expected: "test=1",
name: "Set cookie with invalid attribute",
defaultPath: false
},
{
cookie: "test=2; Path=/; lol",
expected: "test=2",
name: "Set cookie ending with invalid attribute.",
defaultPath: false
},
{
cookie: "test=3; Path=/; 'lol'",
expected: "test=3",
name: "Set cookie ending with quoted invalid attribute.",
defaultPath: false
},
{
cookie: 'test=4; Path=/; "lol"',
expected: "test=4",
name: "Set cookie ending with double-quoted invalid attribute.",
defaultPath: false
},
{
cookie: "test=5; Path=/; lol=",
expected: "test=5",
name: "Set cookie ending with invalid attribute equals.",
defaultPath: false
},
{
cookie: 'test=6; lol="aaa;bbb"; Path=/',
expected: "test=6",
name: "Set cookie with two invalid attributes (lol=\"aaa and bbb).",
defaultPath: false
},
{
cookie: 'test=7; Path=/; lol="aaa;bbb"',
expected: "test=7",
name: "Set cookie ending with two invalid attributes (lol=\"aaa and bbb).",
defaultPath: false
},
{
cookie: 'test=8; "Secure"',
expected: "test=8",
// This gets parsed as an unrecognized \"Secure\" attribute, not a valid
// Secure attribute. That's why it gets set on an non-secure origin.
name: "Set cookie for quoted Secure attribute",
},
{
cookie: "test=9; Secure qux",
expected: "test=9",
// This should be parsed as an unrecognized "Secure qux" attribute
// and ignored. That is, the cookie will not be Secure.
name: "Set cookie for Secure qux",
},
{
cookie: "test=10; b,az=qux",
expected: "test=10",
name: "Ignore invalid attribute name with comma",
},
{
cookie: "test=11; baz=q,ux",
expected: "test=11",
name: "Ignore invalid attribute value with comma",
},
{
cookie: " test = 12 ;foo;;; bar",
expected: "test=12",
name: "Set cookie ignoring multiple invalid attributes, whitespace, and semicolons",
},
{
cookie: " test=== 13 ;foo;;; bar",
expected: "test=== 13",
name: "Set cookie with multiple '='s in its value, ignoring multiple invalid attributes, whitespace, and semicolons",
},
{
cookie: "test=14; version=1;",
expected: "test=14",
name: "Set cookie with (invalid) version=1 attribute",
},
{
cookie: "test=15; version=1000;",
expected: "test=15",
name: "Set cookie with (invalid) version=1000 attribute",
},
{
cookie: "test=16; customvalue='1000 or more';",
expected: "test=16",
name: "Set cookie ignoring anything after ; (which looks like an invalid attribute)",
},
{
cookie: "test=17; customvalue='1000 or more'",
expected: "test=17",
name: "Set cookie ignoring anything after ; (which looks like an invalid attribute, with no trailing semicolon)",
},
{
cookie: "test=18; foo=bar, a=b",
expected: "test=18",
name: "Ignore keys after semicolon",
},
{
cookie: "test=19;max-age=3600, c=d;path=/",
expected: "test=19",
name: "Ignore attributes after semicolon",
defaultPath: false,
},
{
cookie: ["testA=20", "=", "testb=20"],
expected: "testA=20; testb=20",
name: "Ignore `Set-Cookie: =`",
},
{
cookie: ["test=21", ""],
expected: "test=21",
name: "Ignore empty cookie string",
},
{
cookie: ["test22", "="],
expected: "test22",
name: "Ignore `Set-Cookie: =` with other `Set-Cookie` headers",
},
{
cookie: ["testA23", "; testB23"],
expected: "testA23",
name: "Ignore name- and value-less `Set-Cookie: ; bar`",
},
{
cookie: ["test24", " "],
expected: "test24",
name: "Ignore name- and value-less `Set-Cookie: `",
},
{
cookie: ["test25", "\t"],
expected: "test25",
name: "Ignore name- and value-less `Set-Cookie: \\t`",
},
{
cookie: "test=26; domain=.parser.test; ;; ;=; ,,, ===,abc,=; abracadabra! max-age=20;=;;",
expected: "",
name: "Ignore cookie with domain that won't domain match (along with other invalid noise)",
},
];
for (const test of invalidAttributeTests) {
httpCookieTest(test.cookie, test.expected, test.name, test.defaultPath);
}
</script>
</body>
</html>