Enforce existing requirements for setting httponly cookies on the

SetCanonicalCookie pathway (used to just be enforced via SetCookieWithOptions()). Discovered in writing tests for the cookie service, so using that bug. Bug: 721395 Change-Id: I6d8b0e44e99063200de6f5983d0049af4efd2bc6 Reviewed-on: https://chromium-review.googlesource.com/581797Reviewed-by: Matt Menke <mmenke@chromium.org> Commit-Queue: Randy Smith <rdsmith@chromium.org> Cr-Commit-Position: refs/heads/master@{#491643}

Enforce existing requirements for setting httponly cookies on the
SetCanonicalCookie pathway (used to just be enforced via SetCookieWithOptions()). Discovered in writing tests for the cookie service, so using that bug. Bug: 721395 Change-Id: I6d8b0e44e99063200de6f5983d0049af4efd2bc6 Reviewed-on: https://chromium-review.googlesource.com/581797Reviewed-by: Matt Menke <mmenke@chromium.org> Commit-Queue: Randy Smith <rdsmith@chromium.org> Cr-Commit-Position: refs/heads/master@{#491643}
10400077 · Randy Smith · Commit Bot · d33d00d5 · 10400077 · 10400077
Commit 10400077 authored Aug 03, 2017 by Randy Smith Committed by Commit Bot Aug 03, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 41 additions and 1 deletion

net/cookies/cookie_monster.cc net/cookies/cookie_monster.cc +2 -1

net/cookies/cookie_store_unittest.h net/cookies/cookie_store_unittest.h +39 -0

No files found.
--- a/net/cookies/cookie_monster.cc
+++ b/net/cookies/cookie_monster.cc
@@ -1409,7 +1409,8 @@ void CookieMonster::SetCanonicalCookie(std::unique_ptr<CanonicalCookie> cc,
                                       SetCookiesCallback callback) {
  DCHECK(thread_checker_.CalledOnValidThread());

-  if (cc->IsSecure() && !secure_source) {
+  if ((cc->IsSecure() && !secure_source) ||
+      (cc->IsHttpOnly() && !modify_http_only)) {
    MaybeRunCookieCallback(std::move(callback), false);
    return;
  }

--- a/net/cookies/cookie_store_unittest.h
+++ b/net/cookies/cookie_store_unittest.h
@@ -537,6 +537,45 @@ TYPED_TEST_P(CookieStoreTest, SetCanonicalCookieTest) {
          COOKIE_PRIORITY_DEFAULT),
      false, true));

+  if (TypeParam::supports_http_only) {
+    // Permission to modify http only cookies is required to create an
+    // httponly cookie.
+    EXPECT_FALSE(this->SetCanonicalCookie(
+        cs,
+        base::MakeUnique<CanonicalCookie>(
+            "G", "H", http_foo_host, "/unique", base::Time(), base::Time(),
+            base::Time(), false, true, CookieSameSite::DEFAULT_MODE,
+            COOKIE_PRIORITY_DEFAULT),
+        /* secure_source */ false, /* modify_http_only */ false));
+
+    // Permission to modify httponly cookies is also required to overwrite
+    // an httponly cookie.
+    EXPECT_TRUE(this->SetCanonicalCookie(
+        cs,
+        base::MakeUnique<CanonicalCookie>(
+            "G", "H", http_foo_host, "/unique", base::Time(), base::Time(),
+            base::Time(), false, true, CookieSameSite::DEFAULT_MODE,
+            COOKIE_PRIORITY_DEFAULT),
+        /* secure_source */ false, /* modify_http_only */ true));
+
+    EXPECT_FALSE(this->SetCanonicalCookie(
+        cs,
+        base::MakeUnique<CanonicalCookie>(
+            "G", "H", http_foo_host, "/unique", base::Time(), base::Time(),
+            base::Time(), false, true, CookieSameSite::DEFAULT_MODE,
+            COOKIE_PRIORITY_DEFAULT),
+        /* secure_source */ false, /* modify_http_only */ false));
+  } else {
+    // Leave store in same state as if the above tests had been run.
+    EXPECT_TRUE(this->SetCanonicalCookie(
+        cs,
+        base::MakeUnique<CanonicalCookie>(
+            "G", "H", http_foo_host, "/unique", base::Time(), base::Time(),
+            base::Time(), false, true, CookieSameSite::DEFAULT_MODE,
+            COOKIE_PRIORITY_DEFAULT),
+        /* secure_source */ false, /* modify_http_only */ true));
+  }
+
  // Get all the cookies for a given URL, regardless of properties. This 'get()'
  // operation shouldn't update the access time, as the test checks that the
  // access time is set properly upon creation. Updating the access time would