Fix cookie prefix tests.

The layout tests aren't testing much at the moment, as they're never served over HTTPS. This patch creates `.https` versions of the tests and reworks them to actually exercise the behavior of `__Host` and `__Secure` cookie prefixes. Bug: 843945 Change-Id: I31968133ca8846f3ffc4faec2339e3d0d03c77f8 Reviewed-on: https://chromium-review.googlesource.com/1179150 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Philip Jägenstedt <foolip@chromium.org> Cr-Commit-Position: refs/heads/master@{#584016}

Fix cookie prefix tests.
The layout tests aren't testing much at the moment, as they're never served over HTTPS. This patch creates `.https` versions of the tests and reworks them to actually exercise the behavior of `__Host` and `__Secure` cookie prefixes. Bug: 843945 Change-Id: I31968133ca8846f3ffc4faec2339e3d0d03c77f8 Reviewed-on: https://chromium-review.googlesource.com/1179150 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Philip Jägenstedt <foolip@chromium.org> Cr-Commit-Position: refs/heads/master@{#584016}
caa764f5 · Mike West · Commit Bot · 46b0d6a9 · caa764f5 · caa764f5
Commit caa764f5 authored Aug 17, 2018 by Mike West Committed by Commit Bot Aug 17, 2018
15 changed files
--- a/third_party/WebKit/LayoutTests/TestExpectations
+++ b/third_party/WebKit/LayoutTests/TestExpectations
@@ -4260,8 +4260,6 @@ crbug.com/827231 external/wpt/cookie-store/document_cookie.tentative.html [ Pass
 crbug.com/827231 external/wpt/cookie-store/document_cookie.tentative.https.html [ Pass Failure ]
 # Failing cookies tests with random numbers in error message
-crbug.com/843945 external/wpt/cookies/prefix/__secure.http.secure.html [ Failure ]
-crbug.com/843945 external/wpt/cookies/prefix/document-cookie.non-secure.html [ Failure ]
 crbug.com/843945 external/wpt/cookies/samesite/fetch.html [ Failure ]
 crbug.com/843945 external/wpt/cookies/samesite/form-get-blank-reload.html [ Failure ]
 crbug.com/843945 external/wpt/cookies/samesite/form-get-blank.html [ Failure ]

--- a/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__host.document-cookie.non-secure.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__host.document-cookie.non-secure.html
--- a/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__host.document-cookie.https.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__host.document-cookie.https.html
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  ["", "MaxAge=10"].forEach(extraParams => {
+    // Without 'secure'
+    set_prefixed_cookie_via_dom_test({
+      prefix: "__Host-",
+      params: "Path=/;" + extraParams,
+      shouldExistInDOM: false,
+      shouldExistViaHTTP: false,
+      title: "__Host: Secure origin: Does not set 'Path=/;" + extraParams + "'"
+    });
+    // With 'secure'
+    set_prefixed_cookie_via_dom_test({
+      prefix: "__Host-",
+      params: "Secure; Path=/;" + extraParams,
+      shouldExistInDOM: true,
+      shouldExistViaHTTP: true,
+      title: "__Host: Secure origin: Does set 'Secure; Path=/;" + extraParams + "'"
+    });
+    // With 'domain'
+    set_prefixed_cookie_via_dom_test({
+      prefix: "__Host-",
+      params: "Secure; Path=/; Domain=" + document.location.hostname + "; " + extraParams,
+      shouldExistInDOM: false,
+      shouldExistViaHTTP: false,
+      title: "__Host: Secure origin: Does not set 'Secure; Path=/; Domain=" + document.location.hostname + "; " + extraParams + "'"
+    });
+  });
+  set_prefixed_cookie_via_dom_test({
+    prefix: "__Host-",
+    params: "Secure; Path=/cookies/resources/list.py",
+    shouldExistInDOM: false,
+    shouldExistViaHTTP: false,
+    title: "__Host: Secure origin: Does not set 'Secure; Path=/cookies/resources/list.py'"
+  });
+</script>
--- a/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__host.http.non-secure.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__host.http.non-secure.html
@@ -10,7 +10,7 @@
      params: "Path=/;" + extraParams,
      shouldExistInDOM: false,
      shouldExistViaHTTP: false,
-      title: "__Host: Non-secure origin: 'Path=/;" + extraParams + "'"
+      title: "__Host: Non-secure origin: Does not set 'Path=/;" + extraParams + "'"
    });
    // With 'secure'
@@ -19,7 +19,16 @@
      params: "Secure; Path=/;" + extraParams,
      shouldExistInDOM: false,
      shouldExistViaHTTP: false,
-      title: "__Host: Non-secure origin: 'Secure; Path=/;" + extraParams + "'"
+      title: "__Host: Non-secure origin: Does not set 'Secure; Path=/;" + extraParams + "'"
+    });
+    // With 'domain'
+    set_prefixed_cookie_via_http_test({
+      prefix: "__Host-",
+      params: "Secure; Path=/; Domain=" + document.location.hostname + "; " + extraParams,
+      shouldExistInDOM: false,
+      shouldExistViaHTTP: false,
+      title: "__Host: Secure origin: Does not set 'Secure; Path=/; Domain=" + document.location.hostname + "; " + extraParams + "'"
    });
  });
@@ -28,7 +37,7 @@
    params: "Secure; Path=/cookies/resources/list.py",
    shouldExistInDOM: false,
    shouldExistViaHTTP: false,
-    title: "__Host: Non-secure origin: 'Secure; Path=/cookies/resources/list.py'"
+    title: "__Host: Non-secure origin: Does not set 'Secure; Path=/cookies/resources/list.py'"
  });
 </script>
--- a/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__host.header.https.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__host.header.https.html
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  ["", "MaxAge=10", "HttpOnly"].forEach(extraParams => {
+    // Without 'secure'
+    set_prefixed_cookie_via_http_test({
+      prefix: "__Host-",
+      params: "Path=/;" + extraParams,
+      shouldExistInDOM: false,
+      shouldExistViaHTTP: false,
+      title: "__Host: Secure origin: Does not set 'Path=/;" + extraParams + "'"
+    });
+    // With 'secure'
+    set_prefixed_cookie_via_http_test({
+      prefix: "__Host-",
+      params: "Secure; Path=/;" + extraParams,
+      shouldExistInDOM: true,
+      shouldExistViaHTTP: true,
+      title: "__Host: Secure origin: Does set 'Secure; Path=/;" + extraParams + "'"
+    });
+    // With 'domain'
+    set_prefixed_cookie_via_http_test({
+      prefix: "__Host-",
+      params: "Secure; Path=/; Domain=" + document.location.hostname + "; " + extraParams,
+      shouldExistInDOM: false,
+      shouldExistViaHTTP: false,
+      title: "__Host: Secure origin: Does not set 'Secure; Path=/; Domain=" + document.location.hostname + "; " + extraParams + "'"
+    });
+  });
+  set_prefixed_cookie_via_http_test({
+    prefix: "__Host-",
+    params: "Secure; Path=/cookies/resources/list.py",
+    shouldExistInDOM: false,
+    shouldExistViaHTTP: false,
+    title: "__Host: Secure origin: Does not set 'Secure; Path=/cookies/resources/list.py'"
+  });
+</script>
--- a/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__secure.document-cookie.non-secure.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__secure.document-cookie.non-secure.html
@@ -3,14 +3,14 @@
 <script src="/resources/testharnessreport.js"></script>
 <script src="/cookies/resources/cookie-helper.sub.js"></script>
 <script>
-  ["", "domain="+document.location.hostname, "MaxAge=10", "HttpOnly"].forEach(extraParams => {
+  ["", "MaxAge=10", "domain="+document.location.hostname].forEach(extraParams => {
    // Without 'secure'
    set_prefixed_cookie_via_dom_test({
      prefix: "__Secure-",
      params: "Path=/;" + extraParams,
      shouldExistInDOM: false,
      shouldExistViaHTTP: false,
-      title: "__Secure: Non-secure origin: 'Path=/;" + extraParams + "'"
+      title: "__Secure: Non-secure origin: Should not set 'Path=/;" + extraParams + "'"
    });
    // With 'secure'
@@ -19,7 +19,7 @@
      params: "Secure; Path=/;" + extraParams,
      shouldExistInDOM: false,
      shouldExistViaHTTP: false,
-      title: "__Secure: Non-secure origin: 'Secure; Path=/;" + extraParams + "'"
+      title: "__Secure: Non-secure origin: Should not set 'Secure; Path=/;" + extraParams + "'"
    });
  });
 </script>
--- a/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__secure.document-cookie.https.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__secure.document-cookie.https.html
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  ["", "MaxAge=10", "domain="+document.location.hostname].forEach(extraParams => {
+    // Without 'secure'
+    set_prefixed_cookie_via_dom_test({
+      prefix: "__Secure-",
+      params: "Path=/;" + extraParams,
+      shouldExistInDOM: false,
+      shouldExistViaHTTP: false,
+      title: "__Secure: Secure origin: Should not set 'Path=/;" + extraParams + "'"
+    });
+    // With 'secure'
+    set_prefixed_cookie_via_dom_test({
+      prefix: "__Secure-",
+      params: "Secure; Path=/;" + extraParams,
+      shouldExistInDOM: true,
+      shouldExistViaHTTP: true,
+      title: "__Secure: Secure origin: Should set 'Secure; Path=/;" + extraParams + "'"
+    });
+  });
+</script>
--- a/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__secure.http.non-secure.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__secure.http.non-secure.html
@@ -8,18 +8,16 @@
    set_prefixed_cookie_via_http_test({
      prefix: "__Secure-",
      params: "Path=/;" + extraParams,
-      shouldExistInDOM: false,
      shouldExistViaHTTP: false,
-      title: "__Secure: Non-secure origin: 'Path=/;" + extraParams + "'"
+      title: "__Secure: Non-secure origin: Should not set 'Path=/;" + extraParams + "'"
    });
    // With 'secure'
    set_prefixed_cookie_via_http_test({
      prefix: "__Secure-",
      params: "Secure; Path=/;" + extraParams,
-      shouldExistInDOM: false,
+      shouldExistViaHTTP: true,
-      shouldExistViaHTTP: false,
+      title: "__Secure: Non-secure origin: Should set 'Secure; Path=/;" + extraParams + "'"
-      title: "__Secure: Non-secure origin: 'Secure; Path=/;" + extraParams + "'"
    });
  });
 </script>
--- a/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__secure.http.secure.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__secure.http.secure.html
@@ -6,22 +6,18 @@
  ["", "domain="+CROSS_SITE_HOST, "MaxAge=10", "HttpOnly"].forEach(extraParams => {
    // Without 'secure'
    set_prefixed_cookie_via_http_test({
-      origin: SECURE_CROSS_SITE_ORIGIN,
      prefix: "__Secure-",
      params: "Path=/;" + extraParams,
-      shouldExistInDOM: false,
      shouldExistViaHTTP: false,
-      title: "__Secure: secure origin: 'Path=/;" + extraParams + "'"
+      title: "__Secure: secure origin: Should not set 'Path=/;" + extraParams + "'"
    });
    // With 'secure'
    set_prefixed_cookie_via_http_test({
-      origin: SECURE_CROSS_SITE_ORIGIN,
      prefix: "__Secure-",
      params: "Secure;Path=/;" + extraParams,
-      shouldExistInDOM: false,
      shouldExistViaHTTP: true,
-      title: "__Secure: secure origin: 'Secure;Path=/;" + extraParams + "'"
+      title: "__Secure: secure origin: Should set 'Secure;Path=/;" + extraParams + "'"
    });
  });
 </script>
--- a/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__secure.http.secure-expected.txt
+++ b/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/__secure.http.secure-expected.txt
-This is a testharness.js-based test.
-PASS __Secure: secure origin: 'Path=/;'
-FAIL __Secure: secure origin: 'Secure;Path=/;' assert_equals: expected (string) "0.13232969518371385" but got (undefined) undefined
-PASS __Secure: secure origin: 'Path=/;domain=not-web-platform.test'
-FAIL __Secure: secure origin: 'Secure;Path=/;domain=not-web-platform.test' assert_equals: expected (string) "0.8627187387844981" but got (undefined) undefined
-PASS __Secure: secure origin: 'Path=/;MaxAge=10'
-FAIL __Secure: secure origin: 'Secure;Path=/;MaxAge=10' assert_equals: expected (string) "0.9587977318025727" but got (undefined) undefined
-PASS __Secure: secure origin: 'Path=/;HttpOnly'
-FAIL __Secure: secure origin: 'Secure;Path=/;HttpOnly' assert_equals: expected (string) "0.23905638776137872" but got (undefined) undefined
-Harness: the test ran to completion.
--- a/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/document-cookie.non-secure-expected.txt
+++ b/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/document-cookie.non-secure-expected.txt
-This is a testharness.js-based test.
-FAIL No prefix, root path, no special behavior assert_equals: expected (string) "0.3174911394171902" but got (undefined) undefined
-FAIL No prefix, domain, no special behavior assert_equals: expected (string) "0.6894663850906013" but got (undefined) undefined
-PASS __Secure: Non-secure origin: 'Path=/;'
-PASS __Secure: Non-secure origin: 'Secure; Path=/;'
-PASS __Secure: Non-secure origin: 'Path=/;domain=web-platform.test'
-PASS __Secure: Non-secure origin: 'Secure; Path=/;domain=web-platform.test'
-PASS __Secure: Non-secure origin: 'Path=/;MaxAge=10'
-PASS __Secure: Non-secure origin: 'Secure; Path=/;MaxAge=10'
-PASS __Secure: Non-secure origin: 'Path=/;HttpOnly'
-PASS __Secure: Non-secure origin: 'Secure; Path=/;HttpOnly'
-PASS __Host: Non-secure origin: 'Path=/; '
-PASS __Host: Non-secure origin: 'Secure; Path=/; '
-PASS __Host: Non-secure origin: 'Path=/; domain=web-platform.test'
-PASS __Host: Non-secure origin: 'Secure; Path=/; domain=web-platform.test'
-PASS __Host: Non-secure origin: 'Path=/; MaxAge=10'
-PASS __Host: Non-secure origin: 'Secure; Path=/; MaxAge=10'
-PASS __Host: Non-secure origin: 'Path=/; HttpOnly'
-PASS __Host: Non-secure origin: 'Secure; Path=/; HttpOnly'
-PASS __Host: Non-secure origin: 'Path=/cookies/resources/list.py;Secure'
-Harness: the test ran to completion.
--- a/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/document-cookie.non-secure.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/cookies/prefix/document-cookie.non-secure.html
@@ -12,7 +12,7 @@
      assert_dom_cookie(name, value, shouldExistInDOM);
-      return credFetch("/cookies/rfx6265bis/resources/list.py")
+      return credFetch("/cookies/resources/list.py")
        .then(r => r.json())
        .then(cookies => assert_equals(cookies[name], shouldExistViaHTTP ? value : undefined));
    }, title);

--- a/third_party/WebKit/LayoutTests/external/wpt/cookies/resources/cookie-helper.sub.js
+++ b/third_party/WebKit/LayoutTests/external/wpt/cookies/resources/cookie-helper.sub.js
@@ -180,27 +180,13 @@ return credFetch(origin + "/cookies/resources/dropSecure.py")
 }
 //
-// DOM based cookie manipulation API's
+// DOM based cookie manipulation APIs
 //
-// borrowed from http://www.quirksmode.org/js/cookies.html
-function create_cookie_from_js(name, value, days, secure_flag) {
-  if (days) {
-    var date = new Date();
-    date.setTime(date.getTime()+(days*24*60*60*1000));
-    var expires = "; expires="+date.toGMTString();
-  }
-  else var expires = "";
-  var secure = "";
-  if (secure_flag == true) {
-    secure = "secure; ";
-  }
-  document.cookie = name+"="+value+expires+"; "+secure+"path=/";
-}
 // erase cookie value and set for expiration
 function erase_cookie_from_js(name) {
-  create_cookie_from_js(name,"",-1);
+  let secure = self.location.protocol == "https:" ? "Secure" : "";
-  assert_dom_cookie(name, "", false);
+  document.cookie = `${name}=0; path=/; expires=${new Date(0).toUTCString()}; ${secure}`;
+  var re = new RegExp("(?:^|; )" + name);
+  assert_equals(re.test(document.cookie), false, "Sanity check: " + name + " has been deleted.");
 }
--- a/third_party/WebKit/LayoutTests/external/wpt/cookies/secure/cookie-forcing-expected.txt
+++ b/third_party/WebKit/LayoutTests/external/wpt/cookies/secure/cookie-forcing-expected.txt
-This is a testharness.js-based test.
-FAIL non-secure origins should be able to force out insecure cookies. assert_not_equals: got disallowed value undefined
-Harness: the test ran to completion.
--- a/third_party/WebKit/LayoutTests/external/wpt/cookies/secure/cookie-forcing.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/cookies/secure/cookie-forcing.html
-<!DOCTYPE html>
-<script src="/resources/testharness.js"></script>
-<script src="/resources/testharnessreport.js"></script>
-<script src="/cookies/resources/cookie-helper.sub.js"></script>
-<script>
-  function cookie_force_test(secure_origin, secure_cookie, present, title) {
-    var counter = 0;
-    promise_test(t => {
-      var testCookieValue = "" + Math.random();
-      var markerCookieName = "marker";
-      var markerCookieValue = "markerVal";
-      var brakes = 5000; //limit cookie setting limit in case browers are magic
-      // Set an initial cookie as a marker
-      create_cookie_from_js(markerCookieName, markerCookieValue, 10, secure_cookie);
-      //TODO we cant trust document.cookie to set secure cookies. Need a round trip to a secure origin.
-      assert_dom_cookie(markerCookieName, markerCookieValue, true);
-      // Set new cookies until marker is gone
-      try {
-        for (i = 0; i < brakes; i++) {
-          create_cookie_from_js(markerCookieName + counter++, markerCookieValue, 10, secure_cookie);
-          assert_dom_cookie(markerCookieName, markerCookieValue, true);
-        }
-      } catch(err) {
-        //shame on me, just fiddling for now
-      }
-      assert_dom_cookie(markerCookieName, markerCookieValue, present);
-      if (present == false) {
-        alert("It took " + counter + " cookies to force out the marker cookie");
-      } else {
-        alert("Even after " + counter + " cookies the marker cookie was not forced out. Try incresing the current limit of " + brakes);
-      }
-    }, title);
-  }
-  //actual tests to verify that non-secure origins should "leave secure cookies alone"
-  cookie_force_test(false, false, false, "non-secure origins should be able to force out insecure cookies.");
-</script>