Changeset 233830 in webkit

Timestamp:

Jul 13, 2018 6:07:38 PM (6 years ago)

Author:

wilander@apple.com

Message:

Flesh out WebSocket cookie tests to cover cookie policy for third-party resources
​https://bugs.webkit.org/show_bug.cgi?id=187541
<rdar://problem/42048729>

Reviewed by Alex Christensen.

• http/tests/cookies/resources/cookie-utilities.js:

Added a function for setting a cookie in a WebSocket handshake.

• http/tests/websocket/tests/hybi/cookie_wsh.py:

(web_socket_do_extra_handshake):

Now sets the root path for new cookies so that they can be seen by
for example cookies/resources/echo-cookies.php.

• http/tests/websocket/tests/hybi/websocket-allowed-setting-cookie-as-third-party-expected.txt: Added.
• http/tests/websocket/tests/hybi/websocket-allowed-setting-cookie-as-third-party.html: Added.
• http/tests/websocket/tests/hybi/websocket-blocked-from-setting-cookie-as-third-party-expected.txt: Added.
• http/tests/websocket/tests/hybi/websocket-blocked-from-setting-cookie-as-third-party.html: Added.
• http/tests/websocket/tests/hybi/websocket-cookie-overwrite-behavior-expected.txt:
• http/tests/websocket/tests/hybi/websocket-cookie-overwrite-behavior.html:

Now tests under the condition where localhost as third-party is
allowed to set a new cookie as third party. It also makes sure to use
cookies with the path set to the root so that all cookies are visible.

Location:

trunk/LayoutTests

Files:

• ChangeLog (modified) (1 diff)
• http/tests/cookies/resources/cookie-utilities.js (modified) (1 diff)
• http/tests/websocket/tests/hybi/cookie_wsh.py (modified) (2 diffs)
• http/tests/websocket/tests/hybi/websocket-allowed-setting-cookie-as-third-party-expected.txt (added)
• http/tests/websocket/tests/hybi/websocket-allowed-setting-cookie-as-third-party.html (added)
• http/tests/websocket/tests/hybi/websocket-blocked-from-setting-cookie-as-third-party-expected.txt (added)
• http/tests/websocket/tests/hybi/websocket-blocked-from-setting-cookie-as-third-party.html (added)
• http/tests/websocket/tests/hybi/websocket-cookie-overwrite-behavior-expected.txt (modified) (1 diff)
• http/tests/websocket/tests/hybi/websocket-cookie-overwrite-behavior.html (modified) (5 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2018-07-13  John Wilander  <wilander@apple.com>
+
+        Flesh out WebSocket cookie tests to cover cookie policy for third-party resources
+        https://bugs.webkit.org/show_bug.cgi?id=187541
+        <rdar://problem/42048729>
+
+        Reviewed by Alex Christensen.
+
+        * http/tests/cookies/resources/cookie-utilities.js:
+            Added a function for setting a cookie in a WebSocket handshake.
+        * http/tests/websocket/tests/hybi/cookie_wsh.py:
+        (web_socket_do_extra_handshake):
+            Now sets the root path for new cookies so that they can be seen by
+            for example cookies/resources/echo-cookies.php.
+        * http/tests/websocket/tests/hybi/websocket-allowed-setting-cookie-as-third-party-expected.txt: Added.
+        * http/tests/websocket/tests/hybi/websocket-allowed-setting-cookie-as-third-party.html: Added.
+        * http/tests/websocket/tests/hybi/websocket-blocked-from-setting-cookie-as-third-party-expected.txt: Added.
+        * http/tests/websocket/tests/hybi/websocket-blocked-from-setting-cookie-as-third-party.html: Added.
+        * http/tests/websocket/tests/hybi/websocket-cookie-overwrite-behavior-expected.txt:
+        * http/tests/websocket/tests/hybi/websocket-cookie-overwrite-behavior.html:
+            Now tests under the condition where localhost as third-party is
+            allowed to set a new cookie as third party. It also makes sure to use
+            cookies with the path set to the root so that all cookies are visible.
+
 2018-07-13  Youenn Fablet  <youenn@apple.com>
 

trunk/LayoutTests/http/tests/cookies/resources/cookie-utilities.js

@@ -229 +229 @@
         testFailed(`DOM cookie "${name}" should have value ${expectedValue}. Was ${value}.`);
 }
+
+function setCookieUsingWebSocketFromHost(host)
+{
+    var promise = new Promise(resolve => {
+        var websocket = new WebSocket(`ws://${host}:8880/websocket/tests/hybi/cookie?set`);
+        websocket.onclose = () => resolve();
+    });
+    return promise;
+}

trunk/LayoutTests/http/tests/websocket/tests/hybi/cookie_wsh.py

@@ -1 +1 @@
 # Copyright (C) 2014 Google Inc. All rights reserved.
+# Copyright (C) 2018 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -39 +40 @@
 
     ONE_DAY_LIFE = 'Max-Age=86400'
+    ROOT_PATH = 'path=/'
 
     if command == 'set':
-        _add_set_cookie(request, '; '.join(['foo=bar', ONE_DAY_LIFE]))
+        _add_set_cookie(request, '; '.join(['foo=bar', ONE_DAY_LIFE, ROOT_PATH]))
     elif command == 'set_httponly':
         _add_set_cookie(request,
-            '; '.join(['httpOnlyFoo=bar', ONE_DAY_LIFE, 'httpOnly']))
+            '; '.join(['httpOnlyFoo=bar', ONE_DAY_LIFE, ROOT_PATH, 'httpOnly']))
     elif command == 'clear':
         _add_set_cookie(request, 'foo=0; Max-Age=0')

trunk/LayoutTests/http/tests/websocket/tests/hybi/websocket-cookie-overwrite-behavior-expected.txt

@@ -4 +4 @@
 
 
-Same origin WebSocket:
-PASS cookieValue is "foo=bar"
+Setting third-party cookie 'foo' through cross-origin WebSocket handshake and checking that it doesn't write first-party cookies.
+PASS cookieValue is ""
 
-Cross origin WebSocket:
-PASS cookieValue is ""
+Opening localhost third-party iframe to check its cookies.
 PASS successfullyParsed is true
 
 TEST COMPLETE
 
+
+--------
+Frame: '<!--frame1-->'
+--------
+Cookies are: setAsFirstParty = value foo = bar

trunk/LayoutTests/http/tests/websocket/tests/hybi/websocket-cookie-overwrite-behavior.html

@@ -3 +3 @@
 <head>
 <script src="../../../../js-test-resources/js-test.js"></script>
+<script src="../../../cookies/resources/cookie-utilities.js"></script>
 <script>
 window.jsTestIsAsync = true;
@@ -10 +11 @@
 function clearCookie()
 {
-    document.cookie = "foo=0; Max-Age=0"; // The key "foo" must match the key used in the WebSocket Set-Cookie header.
-}
-
-function setCookieFromHost(host)
-{
-    var promise = new Promise(resolve => {
-        var websocket = new WebSocket(`ws://${host}:8880/websocket/tests/hybi/cookie?set`);
-        websocket.onclose = () => resolve();
-    });
-    return promise;
+    document.cookie = "foo=0; Max-Age=0; path=/"; // The key "foo" must match the key used in the WebSocket Set-Cookie header.
 }
 
@@ -30 +22 @@
 {
     clearCookie();
-    document.cookie = "foo=should_be_overwritten_by_websocket_set_cookie";
-    await setCookieFromHost("127.0.0.1");
+    document.cookie = "foo=should_be_overwritten_by_websocket_set_cookie; path=/";
+    await setCookieUsingWebSocketFromHost("127.0.0.1");
     cookieValue = echoCookie();
     shouldBeEqualToString("cookieValue", "foo=bar");
@@ -39 +31 @@
 {
     clearCookie();
-    await setCookieFromHost("localhost");
+    await setCookieUsingWebSocketFromHost("localhost");
     cookieValue = echoCookie();
     shouldBeEmptyString("cookieValue");
@@ -46 +38 @@
 async function runTests()
 {
-    debug("Same origin WebSocket:");
-    await testSameOriginCookie();
-    debug("<br>Cross origin WebSocket:");
-    await testCrossOriginCookie();
-    finishJSTest();
+    switch (document.location.hash) {
+        case "":
+            await testSameOriginCookie();
+            // Test that a third-party without pre-existing cookies does not write first-party cookies.
+            await testCrossOriginCookie();
+            // Navigate to localhost to set first-party cookie 'setAsFirstParty'.
+            document.location.href = "http://localhost:8000/websocket/tests/hybi/websocket-cookie-overwrite-behavior.html#setCookieAsFirstParty";
+            break;
+        case "#setCookieAsFirstParty":
+            await setCookie("setAsFirstParty", "value");
+            // Navigate back to 127.0.0.1 to test third-party cookie.
+            document.location.href = "http://127.0.0.1:8000/websocket/tests/hybi/websocket-cookie-overwrite-behavior.html#didSetCookieAsFirstParty";
+            break;
+        case "#didSetCookieAsFirstParty":
+            testRunner.dumpChildFramesAsText();
+            // Test that a third-party with a pre-existing cookie does not write first-party cookies.
+            debug("Setting third-party cookie 'foo' through cross-origin WebSocket handshake and checking that it doesn't write first-party cookies.");
+            await testCrossOriginCookie();
+            let iframeElement = document.createElement("iframe");
+            iframeElement.src = "http://localhost:8000/cookies/resources/echo-cookies.php";
+            iframeElement.onload = finishJSTest;
+            debug("<br>Opening localhost third-party iframe to check its cookies.");
+            document.body.appendChild(iframeElement);
+            break;
+    }
 }
 </script>