mirror of
https://github.com/servo/servo.git
synced 2025-08-03 12:40:06 +01:00
correctly send secure cookies after hsts url match
Fix for #8100, where sites in the hsts list were not recieving secure cookies if the site was originally loading using a plain http url.
This commit is contained in:
Bob
parent
5862675b82
commit
759099c78d
2 changed files with 49 additions and 4 deletions
|
|
@ -513,6 +513,7 @@ fn request_must_be_secured(url: &Url, hsts_list: &Arc<RwLock<HSTSList>>) -> bool
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn modify_request_headers(headers: &mut Headers,
|
pub fn modify_request_headers(headers: &mut Headers,
|
||||||
|
url: &Url,
|
||||||
doc_url: &Url,
|
doc_url: &Url,
|
||||||
user_agent: &str,
|
user_agent: &str,
|
||||||
cookie_jar: &Arc<RwLock<CookieStorage>>,
|
cookie_jar: &Arc<RwLock<CookieStorage>>,
|
||||||
|
|
@ -529,7 +530,7 @@ pub fn modify_request_headers(headers: &mut Headers,
|
||||||
set_default_accept_encoding(headers);
|
set_default_accept_encoding(headers);
|
||||||
// https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch step 11
|
// https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch step 11
|
||||||
if load_data.credentials_flag {
|
if load_data.credentials_flag {
|
||||||
set_request_cookies(doc_url.clone(), headers, cookie_jar);
|
set_request_cookies(url.clone(), headers, cookie_jar);
|
||||||
|
|
||||||
// https://fetch.spec.whatwg.org/#http-network-or-cache-fetch step 12
|
// https://fetch.spec.whatwg.org/#http-network-or-cache-fetch step 12
|
||||||
if !headers.has::<Authorization<Basic>>() {
|
if !headers.has::<Authorization<Basic>>() {
|
||||||
|
|
@ -725,7 +726,7 @@ pub fn load<A>(load_data: LoadData,
|
||||||
|
|
||||||
let request_id = uuid::Uuid::new_v4().to_simple_string();
|
let request_id = uuid::Uuid::new_v4().to_simple_string();
|
||||||
|
|
||||||
modify_request_headers(&mut request_headers, &doc_url, &user_agent, &cookie_jar, &load_data);
|
modify_request_headers(&mut request_headers, &url, &doc_url, &user_agent, &cookie_jar, &load_data);
|
||||||
|
|
||||||
let response = try!(obtain_response(request_factory, &url, &method, &request_headers,
|
let response = try!(obtain_response(request_factory, &url, &method, &request_headers,
|
||||||
&cancel_listener, &load_data.data, &load_data.method,
|
&cancel_listener, &load_data.data, &load_data.method,
|
||||||
|
|
|
||||||
|
|
@ -18,10 +18,10 @@ use hyper::status::StatusCode;
|
||||||
use msg::constellation_msg::PipelineId;
|
use msg::constellation_msg::PipelineId;
|
||||||
use net::cookie::Cookie;
|
use net::cookie::Cookie;
|
||||||
use net::cookie_storage::CookieStorage;
|
use net::cookie_storage::CookieStorage;
|
||||||
use net::hsts::{HSTSList};
|
use net::hsts::{HSTSList, HSTSEntry};
|
||||||
use net::http_loader::{load, LoadError, HttpRequestFactory, HttpRequest, HttpResponse};
|
use net::http_loader::{load, LoadError, HttpRequestFactory, HttpRequest, HttpResponse};
|
||||||
use net::resource_thread::CancellationListener;
|
use net::resource_thread::CancellationListener;
|
||||||
use net_traits::{LoadData, CookieSource, LoadContext};
|
use net_traits::{LoadData, CookieSource, LoadContext, IncludeSubdomains};
|
||||||
use std::borrow::Cow;
|
use std::borrow::Cow;
|
||||||
use std::io::{self, Write, Read, Cursor};
|
use std::io::{self, Write, Read, Cursor};
|
||||||
use std::sync::mpsc::Receiver;
|
use std::sync::mpsc::Receiver;
|
||||||
|
|
@ -813,6 +813,50 @@ fn test_load_sets_requests_cookies_header_for_url_by_getting_cookies_from_the_re
|
||||||
&CancellationListener::new(None));
|
&CancellationListener::new(None));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_load_sends_secure_cookie_if_http_changed_to_https_due_to_entry_in_hsts_store() {
|
||||||
|
let url = url!("http://mozilla.com");
|
||||||
|
let secured_url = url!("https://mozilla.com");
|
||||||
|
|
||||||
|
let hsts_list = Arc::new(RwLock::new(HSTSList::new()));
|
||||||
|
let cookie_jar = Arc::new(RwLock::new(CookieStorage::new()));
|
||||||
|
|
||||||
|
{
|
||||||
|
let mut hsts_list = hsts_list.write().unwrap();
|
||||||
|
let entry = HSTSEntry::new(
|
||||||
|
"mozilla.com".to_owned(), IncludeSubdomains::Included, Some(1000000)
|
||||||
|
).unwrap();
|
||||||
|
hsts_list.push(entry);
|
||||||
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
let mut cookie_jar = cookie_jar.write().unwrap();
|
||||||
|
let cookie_url = secured_url.clone();
|
||||||
|
let mut cookie_pair = CookiePair::new("mozillaIs".to_owned(), "theBest".to_owned());
|
||||||
|
cookie_pair.secure = true;
|
||||||
|
|
||||||
|
let cookie = Cookie::new_wrapped(
|
||||||
|
cookie_pair,
|
||||||
|
&cookie_url,
|
||||||
|
CookieSource::NonHTTP
|
||||||
|
).unwrap();
|
||||||
|
cookie_jar.push(cookie, CookieSource::HTTP);
|
||||||
|
}
|
||||||
|
|
||||||
|
let mut load_data = LoadData::new(LoadContext::Browsing, url, None);
|
||||||
|
load_data.data = Some(<[_]>::to_vec("Yay!".as_bytes()));
|
||||||
|
|
||||||
|
let mut headers = Headers::new();
|
||||||
|
headers.set_raw("Cookie".to_owned(), vec![<[_]>::to_vec("mozillaIs=theBest".as_bytes())]);
|
||||||
|
|
||||||
|
let _ = load::<AssertRequestMustIncludeHeaders>(
|
||||||
|
load_data.clone(), hsts_list, cookie_jar, None,
|
||||||
|
&AssertMustIncludeHeadersRequestFactory {
|
||||||
|
expected_headers: headers,
|
||||||
|
body: <[_]>::to_vec(&*load_data.data.unwrap())
|
||||||
|
}, DEFAULT_USER_AGENT.to_owned(), &CancellationListener::new(None));
|
||||||
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn test_load_sends_cookie_if_nonhttp() {
|
fn test_load_sends_cookie_if_nonhttp() {
|
||||||
let url = url!("http://mozilla.com");
|
let url = url!("http://mozilla.com");
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue