Fix handling of __Secure- and __Host- Cookie prefixes (#33717)

* Make checking for cookie prefixes case-insensitive

Cookie-Prefixes like "__Host-" and "__Secure-" are case insensitive
as per https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-15.html#name-storage-model.

This is tested by many WPT tests in cookies/prefix, for example
* cookies/prefix/__host.document-cookie.html
* cookies/prefix/__host.document-cookie.https.html

Since the implementation and the specification had diverged quite
significantly I also updated/added spec comments where appropriate
and slightly restructured code so it's easier to follow. However,
the only change in behaviour is the prefix check described above.

Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>

* Update WPT expectations

Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>

* Remove unused import

Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>

* Fix cookie test cases

Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>

* Fix ignore cookie with __Host prefix and no specified path attribute

Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>

* Fix another cookie test case

Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>

---------

Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
Simon Wülker 2024-10-09 06:52:48 +02:00 committed by GitHub
parent a2b27012a5
commit ff6523c37e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 151 additions and 159 deletions


@ -79,13 +79,17 @@ fn fn_cookie_constructor() {
assert!(ServoCookie::new_wrapped(cookie, url, CookieSource::HTTP).is_none());
let cookie = cookie::Cookie::parse(" baz = bar ; Secure; Path = /foo/bar/").unwrap();
assert!(ServoCookie::new_wrapped(cookie, url, CookieSource::HTTP).is_some());
assert!(
ServoCookie::new_wrapped(cookie, url, CookieSource::HTTP).is_none(),
"Cookie with \"Secure\" attribute from non-secure source should be rejected"
);
let cookie = cookie::Cookie::parse(" baz = bar ; HttpOnly").unwrap();
assert!(ServoCookie::new_wrapped(cookie, url, CookieSource::NonHTTP).is_none());
let secure_url = &ServoUrl::parse("https://example.com/foo").unwrap();
let cookie = cookie::Cookie::parse(" baz = bar ; Secure; Path = /foo/bar/").unwrap();
let cookie = ServoCookie::new_wrapped(cookie, url, CookieSource::HTTP).unwrap();
let cookie = ServoCookie::new_wrapped(cookie, secure_url, CookieSource::HTTP).unwrap();
assert_eq!(cookie.cookie.value(), "bar");
assert_eq!(cookie.cookie.name(), "baz");
assert!(cookie.cookie.secure().unwrap_or(false));
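Review bot: the expectation for `" baz = bar ; Secure; Path = /foo/bar/"` constructed against the non-secure `url` flips from `is_some()` to `is_none()`, which reads as a behaviour change in how the `Secure` attribute is handled, while the commit message states that the only behaviour change is the case-insensitive prefix check. Please either note the `Secure`-from-non-secure-origin rejection in the commit message or confirm that the old assertion was simply wrong. The failure message on the new assertion is helpful; the neighbouring bare assertions (for example the `HttpOnly` cookie from `CookieSource::NonHTTP`) would benefit from the same. The visible lines of this hunk also add no case that exercises a mixed-case prefix, such as a cookie named with a lower-case `__secure-` or `__host-`, against both `url` and the new `secure_url`; if this unit test does not cover that elsewhere, a pair of assertions here would pin the fix independently of the WPT expectations.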