commit dac87dcf26778f497afbcd3706868b598be29564
author Joshua Bell <jsbell@chromium.org> Thu Apr 05 21:55:25 2018
committer Blink WPT Bot <blink-w3c-test-autoroller@chromium.org> Thu Apr 05 22:21:53 2018
tree b027306f39af489e1f19a838541995d6553c6fcd
parent e54fa9b4190db1c98fd2fb87ff869ba7991b337c

Cookie Store: disallow '=' in cookies with empty names

Per the explainer[1] and tests: "Cookies with an empty name cannot be
set using values containing = as this would result in ambiguous
serializations in the majority of current browsers."

Also, fix a test glitch now that this restriction is implemented.

[1] https://github.com/WICG/cookie-store/blob/gh-pages/explainer.md

Bug: 729800
Change-Id: I9ed02885c217cbdb4c86d8fd236d49c6c56b6e96
Reviewed-on: https://chromium-review.googlesource.com/994145
Commit-Queue: Joshua Bell <jsbell@chromium.org>
Reviewed-by: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#548563}

cookie-store/resources/no_name_equals_in_value.js

diff --git a/cookie-store/resources/no_name_equals_in_value.js b/cookie-store/resources/no_name_equals_in_value.js
index 3dc73e8..b6cfab5 100644
--- a/cookie-store/resources/no_name_equals_in_value.js
+++ b/cookie-store/resources/no_name_equals_in_value.js
@@ -3,10 +3,10 @@
 cookie_test(async t => {
   let eventPromise = observeNextCookieChangeEvent();
   await cookieStore.set('', 'first-value');
-  const actual1 =
-      (await cookieStore.getAll('')).map(({ value }) => value).join(';');
-  const expected1 = 'first-value';
-  assert_equals(actual1, expected1);
+  assert_equals(
+    (await cookieStore.getAll('')).map(({ value }) => value).join(';'),
+    'first-value',
+    'Cookie with no name and normal value should have been set');
   await verifyCookieChangeEvent(
     eventPromise, {changed: [{name: '', value: 'first-value'}]},
     'Observed no-name change');
@@ -16,31 +16,26 @@
     new TypeError(),
     cookieStore.set('', 'suspicious-value=resembles-name-and-value'),
     'Expected promise rejection when setting a cookie with' +
-      ' no name and "=" in value');
+      ' no name and "=" in value (via arguments)');
 
-  const actual2 =
-        (await cookieStore.getAll('')).map(({ value }) => value).join(';');
-  const expected2 = 'first-value';
-  assert_equals(actual2, expected2);
+  await promise_rejects(
+    t,
+    new TypeError(),
+    cookieStore.set(
+      {name: '', value: 'suspicious-value=resembles-name-and-value'}),
+    'Expected promise rejection when setting a cookie with' +
+      ' no name and "=" in value (via options)');
+
   assert_equals(
-    await getCookieString(),
+    (await cookieStore.getAll('')).map(({ value }) => value).join(';'),
     'first-value',
-    'Earlier cookie jar after rejected');
+    'Cookie with no name should still have previous value');
 
   eventPromise = observeNextCookieChangeEvent();
   await cookieStore.delete('');
   await verifyCookieChangeEvent(
-    eventPromise, {deleted: [{name: '', value: ''}]},
+    eventPromise, {deleted: [{name: ''}]},
     'Observed no-name deletion');
 
-  assert_equals(
-    await getCookieString(),
-    undefined,
-    'Empty cookie jar after cleanup');
-  assert_equals(
-    await getCookieStringHttp(),
-    undefined,
-    'Empty HTTP cookie jar after cleanup');
-
 }, "Verify that attempting to set a cookie with no name and with '=' in" +
              " the value does not work.");