Cookie Store: disallow '=' in cookies with empty names
Per the explainer[1] and tests: "Cookies with an empty name cannot be
set using values containing = as this would result in ambiguous
serializations in the majority of current browsers."
Also, fix a test glitch now that this restriction is implemented.
[1] https://github.com/WICG/cookie-store/blob/gh-pages/explainer.md
Bug: 729800
Change-Id: I9ed02885c217cbdb4c86d8fd236d49c6c56b6e96
Reviewed-on: https://chromium-review.googlesource.com/994145
Commit-Queue: Joshua Bell <jsbell@chromium.org>
Reviewed-by: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#548563}
diff --git a/cookie-store/resources/no_name_equals_in_value.js b/cookie-store/resources/no_name_equals_in_value.js
index 3dc73e8..b6cfab5 100644
--- a/cookie-store/resources/no_name_equals_in_value.js
+++ b/cookie-store/resources/no_name_equals_in_value.js
@@ -3,10 +3,10 @@
cookie_test(async t => {
let eventPromise = observeNextCookieChangeEvent();
await cookieStore.set('', 'first-value');
- const actual1 =
- (await cookieStore.getAll('')).map(({ value }) => value).join(';');
- const expected1 = 'first-value';
- assert_equals(actual1, expected1);
+ assert_equals(
+ (await cookieStore.getAll('')).map(({ value }) => value).join(';'),
+ 'first-value',
+ 'Cookie with no name and normal value should have been set');
await verifyCookieChangeEvent(
eventPromise, {changed: [{name: '', value: 'first-value'}]},
'Observed no-name change');
@@ -16,31 +16,26 @@
new TypeError(),
cookieStore.set('', 'suspicious-value=resembles-name-and-value'),
'Expected promise rejection when setting a cookie with' +
- ' no name and "=" in value');
+ ' no name and "=" in value (via arguments)');
- const actual2 =
- (await cookieStore.getAll('')).map(({ value }) => value).join(';');
- const expected2 = 'first-value';
- assert_equals(actual2, expected2);
+ await promise_rejects(
+ t,
+ new TypeError(),
+ cookieStore.set(
+ {name: '', value: 'suspicious-value=resembles-name-and-value'}),
+ 'Expected promise rejection when setting a cookie with' +
+ ' no name and "=" in value (via options)');
+
assert_equals(
- await getCookieString(),
+ (await cookieStore.getAll('')).map(({ value }) => value).join(';'),
'first-value',
- 'Earlier cookie jar after rejected');
+ 'Cookie with no name should still have previous value');
eventPromise = observeNextCookieChangeEvent();
await cookieStore.delete('');
await verifyCookieChangeEvent(
- eventPromise, {deleted: [{name: '', value: ''}]},
+ eventPromise, {deleted: [{name: ''}]},
'Observed no-name deletion');
- assert_equals(
- await getCookieString(),
- undefined,
- 'Empty cookie jar after cleanup');
- assert_equals(
- await getCookieStringHttp(),
- undefined,
- 'Empty HTTP cookie jar after cleanup');
-
}, "Verify that attempting to set a cookie with no name and with '=' in" +
" the value does not work.");