author | Daniel Gustafsson <daniel@yesql.se> | 2018-12-13 09:57:58 +0100 |
committer | Daniel Gustafsson <daniel@yesql.se> | 2018-12-13 09:57:58 +0100 |
commit | 7a09b52c98ac8d840a8a9907b1a1d9a9e684bcf5 (patch) | |
tree | 65ff353305bd1d837519f292bf934a498ae4ed13 /tests/data/test1561 | |
parent | fdc5563b6e80bcdda89d68705cb5488ecc3a48ce (diff) |
cookies: leave secure cookies alone
Only allow secure origins to be able to write cookies with the
'secure' flag set. This reduces the risk of non-secure origins
influencing the state of secure origins. This implements IETF
Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates
RFC6265.
Closes #2956
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Diffstat (limited to 'tests/data/test1561')
-rw-r--r-- | tests/data/test1561 | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/tests/data/test1561 b/tests/data/test1561
new file mode 100644
index 000000000..356dc94e4
--- /dev/null
+++ b/tests/data/test1561
@@ -0,0 +1,86 @@
+<testcase>
+<info>
+<keywords>
+HTTPS
+HTTP
+HTTP GET
+cookies
+cookiejar
+HTTP replaced headers
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data1>
+HTTP/1.1 200 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Set-Cookie: super=secret; domain=example.com; path=/1561; secure;
+Set-Cookie: supersuper=secret; domain=example.com; path=/1561/login/; secure;
+Content-Length: 7
+
+nomnom
+</data1>
+<data2>
+HTTP/1.1 200 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Set-Cookie: super=secret; domain=example.com; path=/1561; httponly;
+Set-Cookie: super=secret; domain=example.com; path=/1561/; httponly;
+Set-Cookie: super=secret; domain=example.com; path=/15; httponly;
+Set-Cookie: public=yes; domain=example.com; path=/foo;
+Set-Cookie: supersuper=secret; domain=example.com; path=/1561/login/en;
+Set-Cookie: supersuper=secret; domain=example.com; path=/1561/login;
+Set-Cookie: secureoverhttp=yes; domain=example.com; path=/1561; secure;
+Content-Length: 7
+
+nomnom
+</data2>
+</reply>
+
+# Client-side
+<client>
+<features>
+SSL
+</features>
+<server>
+http
+https
+</server>
+<name>
+HTTP
+</name>
+<command>
+-k https://%HOSTIP:%HTTPSPORT/15610001 -L -c log/jar1561.txt -H "Host: www.example.com" http://%HOSTIP:%HTTPPORT/15610002 -L -c log/jar1561.txt -H "Host: www.example.com"
+</command>
+</client>
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET /15610001 HTTP/1.1
+Host: www.example.com
+User-Agent: curl/7.62.0-DEV
+Accept: */*
+
+GET /15610002 HTTP/1.1
+Host: www.example.com
+User-Agent: curl/7.62.0-DEV
+Accept: */*
+
+</protocol>
+<file name="log/jar1561.txt" mode="text">
+# Netscape HTTP Cookie File
+# https://curl.haxx.se/docs/http-cookies.html
+# This file was generated by libcurl! Edit at your own risk.
+
+.example.com TRUE /foo FALSE 0 public yes
+.example.com TRUE /1561/login/ TRUE 0 supersuper secret
+#HttpOnly_.example.com TRUE /15 FALSE 0 super secret
+</file>
+
+</verify>
+
+</testcase>
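Review bot: The expected cookie jar at the end of the hunk keeps `super` only at path `/15` and contains neither the secure `super` at `/1561` from the HTTPS response nor any of the `supersuper` or `secureoverhttp` cookies set over plain HTTP, yet nothing in the file says which rule of draft-ietf-httpbis-cookie-alone-01 (named only in the commit message) produces each outcome, so a later change to path matching or replacement order could alter the jar without a reader knowing whether that is a regression. A comment above `<data2>` such as `# Over plain http: a 'secure' cookie must be rejected, and a same-name cookie whose path matches an existing secure cookie must be ignored (draft-ietf-httpbis-cookie-alone-01)` would document the intent next to the data. The `<name>` element is just `HTTP`, which does not identify the case; something like `secure cookies set from non-secure origins are left alone` would match the commit title. Whether the `/15` cookie is meant to coexist with or replace the secure `/1561` cookie is not stated and is worth spelling out in that comment.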