1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
2 
3 #include "test-utils.h"
4 
/*
 * Per-test state for the SameSite cookie visibility checks.
 *
 * same_site_setup() fills in the URIs and the jar, same_site_test()
 * stores the query result in `cookies`, and same_site_teardown()
 * releases all of it.
 */
typedef struct {
	/* URI the cookies are stored for (http://127.0.0.1 in setup). */
	SoupURI *origin_uri;
	/* A different host (http://localhost in setup) used as the cross-site top level. */
	SoupURI *cross_uri;
	/* Jar holding one cookie per SameSite policy. */
	SoupCookieJar *jar;
	/* Cookies returned by the query under test; freed in teardown. */
	GSList *cookies;
} SameSiteFixture;
11 
/*
 * Fixture setup: build the two URIs and a jar containing three cookies
 * for 127.0.0.1 that differ only in their SameSite policy.
 *
 * The "none" cookie keeps whatever policy soup_cookie_new() assigns; the
 * expected counts in assert_highest_policy_visible() treat it as
 * SOUP_SAME_SITE_POLICY_NONE.
 *
 * The cookies are not freed here.
 * NOTE(review): presumably the jar takes ownership on add; confirm
 * against the libsoup documentation.
 */
static void
same_site_setup (SameSiteFixture *fixture,
                 gconstpointer    data)
{
	SoupCookie *plain, *lax, *strict;

	fixture->jar = soup_cookie_jar_new ();
	fixture->origin_uri = soup_uri_new ("http://127.0.0.1");
	fixture->cross_uri = soup_uri_new ("http://localhost");

	/* No explicit policy: this is the cookie every context should see. */
	plain = soup_cookie_new ("none", "1", "127.0.0.1", "/", 1000);
	soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, plain);

	/* Lax: expected only for same-site contexts and some top-level navigations. */
	lax = soup_cookie_new ("lax", "1", "127.0.0.1", "/", 1000);
	soup_cookie_set_same_site_policy (lax, SOUP_SAME_SITE_POLICY_LAX);
	soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, lax);

	/* Strict: expected only when the request context is same-site. */
	strict = soup_cookie_new ("strict", "1", "127.0.0.1", "/", 1000);
	soup_cookie_set_same_site_policy (strict, SOUP_SAME_SITE_POLICY_STRICT);
	soup_cookie_jar_add_cookie_with_first_party (fixture->jar, fixture->origin_uri, strict);
}
32 
/*
 * Fixture teardown: drop the jar reference, free both URIs, and free the
 * cookie list produced by the test together with every cookie in it.
 */
static void
same_site_teardown (SameSiteFixture *fixture,
                    gconstpointer    data)
{
	/* soup_cookie_free() is applied to each list element before the list is freed. */
	GDestroyNotify free_cookie = (GDestroyNotify) soup_cookie_free;

	g_object_unref (fixture->jar);
	soup_uri_free (fixture->origin_uri);
	soup_uri_free (fixture->cross_uri);
	g_slist_free_full (fixture->cookies, free_cookie);
}
42 
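/*
 * Assert that `cookies` contains exactly the cookies a context limited to
 * `policy` is allowed to see.
 *
 * Two properties are checked:
 *  - no returned cookie has a SameSite policy above `policy`; a cookie
 *    that is too strict for the context showing up here would mean the
 *    jar exposes it where SameSite is supposed to withhold it;
 *  - the number of cookies matches the fixture, which holds one cookie
 *    per policy: 3 for STRICT, 2 for LAX, 1 for NONE.
 *
 * The `<=` comparison relies on the enum values being ordered
 * NONE < LAX < STRICT.
 *
 * @cookies: list of SoupCookie returned by the jar (may be NULL/empty).
 * @policy:  strictest policy that is expected to be visible.
 */
static void
assert_highest_policy_visible (GSList *cookies, SoupSameSitePolicy policy)
{
	GSList *l;
	/* Initialised so the final comparison never reads an indeterminate
	 * value, even in a build where g_assert_not_reached() is compiled out. */
	size_t size = 0, expected_count = 0;

	for (l = cookies; l; l = l->next) {
		g_assert_cmpint (soup_cookie_get_same_site_policy (l->data), <=, policy);
		++size;
	}

	switch (policy) {
	case SOUP_SAME_SITE_POLICY_STRICT:
		expected_count = 3;
		break;
	case SOUP_SAME_SITE_POLICY_LAX:
		expected_count = 2;
		break;
	case SOUP_SAME_SITE_POLICY_NONE:
		expected_count = 1;
		break;
	default:
		/* A table entry with a policy this helper does not know must
		 * fail loudly instead of being compared against garbage. */
		g_assert_not_reached ();
	}

	g_assert_cmpuint (size, ==, expected_count);
}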
67 
/*
 * One row of the SameSite test table: the request context to simulate
 * and the strictest cookie policy that should be visible in it.
 * Flags left out of an initializer are FALSE.
 */
typedef struct {
	/* GTest path the case is registered under. */
	const char *name;
	/* TRUE: the top-level URI is the fixture's cross_uri instead of origin_uri. */
	gboolean cross_origin;
	/* TRUE: origin_uri is passed as the cookie URI argument; FALSE passes NULL. */
	gboolean cookie_uri_is_origin;
	/* Passed through unchanged as the top-level-navigation flag. */
	gboolean top_level_nav;
	/* TRUE: the query is made as a non-HTTP (script) access. */
	gboolean javascript;
	/* TRUE: the request method is treated as unsafe. */
	gboolean unsafe_method;
	/* Strictest SameSite policy expected among the returned cookies. */
	SoupSameSitePolicy visible_policy;
} SameSiteTest;
77 
/*
 * Run one table entry: query the jar for cookies of origin_uri in the
 * context described by `user_data` (a SameSiteTest) and check that only
 * the expected policies are visible.
 *
 * The result is stored in fixture->cookies so that teardown frees it.
 */
static void
same_site_test (SameSiteFixture *fixture, gconstpointer user_data)
{
	const SameSiteTest *test = user_data;
	/* Top-level document: the other host for cross-site cases. */
	SoupURI *top_level = test->cross_origin ? fixture->cross_uri : fixture->origin_uri;
	/* Cookie URI argument: only supplied when the case asks for it. */
	SoupURI *site_for_cookies = test->cookie_uri_is_origin ? fixture->origin_uri : NULL;
	/* The table stores the negated form of both of these flags. */
	gboolean for_http = !test->javascript;
	gboolean safe_method = !test->unsafe_method;

	fixture->cookies = soup_cookie_jar_get_cookie_list_with_same_site_info (fixture->jar,
	                                                                        fixture->origin_uri,
	                                                                        top_level,
	                                                                        site_for_cookies,
	                                                                        for_http,
	                                                                        safe_method,
	                                                                        test->top_level_nav);

	assert_highest_policy_visible (fixture->cookies, test->visible_policy);
}
90 
/*
 * Register one GTest case per table row and run them.
 *
 * Each row is handed to same_site_test() as its user data, with
 * same_site_setup()/same_site_teardown() as the fixture hooks. The table
 * is a local of main(), which outlives g_test_run().
 */
int
main (int argc, char **argv)
{
	int ret;
	gsize idx;
	SameSiteTest same_site_tests[] = {
		/* Not every flag combination is listed; some never occur in real use. */

		/* Contexts in which Strict (and therefore all three) cookies are visible: */
		{ .name = "/same-site/basic", .visible_policy = SOUP_SAME_SITE_POLICY_STRICT },
		{ .name = "/same-site/basic-js", .javascript = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_STRICT },
		{ .name = "/same-site/top-level-to-same-site", .top_level_nav = TRUE, .cookie_uri_is_origin = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_STRICT },
		{ .name = "/same-site/top-level-to-same-site-js", .top_level_nav = TRUE, .cookie_uri_is_origin = TRUE, .javascript = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_STRICT },
		{ .name = "/same-site/unsafe-method", .unsafe_method = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_STRICT },
		{ .name = "/same-site/unsafe-method-js", .unsafe_method = TRUE, .javascript = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_STRICT },
		{ .name = "/same-site/cross-top-level-to-same-site", .cross_origin = TRUE, .top_level_nav = TRUE, .cookie_uri_is_origin = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_STRICT },
		{ .name = "/same-site/cross-top-level-to-same-site-js", .cross_origin = TRUE, .javascript = TRUE, .top_level_nav = TRUE, .cookie_uri_is_origin = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_STRICT },

		/* Contexts in which Lax is the strictest visible policy: */
		{ .name = "/same-site/top-level", .top_level_nav = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_LAX },
		{ .name = "/same-site/top-level-js", .top_level_nav = TRUE, .javascript = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_LAX },
		{ .name = "/same-site/cross-top-level", .cross_origin = TRUE, .top_level_nav = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_LAX },
		{ .name = "/same-site/cross-top-level-js", .cross_origin = TRUE, .javascript = TRUE, .top_level_nav = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_LAX },
		/* NOTE(review): the script variant of the cross-site unsafe top-level case
		 * expects Lax, while the HTTP variant in the next group expects none;
		 * confirm this difference is the intended policy. */
		{ .name = "/same-site/cross-unsafe-method-top-level-js", .cross_origin = TRUE, .javascript = TRUE, .unsafe_method = TRUE, .top_level_nav = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_LAX },

		/* Contexts in which every SameSite-restricted cookie is withheld: */
		{ .name = "/same-site/cross-basic", .cross_origin = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_NONE },
		{ .name = "/same-site/cross-basic-js", .cross_origin = TRUE, .javascript = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_NONE },
		{ .name = "/same-site/cross-unsafe-method", .cross_origin = TRUE, .unsafe_method = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_NONE },
		{ .name = "/same-site/cross-unsafe-method-js", .cross_origin = TRUE, .javascript = TRUE, .unsafe_method = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_NONE },
		{ .name = "/same-site/cross-unsafe-method-top-level", .cross_origin = TRUE, .unsafe_method = TRUE, .top_level_nav = TRUE, .visible_policy = SOUP_SAME_SITE_POLICY_NONE },
	};

	test_init (argc, argv, NULL);

	for (idx = 0; idx < G_N_ELEMENTS (same_site_tests); idx++) {
		SameSiteTest *entry = &same_site_tests[idx];

		g_test_add (entry->name, SameSiteFixture, entry,
		            same_site_setup, same_site_test, same_site_teardown);
	}

	ret = g_test_run ();
	test_cleanup ();

	return ret;
}