tests/test_cookiejar.py: add test #5652
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In accordance with #5571, this commit adds a test to ensure secure cookies are not filtered from an unsafe cookiejar when given an unsecured endpoint. Rationale: According to Mozilla documentation: > A cookie with the Secure attribute is sent to the server only with an > encrypted request over the HTTPS protocol, never with unsecured HTTP > (except on localhost), and therefore can't easily be accessed by a > man-in-the-middle attacker. Insecure sites (with http: in the URL) can't > set cookies with the Secure attribute Note the "(except on localhost)". In addition, RFC 6265 section-4.1.2.5 states: > The Secure attribute limits the scope of the cookie to "secure" > channels (where "secure" is defined by the user agent). When a > cookie has the Secure attribute, the user agent will include the > cookie in an HTTP request only if the request is transmitted over a > secure channel (typically HTTP over Transport Layer Security (TLS) > [RFC2818]). > Although seemingly useful for protecting cookies from active network > attackers, the Secure attribute protects only the cookie's > confidentiality Note "(where "secure" is defined by the user agent)". The behaviour this commit tests for is therefore an engineer's decision, not an IETF standard.
| @@ -756,3 +756,36 @@ async def test_cookie_jar_clear_domain() -> None: | |||
| assert morsel.value == "bar" | |||
| with pytest.raises(StopIteration): | |||
| next(iterator) | |||
|
|
|||
|
|
|||
| async def test_secure_cookie_not_filtered_from_unsafe_cookiejar_when_given_unsecured_endpoint() -> None: | |||
There was a problem hiding this comment.
I chose the word unsecured as it has the following meaning, which insecure seems not to
not made secure or safe.
Just letting you know that it was intentional :)
There was a problem hiding this comment.
Yeah, but insecure is more standard. insecure means not secure, liable to risk or danger. HTTP connections are inherently insecure, not just unsecured.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What do these changes do?
In accordance with #5571, this
commit adds a test to ensure secure cookies are not filtered from an unsafe
cookiejar when given an unsecured endpoint.
Rationale:
According to Mozilla documentation:
Note the "(except on localhost)". In addition, RFC 6265 section-4.1.2.5 states:
Note "(where "secure" is defined by the user agent)". The behaviour
this commit tests for is therefore an engineer's decision, not an IETF
standard.
Are there changes in behavior for the user?
An addition to the test suite, adding a failing test
Related issue number
#5571
Checklist
CONTRIBUTORS.txtCHANGESfolder<issue_id>.<type>for example (588.bugfix)issue_idchange it to the pr id after creating the pr.feature: Signifying a new feature..bugfix: Signifying a bug fix..doc: Signifying a documentation improvement..removal: Signifying a deprecation or removal of public API..misc: A ticket has been closed, but it is not of interest to users.