Merge pull request #1905 from fmarier/issue3443
Set a limit on cookie expiration (fixes brave/brave-browser#3443)
fmarier authored Mar 14, 2019
2 parents 02bc956 + 4d222df commit 4ffe50d
Showing 4 changed files with 144 additions and 0 deletions.
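--- a/chromium_src/net/cookies/brave_canonical_cookie_unittest.cc
+++ b/chromium_src/net/cookies/brave_canonical_cookie_unittest.cc
@@ -0,0 +1,97 @@
+/* Copyright (c) 2019 The Brave Authors. All rights reserved.
+* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this file,
+* You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "net/cookies/canonical_cookie.h"
+
+#include "net/cookies/cookie_constants.h"
+#include "net/cookies/cookie_options.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
+
+static const std::string cookie_line1 =
+"test1=yes; expires=Fri, 31 Dec 9999 23:59:59 GMT";
+static const std::string cookie_line2 =
+"test2=yes; max-age=630720000"; // 20 years
+static const std::string cookie_line3 =
+"test3=yes; max-age=630720000; expires=Fri, 31 Dec 9999 23:59:59 GMT";
+static const std::string cookie_line4 =
+"test4=yes; max-age=172800"; // 2 days
+static const std::string cookie_line5 =
+"test5=yes; httponly; expires=Fri, 31 Dec 9999 23:59:59 GMT";
+
+namespace net {
+
+TEST(BraveCanonicalCookieTest, ClientSide) {
+using base::TimeDelta;
+
+GURL url("https://www.example.com/test");
+base::Time creation_time = base::Time::Now();
+CookieOptions options;
+
+std::unique_ptr<CanonicalCookie> cookie(
+CanonicalCookie::Create(url, cookie_line1, creation_time, options));
+EXPECT_TRUE(cookie.get());
+EXPECT_LT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(8));
+EXPECT_GT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(6));
+
+cookie = CanonicalCookie::Create(url, cookie_line2, creation_time, options);
+EXPECT_TRUE(cookie.get());
+EXPECT_LT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(8));
+EXPECT_GT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(6));
+
+cookie = CanonicalCookie::Create(url, cookie_line3, creation_time, options);
+EXPECT_TRUE(cookie.get());
+EXPECT_LT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(8));
+EXPECT_GT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(6));
+
+// Short-lived cookies get to keep their shorter expiration.
+cookie = CanonicalCookie::Create(url, cookie_line4, creation_time, options);
+EXPECT_TRUE(cookie.get());
+EXPECT_LT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(3));
+EXPECT_GT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(1));
+
+// Cookies with 'httponly' can't be set using the document.cookie API.
+cookie = CanonicalCookie::Create(url, cookie_line5, creation_time, options);
+EXPECT_FALSE(cookie.get());
+}
+
+TEST(BraveCanonicalCookieTest, ServerSide) {
+using base::TimeDelta;
+
+GURL url("https://www.example.com/test");
+base::Time creation_time = base::Time::Now();
+CookieOptions options;
+options.set_include_httponly();
+
+std::unique_ptr<CanonicalCookie> cookie(
+CanonicalCookie::Create(url, cookie_line1, creation_time, options));
+EXPECT_TRUE(cookie.get());
+EXPECT_LT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(30*7));
+EXPECT_GT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(30*5));
+
+cookie = CanonicalCookie::Create(url, cookie_line2, creation_time, options);
+EXPECT_TRUE(cookie.get());
+EXPECT_LT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(30*7));
+EXPECT_GT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(30*5));
+
+cookie = CanonicalCookie::Create(url, cookie_line3, creation_time, options);
+EXPECT_TRUE(cookie.get());
+EXPECT_LT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(30*7));
+EXPECT_GT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(30*5));
+
+// Short-lived cookies get to keep their shorter expiration.
+cookie = CanonicalCookie::Create(url, cookie_line4, creation_time, options);
+EXPECT_TRUE(cookie.get());
+EXPECT_LT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(3));
+EXPECT_GT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(1));
+
+// HTTP cookies with 'httponly' work as expected.
+cookie = CanonicalCookie::Create(url, cookie_line5, creation_time, options);
+EXPECT_TRUE(cookie.get());
+EXPECT_LT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(30*7));
+EXPECT_GT(cookie->ExpiryDate(), creation_time + TimeDelta::FromDays(30*5));
+}
+
+} // namespace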
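Review bot: Neither test covers a cookie with no `expires` or `max-age`, which is the one case where the new clamp meets a null expiry; the `std::min` in `BraveCanonExpiration` should leave such a cookie as a session cookie, but nothing here pins that down. A case such as `cookie = CanonicalCookie::Create(url, "test6=yes", creation_time, options); EXPECT_TRUE(cookie.get()); EXPECT_FALSE(cookie->IsPersistent());` in both `ClientSide` and `ServerSide` would catch a regression that turned session cookies into 7-day or 6-month ones. The bracketing checks with `TimeDelta::FromDays(8)`/`FromDays(6)` are also loose enough to hide an off-by-a-day: since `creation_time` is fixed and the input expiries are far in the future, the clamped value should be exactly `creation_time + TimeDelta::FromDays(7)` on the client side (and `FromDays(30*6)` on the server side), so `EXPECT_EQ` would be both tighter and simpler for the first three cookies.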
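--- a/chromium_src/net/cookies/canonical_cookie.cc
+++ b/chromium_src/net/cookies/canonical_cookie.cc
@@ -0,0 +1,28 @@
+/* Copyright (c) 2019 The Brave Authors. All rights reserved.
+* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this file,
+* You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "net/cookies/canonical_cookie.h"
+#include "net/cookies/parsed_cookie.h"
+
+namespace {
+
+const base::TimeDelta kMaxClientSideExpiration = base::TimeDelta::FromDays(7);
+const base::TimeDelta kMaxServerSideExpiration =
+base::TimeDelta::FromDays(30*6); // 6 months
+
+base::Time BraveCanonExpiration(const net::ParsedCookie& pc,
+const base::Time& current,
+const base::Time& server_time,
+const bool is_from_http) {
+const base::Time max_expiration = current +
+(is_from_http ? kMaxServerSideExpiration : kMaxClientSideExpiration);
+
+return std::min(net::CanonicalCookie::CanonExpiration(pc, current, server_time),
+max_expiration);
+}
+
+} // namespace
+
+#include "../../../../net/cookies/canonical_cookie.cc"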
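Review bot: `BraveCanonExpiration` uses `std::min` but this file never includes `<algorithm>`; the name is only in scope through whatever the two net headers pull in transitively, so add `#include <algorithm>` above them rather than depend on that. The clamp also rests on a property that is not stated anywhere: `CanonExpiration` returns a null `base::Time` for a session cookie and, as far as I can tell, a null time compares less than any real expiry, so `std::min` preserves session cookies only by that accident of representation — a comment on the `return` such as `// A null (session-cookie) expiry sorts below any real time, so it is kept as-is.` would make the intent checkable. A short header comment on the function saying that it caps the expiry at 7 days for cookies not set over HTTP and 6 months otherwise would spare readers from reconstructing it from the two constants.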
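--- a/patches/net-cookies-canonical_cookie.cc.patch
+++ b/patches/net-cookies-canonical_cookie.cc.patch
@@ -0,0 +1,18 @@
+diff --git a/net/cookies/canonical_cookie.cc b/net/cookies/canonical_cookie.cc
+index 91611ac4171c19a031044ae6b1459acce246d427..c0636088e332f61c9ee8e6ed07f210fa8e47de58 100644
+--- a/net/cookies/canonical_cookie.cc
++++ b/net/cookies/canonical_cookie.cc
+@@ -228,9 +228,10 @@ std::unique_ptr<CanonicalCookie> CanonicalCookie::Create(
+server_time = options.server_time();
+
+DCHECK(!creation_time.is_null());
+- Time cookie_expires = CanonicalCookie::CanonExpiration(parsed_cookie,
+- creation_time,
+- server_time);
++ Time cookie_expires = BraveCanonExpiration(parsed_cookie,
++ creation_time,
++ server_time,
++ !options.exclude_httponly());
+
+CookiePrefix prefix = GetCookiePrefix(parsed_cookie.Name());
+bool is_cookie_valid = IsCookiePrefixValid(prefix, url, parsed_cookie);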
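Review bot: The fourth argument `!options.exclude_httponly()` is being used to mean "this cookie arrived in an HTTP response", but `CookieOptions` only records whether httponly cookies are acceptable to the caller, so any non-script caller that calls `set_include_httponly()` (if such a caller exists in this tree) would receive the 6-month server-side cap rather than the 7-day client-side one. If that is the intended trade-off, the call site should say so, e.g. `// Any caller permitted to set httponly cookies is treated as an HTTP response.`; if not, the source of the cookie needs to be passed explicitly rather than inferred from this option. The enclosing `CanonicalCookie::Create` begins and ends outside this hunk.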
1 change: 1 addition & 0 deletions test/BUILD.gn
Expand Up @@ -68,6 +68,7 @@ test("brave_unit_tests") {
"//brave/chromium_src/components/search_engines/brave_template_url_prepopulate_data_unittest.cc",
"//brave/chromium_src/components/search_engines/brave_template_url_service_util_unittest.cc",
"//brave/chromium_src/components/version_info/brave_version_info_unittest.cc",
"//brave/chromium_src/net/cookies/brave_canonical_cookie_unittest.cc",
"//brave/common/brave_content_client_unittest.cc",
"//brave/common/importer/brave_mock_importer_bridge.cc",
"//brave/common/importer/brave_mock_importer_bridge.h",
