[cookies] Correct utility function and tests #12835
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some tests which use the `credFetch` utility include assertions only for the absence of cookies. Because `fetch` does not reject the returned promise for valid HTTP responses outside of the 2XX range, these tests could be satisfied by querying non-existent URLs. This is not an issue in any existing tests, but it has the potential to hide problems in future patches. Update the `credFetch` function to report unsuccessful requests as failures.
The `cookie-helper.sub.js` utility script includes
`set_prefixed_cookie_via_http_test`, a function that defines sub-tests
using the `promise_test` API. Previously, it included the following
code:
promise_test(t => {
var postDelete = _ => {
// (elided)
};
if (!options.origin) {
return postDelete;
} else {
// (elided)
}
});
The `promise_test` function does not recognize return values which are
functions, so returning the `postDelete` method had no effect, and as a
result, the generated tests performed zero assertions. Because none of
the consumers of `set_prefixed_cookie_via_http_test` specified a value
for the `origin` option, all invocations were effected by this bug.
Correcting the problem surfaced a number of errors in the tests. In the
interest of atomicity, this patch attempts to address them all:
- The logic intended to defensively remove cookies prior to testing was
implemented using `document.cookie`. Because some tests create cookies
which include the `HttpOnly` attribute, the DOM API cannot remove
cookies in all cases. This patch refactors the solution to remove
such cookies via an HTTP request. It also assumes the environment is
initially clean and instead expresses the concern via an asynchronous
"cleanup" function. (This change necessitated an extension to the
`set.py` script so that it could be used to expire cookies.)
- The test name `__secure.header.html` incorrectly asserted that a
cookie set with the `Secure` attribute could be observed in a
non-secure context. This patch corrects the expectation.
- The test named `__secure.header.https.html` incorrectly asserted that
a cookie set with a foreign `Origin` attribute could be observed from
the current origin. This patch corrects the expectation.
mikewest
approved these changes
Sep 5, 2018
jugglinmike
added a commit
to bocoup/wpt
that referenced
this pull request
Sep 7, 2018
Previously, tests defined via the `promise_test` API would fail immediately if their body returned the value `undefined`. The tests would *not* fail if they returned any other value. Because the motivation for using `promise_test` is to track resolution with a "thenable" value (i.e. an object with a "then" method), this was overly permissive and allowed contributors to write tests which spuriously passed [1]. Update testharness.js to enforce more stringent criteria on the value return by `promise_test` bodies: that it is a "thenable" value. This change is incompatible with an exiting functional test, but it does not effect any tests in WPT (as verified by a survey using both the Chrome and Firefox browsers). Update the functional test accordingly. [1] web-platform-tests#12835
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
cookie-helper.sub.jsutility script includesset_prefixed_cookie_via_http_test, a function that defines sub-testsusing the
promise_testAPI. Previously, it included the followingcode:
The
promise_testfunction does not recognize return values which arefunctions, so returning the
postDeletemethod had no effect, and as aresult, the generated tests performed zero assertions. Because none of
the consumers of
set_prefixed_cookie_via_http_testspecified a valuefor the
originoption, all invocations were effected by this bug.Correcting the problem surfaced a number of errors in the tests. In the
interest of atomicity, this patch attempts to address them all:
implemented using
document.cookie. Because some tests create cookieswhich include the
HttpOnlyattribute, the DOM API cannot removecookies in all cases. This patch refactors the solution to remove
such cookies via an HTTP request. It also assumes the environment is
initially clean and instead expresses the concern via an asynchronous
"cleanup" function. (This change necessitated an extension to the
set.pyscript so that it could be used to expire cookies.)__secure.header.htmlincorrectly asserted that acookie set with the
Secureattribute could be observed in anon-secure context. This patch corrects the expectation.
__secure.header.https.htmlincorrectly asserted thata cookie set with a foreign
Originattribute could be observed fromthe current origin. This patch corrects the expectation.
This patch does not affect the test results in Firefox or Chrome. The commands:
...both continue to report the following: