Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tests/test_cookiejar.py: add test #5652

Closed
wants to merge 1 commit into from
Closed

tests/test_cookiejar.py: add test #5652

wants to merge 1 commit into from

Conversation

DanielDewberry
Copy link

What do these changes do?

In accordance with #5571, this
commit adds a test to ensure secure cookies are not filtered from an unsafe
cookiejar when given an unsecured endpoint.

Rationale:

According to Mozilla documentation:

A cookie with the Secure attribute is sent to the server only with an
encrypted request over the HTTPS protocol, never with unsecured HTTP
(except on localhost), and therefore can't easily be accessed by a
man-in-the-middle attacker. Insecure sites (with http: in the URL) can't
set cookies with the Secure attribute

Note the "(except on localhost)". In addition, RFC 6265 section-4.1.2.5 states:

The Secure attribute limits the scope of the cookie to "secure"
channels (where "secure" is defined by the user agent). When a
cookie has the Secure attribute, the user agent will include the
cookie in an HTTP request only if the request is transmitted over a
secure channel (typically HTTP over Transport Layer Security (TLS)
[RFC2818]).
Although seemingly useful for protecting cookies from active network
attackers, the Secure attribute protects only the cookie's
confidentiality

Note "(where "secure" is defined by the user agent)". The behaviour
this commit tests for is therefore an engineer's decision, not an IETF
standard.

Are there changes in behavior for the user?

An addition to the test suite, adding a failing test

Related issue number

#5571

Checklist

  • I think the code is well written
  • Unit tests for the changes exist
  • Documentation reflects the changes
  • If you provide code modification, please add yourself to CONTRIBUTORS.txt
    • The format is <Name> <Surname>.
    • Please keep alphabetical order, the file is sorted by names.
  • Add a new news fragment into the CHANGES folder
    • name it <issue_id>.<type> for example (588.bugfix)
    • if you don't have an issue_id change it to the pr id after creating the pr
    • ensure type is one of the following:
      • .feature: Signifying a new feature.
      • .bugfix: Signifying a bug fix.
      • .doc: Signifying a documentation improvement.
      • .removal: Signifying a deprecation or removal of public API.
      • .misc: A ticket has been closed, but it is not of interest to users.
    • Make sure to use full sentences with correct case and punctuation, for example: "Fix issue with non-ascii contents in doctest text files."

@DanielDewberry
tests/test_cookiejar.py: add test
52f9d92 
In accordance with #5571, this
commit adds a test to ensure secure cookies are not filtered from an unsafe
cookiejar when given an unsecured endpoint.

Rationale:

According to Mozilla documentation:
> A cookie with the Secure attribute is sent to the server only with an
> encrypted request over the HTTPS protocol, never with unsecured HTTP
> (except on localhost), and therefore can't easily be accessed by a
> man-in-the-middle attacker. Insecure sites (with http: in the URL) can't
> set cookies with the Secure attribute

Note the "(except on localhost)".  In addition, RFC 6265 section-4.1.2.5 states:

> The Secure attribute limits the scope of the cookie to "secure"
> channels (where "secure" is defined by the user agent). When a
> cookie has the Secure attribute, the user agent will include the
> cookie in an HTTP request only if the request is transmitted over a
> secure channel (typically HTTP over Transport Layer Security (TLS)
> [RFC2818]).
> Although seemingly useful for protecting cookies from active network
> attackers, the Secure attribute protects only the cookie's
> confidentiality

Note "(where "secure" is defined by the user agent)".  The behaviour
this commit tests for is therefore an engineer's decision, not an IETF
standard.
@DanielDewberry DanielDewberry mentioned this pull request Apr 26, 2021
Closed
Dreamsorcerer
Dreamsorcerer reviewed Apr 26, 2021
View reviewed changes
tests/test_cookiejar.py
@@ -756,3 +756,36 @@ async def test_cookie_jar_clear_domain() -> None:
assert morsel.value == "bar"
with pytest.raises(StopIteration):
next(iterator)


async def test_secure_cookie_not_filtered_from_unsafe_cookiejar_when_given_unsecured_endpoint() -> None:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unsecured -> insecure

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I chose the word unsecured as it has the following meaning, which insecure seems not to

not made secure or safe.

Just letting you know that it was intentional :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, but insecure is more standard. insecure means not secure, liable to risk or danger. HTTP connections are inherently insecure, not just unsecured.

@DanielDewberry DanielDewberry closed this by deleting the head repository Jan 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Dreamsorcerer Dreamsorcerer Dreamsorcerer left review comments

@asvetlov asvetlov Awaiting requested review from asvetlov asvetlov is a code owner

@webknjaz webknjaz Awaiting requested review from webknjaz webknjaz is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@DanielDewberry @Dreamsorcerer