tests/test_cookiejar.py: add test #5652

Closed

1 change: 1 addition & 0 deletions CONTRIBUTORS.txt
Expand Up @@ -72,6 +72,7 @@ Colin Dunklau
Cong Xu
Damien Nadé
Dan Xu
Daniel Dewberry
Daniel García
Daniel Grossmann-Kavanagh
Daniel Nelson
33 changes: 33 additions & 0 deletions tests/test_cookiejar.py
Expand Up @@ -756,3 +756,36 @@ async def test_cookie_jar_clear_domain() -> None:
assert morsel.value == "bar"
with pytest.raises(StopIteration):
next(iterator)


async def test_secure_cookie_not_filtered_from_unsafe_cookiejar_when_given_unsecured_endpoint() -> None:
Member

unsecured -> insecure

Author

@DanielDewberry DanielDewberry Apr 26, 2021

I chose the word unsecured as it has the following meaning, which insecure seems not to:

> not made secure or safe.

Just letting you know that it was intentional :)

Member

Yeah, but insecure is more standard. insecure means not secure, liable to risk or danger. HTTP connections are inherently insecure, not just unsecured.

"""Secure SimpleCookie should not be filtered from unsafe CookieJar when given an unsecured endpoint.

There are times when sending a secure cookie to an unsecured endpoint is desireable. Such an
occasion is during testing. RFC 6265 section-4.1.2.5 states that this behaviour is a decision
based on the trust of a network by the user agent.
"""
endpoint = 'http://127.0.0.1/'

secure_cookie = SimpleCookie(
"cookie-key=cookie-value; HttpOnly; Path=/; Secure",
)

jar = CookieJar(unsafe=True)

# Confirm the jar is empty
assert len(jar) == 0

jar.update_cookies(
secure_cookie,
URL(endpoint),
)

# Confirm the jar contains the cookie
assert len(jar) == 1

filtered_cookies = jar.filter_cookies(request_url=endpoint)

# Confirm the filtered results contain the cookie
assert len(filtered_cookies) == 1
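
Review bot: the closing assertion `assert len(filtered_cookies) == 1` only counts entries, so the test still passes if the jar returns a different cookie or drops the value; assert on the morsel itself, for example `filtered_cookies["cookie-key"].value == "cookie-value"`, as the preceding test does with `morsel.value == "bar"`. The test also covers only `CookieJar(unsafe=True)`; without a companion case using a default jar against the same `http://` endpoint, it does not show that the `unsafe` flag is what lets the `Secure` cookie through. `filter_cookies(request_url=endpoint)` receives the plain string while `update_cookies` receives `URL(endpoint)`, so pass `URL(endpoint)` in both calls. Minor: "desireable" in the docstring should be "desirable", and the function name is long enough to trip common line-length checks.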