Merge pull request #593 from magento-extensibility/MAGETWO-41967-http…

…only-cookies

[Extensibility] Magetwo 41967 httponly cookies

app/code/Magento/MediaStorage/Model/File/Storage/Response.php

@@ -6,6 +6,7 @@
 namespace Magento\MediaStorage\Model\File\Storage;
 
 use Magento\Framework\App\Response\Http;
+use Magento\Framework\App\Request\Http as HttpRequest;
 use Magento\Framework\Stdlib\Cookie\CookieMetadataFactory;
 use Magento\Framework\Stdlib\CookieManagerInterface;
 
@@ -26,20 +27,22 @@ class Response extends Http implements \Magento\Framework\App\Response\FileInter
     /**
      * Constructor
      *
+     * @param HttpRequest $request
      * @param CookieManagerInterface $cookieManager
      * @param CookieMetadataFactory $cookieMetadataFactory
      * @param \Magento\Framework\App\Http\Context $context
      * @param \Magento\Framework\Stdlib\DateTime $dateTime
      * @param \Magento\Framework\File\Transfer\Adapter\Http $transferAdapter
      */
     public function __construct(
+        HttpRequest $request,
         CookieManagerInterface $cookieManager,
         CookieMetadataFactory $cookieMetadataFactory,
         \Magento\Framework\App\Http\Context $context,
         \Magento\Framework\Stdlib\DateTime $dateTime,
         \Magento\Framework\File\Transfer\Adapter\Http $transferAdapter
     ) {
-        parent::__construct($cookieManager, $cookieMetadataFactory, $context, $dateTime);
+        parent::__construct($request, $cookieManager, $cookieMetadataFactory, $context, $dateTime);
         $this->_transferAdapter = $transferAdapter;
     }
 

lib/internal/Magento/Framework/App/Response/Http.php

@@ -12,6 +12,7 @@
 use Magento\Framework\Stdlib\Cookie\CookieMetadataFactory;
 use Magento\Framework\Stdlib\CookieManagerInterface;
 use Magento\Framework\Stdlib\DateTime;
+use Magento\Framework\App\Request\Http as HttpRequest;
 
 class Http extends \Magento\Framework\HTTP\PhpEnvironment\Response
 {
@@ -24,6 +25,9 @@ class Http extends \Magento\Framework\HTTP\PhpEnvironment\Response
     /** X-FRAME-OPTIONS Header name */
     const HEADER_X_FRAME_OPT = 'X-Frame-Options';
 
+    /** @var \Magento\Framework\App\Request\Http */
+    protected $request;
+
     /** @var \Magento\Framework\Stdlib\CookieManagerInterface */
     protected $cookieManager;
 
@@ -37,17 +41,20 @@ class Http extends \Magento\Framework\HTTP\PhpEnvironment\Response
     protected $dateTime;
 
     /**
+     * @param HttpRequest $request
      * @param CookieManagerInterface $cookieManager
      * @param CookieMetadataFactory $cookieMetadataFactory
      * @param Context $context
      * @param DateTime $dateTime
      */
     public function __construct(
+        HttpRequest $request,
         CookieManagerInterface $cookieManager,
         CookieMetadataFactory $cookieMetadataFactory,
         Context $context,
         DateTime $dateTime
     ) {
+        $this->request = $request;
         $this->cookieManager = $cookieManager;
         $this->cookieMetadataFactory = $cookieMetadataFactory;
         $this->context = $context;
@@ -76,8 +83,8 @@ public function sendVary()
         if ($varyString) {
             $sensitiveCookMetadata = $this->cookieMetadataFactory->createSensitiveCookieMetadata()->setPath('/');
             $this->cookieManager->setSensitiveCookie(self::COOKIE_VARY_STRING, $varyString, $sensitiveCookMetadata);
-        } else {
-            $cookieMetadata = $this->cookieMetadataFactory->createCookieMetadata()->setPath('/');
+        } elseif ($this->request->get(self::COOKIE_VARY_STRING)) {
+            $cookieMetadata = $this->cookieMetadataFactory->createSensitiveCookieMetadata()->setPath('/');
             $this->cookieManager->deleteCookie(self::COOKIE_VARY_STRING, $cookieMetadata);
         }
     }
@@ -163,6 +170,7 @@ public function __wakeup()
         $objectManager = ObjectManager::getInstance();
         $this->cookieManager = $objectManager->create('Magento\Framework\Stdlib\CookieManagerInterface');
         $this->cookieMetadataFactory = $objectManager->get('Magento\Framework\Stdlib\Cookie\CookieMetadataFactory');
+        $this->request = $objectManager->get('Magento\Framework\App\Request\Http');
     }
 
     /**

lib/internal/Magento/Framework/App/Test/Unit/Response/HttpTest.php

@@ -35,9 +35,15 @@ class HttpTest extends \PHPUnit_Framework_TestCase
     /** @var \PHPUnit_Framework_MockObject_MockObject|\Magento\Framework\App\Http\Context */
     protected $dateTimeMock;
 
+    /** @var \Magento\Framework\TestFramework\Unit\Helper\ObjectManager */
+    protected $objectManager;
+
     protected function setUp()
     {
-        $objectManager = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
+        $this->objectManager = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
+        $this->requestMock = $this->getMockBuilder('\Magento\Framework\App\Request\Http')
+            ->disableOriginalConstructor()
+            ->getMock();
         $this->cookieMetadataFactoryMock = $this->getMockBuilder(
             'Magento\Framework\Stdlib\Cookie\CookieMetadataFactory'
         )->disableOriginalConstructor()->getMock();
@@ -49,9 +55,10 @@ protected function setUp()
             ->disableOriginalConstructor()
             ->getMock();
 
-        $this->model = $objectManager->getObject(
+        $this->model = $this->objectManager->getObject(
             'Magento\Framework\App\Response\Http',
             [
+                'request' => $this->requestMock,
                 'cookieManager' => $this->cookieManagerMock,
                 'cookieMetadataFactory' => $this->cookieMetadataFactoryMock,
                 'context' => $this->contextMock,
@@ -85,12 +92,10 @@ public function testSendVary()
 
         $this->contextMock->expects($this->once())
             ->method('getVaryString')
-            ->with()
             ->will($this->returnValue($expectedCookieValue));
 
         $this->cookieMetadataFactoryMock->expects($this->once())
             ->method('createSensitiveCookieMetadata')
-            ->with()
             ->will($this->returnValue($sensitiveCookieMetadataMock));
 
         $this->cookieManagerMock->expects($this->once())
@@ -99,7 +104,7 @@ public function testSendVary()
         $this->model->sendVary();
     }
 
-    public function testSendVaryEmptyData()
+    public function testSendVaryEmptyDataDeleteCookie()
     {
         $expectedCookieName = Http::COOKIE_VARY_STRING;
         $cookieMetadataMock = $this->getMock('Magento\Framework\Stdlib\Cookie\CookieMetadata');
@@ -109,15 +114,29 @@ public function testSendVaryEmptyData()
             ->will($this->returnSelf());
         $this->contextMock->expects($this->once())
             ->method('getVaryString')
-            ->with()
-            ->will($this->returnValue(null));
+            ->willReturn(null);
         $this->cookieMetadataFactoryMock->expects($this->once())
-            ->method('createCookieMetadata')
-            ->with()
-            ->will($this->returnValue($cookieMetadataMock));
+            ->method('createSensitiveCookieMetadata')
+            ->willReturn($cookieMetadataMock);
         $this->cookieManagerMock->expects($this->once())
             ->method('deleteCookie')
             ->with($expectedCookieName, $cookieMetadataMock);
+        $this->requestMock->expects($this->once())
+            ->method('get')
+            ->willReturn('value');
+        $this->model->sendVary();
+    }
+
+    public function testSendVaryEmptyData()
+    {
+        $this->contextMock->expects($this->once())
+            ->method('getVaryString')
+            ->willReturn(null);
+        $this->cookieMetadataFactoryMock->expects($this->never())
+            ->method('createSensitiveCookieMetadata');
+        $this->requestMock->expects($this->once())
+            ->method('get')
+            ->willReturn(null);
         $this->model->sendVary();
     }