author | David Heinemeier Hansson <david@loudthinking.com> | 2007-09-21 15:05:49 +0000 |
---|---|---|
committer | David Heinemeier Hansson <david@loudthinking.com> | 2007-09-21 15:05:49 +0000 |
commit | eede82ccb980d9d1c67cddc6972a7125ddab1949 (patch) | |
tree | 58a454089b3c9d28c477a27f3ba7f0c061fc4668 /actionpack/test/controller | |
parent | 26238ac1731208949312f4f91d75011a2da30d49 (diff) | |
Added support for HttpOnly cookies (works in IE6+ and FF 2.0.5+) as a mitigation against cookie theft through XSS (closes #8895) [lifo/Spakman]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7525 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/test/controller')
-rw-r--r-- | actionpack/test/controller/cookie_test.rb | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/actionpack/test/controller/cookie_test.rb b/actionpack/test/controller/cookie_test.rb
index cb6c21ad43..f3366619dd 100644
--- a/actionpack/test/controller/cookie_test.rb
+++ b/actionpack/test/controller/cookie_test.rb
@@ -32,6 +32,10 @@ class CookieTest < Test::Unit::TestCase
     render :text => "hello world"
   end
 
+  def authenticate_with_http_only
+    cookies["user_name"] = { :value => "david", :http_only => true }
+  end
+
   def rescue_action(e)
     raise unless ActionController::MissingTemplate # No templates here, and we don't care about the output
   end
@@ -60,6 +64,12 @@ class CookieTest < Test::Unit::TestCase
     assert_equal [ CGI::Cookie::new("name" => "user_name", "value" => "david", "expires" => Time.local(2005, 10, 10)) ], @response.headers["cookie"]
   end
 
+  def test_setting_cookie_with_http_only
+    get :authenticate_with_http_only
+    assert_equal [ CGI::Cookie::new("name" => "user_name", "value" => "david", "http_only" => true) ], @response.headers["cookie"]
+    assert_equal CGI::Cookie::new("name" => "user_name", "value" => "david", "path" => "/", "http_only" => true).to_s, @response.headers["cookie"].to_s
+  end
+
   def test_multiple_cookies
     get :set_multiple_cookies
     assert_equal 2, @response.cookies.size |
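Review bot: The first assert_equal in test_setting_cookie_with_http_only does not appear to verify the HttpOnly flag at all: in Ruby's cgi.rb CGI::Cookie is an Array delegate, so equality compares only the value list and the line would pass even if `:http_only` were silently dropped, which is presumably why the second assertion falls back to comparing `.to_s`. That makes the first assertion redundant at best and misleading at worst, since a reader takes it as the check that the attribute was set. I would replace it with a direct check on the emitted header, `assert_match(/;\s*HttpOnly/, @response.headers["cookie"].to_s)`, and add a negative case asserting that a cookie set without `:http_only` carries no HttpOnly attribute, so the suite can also catch the flag being applied unconditionally. Whether CGI::Cookie in this tree accepts an `"http_only"` key depends on the cgi_ext change outside this diff, so the new helper action is only as good as that patch.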