authorDavid Heinemeier Hansson <david@loudthinking.com>2007-09-21 15:05:49 +0000
committerDavid Heinemeier Hansson <david@loudthinking.com>2007-09-21 15:05:49 +0000
commiteede82ccb980d9d1c67cddc6972a7125ddab1949 (patch)
tree58a454089b3c9d28c477a27f3ba7f0c061fc4668 /actionpack/test/controller
parent26238ac1731208949312f4f91d75011a2da30d49 (diff)
Added support for HTTP Only cookies (works in IE6+ and FF 2.0.5+) as a mitigation against XSS attacks (closes #8895) [lifo/Spakman]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7525 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/test/controller')
-rw-r--r--actionpack/test/controller/cookie_test.rb10
1 files changed, 10 insertions, 0 deletions
diff --git a/actionpack/test/controller/cookie_test.rb b/actionpack/test/controller/cookie_test.rb
index cb6c21ad43..f3366619dd 100644
--- a/actionpack/test/controller/cookie_test.rb
+++ b/actionpack/test/controller/cookie_test.rb
@@ -32,6 +32,10 @@ class CookieTest < Test::Unit::TestCase
render :text => "hello world"
end
+ def authenticate_with_http_only
+ cookies["user_name"] = { :value => "david", :http_only => true }
+ end
+
def rescue_action(e)
raise unless ActionController::MissingTemplate # No templates here, and we don't care about the output
end
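Review bot: The new authenticate_with_http_only action says nothing about what the flag it exercises does or does not protect against, and HttpOnly is easy to mistake for a transport protection, so a one-line comment above the cookies[] assignment would help the next reader: `# HttpOnly only keeps the cookie out of document.cookie in supporting browsers; it is not the Secure flag and does not prevent capture on the wire`. The action also renders nothing and relies on rescue_action below swallowing the resulting MissingTemplate, which is fine for a fixture but worth knowing when reading the test. The enclosing class CookieTest starts and ends outside the hunk.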
@@ -60,6 +64,12 @@ class CookieTest < Test::Unit::TestCase
assert_equal [ CGI::Cookie::new("name" => "user_name", "value" => "david", "expires" => Time.local(2005, 10, 10)) ], @response.headers["cookie"]
end
+ def test_setting_cookie_with_http_only
+ get :authenticate_with_http_only
+ assert_equal [ CGI::Cookie::new("name" => "user_name", "value" => "david", "http_only" => true) ], @response.headers["cookie"]
+ assert_equal CGI::Cookie::new("name" => "user_name", "value" => "david", "path" => "/", "http_only" => true).to_s, @response.headers["cookie"].to_s
+ end
+
def test_multiple_cookies
get :set_multiple_cookies
assert_equal 2, @response.cookies.size
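Review bot: The first assert_equal in test_setting_cookie_with_http_only may not verify the HttpOnly flag at all: if CGI::Cookie here is still the Array-backed stdlib class (as it is in Ruby 1.8), `==` compares only the value list, so a cookie written without http_only would still match the expected object. Only the following `to_s` comparison can catch a missing `; HttpOnly` suffix, and it does so indirectly through a whole-string match that also depends on the default path being "/". A direct check makes the intent explicit and survives changes to the header format, e.g. `assert_match(/HttpOnly/i, @response.headers["cookie"].first.to_s)`; if the cookie extension exposes the flag (I cannot see it from this diff), `assert @response.headers["cookie"].first.http_only` is clearer still. The enclosing class CookieTest starts and ends outside the hunk.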