author | Jeremy Daer <jeremydaer@gmail.com> | 2015-12-04 19:07:53 -0700 |
---|---|---|
committer | Jeremy Daer <jeremydaer@gmail.com> | 2015-12-04 19:07:53 -0700 |
commit | 159eb9b6225951bd8f3380c16d784e4f1cf74349 (patch) | |
tree | 4458cfa05adec4b0de09c92571a9999ad8aeaaeb /test/spec_response.rb | |
parent | c393176b0edf3e5d06cabbb6eb9d9c7a07b2afa7 (diff) | |
download | rack-159eb9b6225951bd8f3380c16d784e4f1cf74349.tar.gz |
First-Party cookies, another line of CSRF defense
Set `first_party: true` to set the First-Party attribute telling
browsers to only send the cookie with legit first-party requests.
* https://tools.ietf.org/html/draft-west-first-party-cookies-00
* https://www.chromestatus.com/feature/4672634709082112
Diffstat (limited to 'test/spec_response.rb')
-rw-r--r-- | test/spec_response.rb | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/test/spec_response.rb b/test/spec_response.rb index de0670da..f1028826 100644 --- a/test/spec_response.rb +++ b/test/spec_response.rb @@ -115,6 +115,20 @@ describe Rack::Response do response["Set-Cookie"].must_equal "foo=bar" end + it "can set First-Party cookies" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :first_party => true} + response["Set-Cookie"].must_equal "foo=bar; First-Party" + end + + [ nil, false ].each do |non_truthy| + it "omits First-Party attribute given a #{non_truthy.inspect} value" do + response = Rack::Response.new + response.set_cookie "foo", {:value => "bar", :first_party => non_truthy} + response["Set-Cookie"].must_equal "foo=bar" + end + end + it "can delete cookies" do response = Rack::Response.new response.set_cookie "foo", "bar" |
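Review bot: the new examples pin the `First-Party` attribute for `true` and its omission for `nil` and `false`, but no case covers a truthy non-boolean value (for example `:first_party => "yes"` or `:first_party => 1`), so the truthiness semantics the commit message implies for `first_party: true` are not actually asserted; consider adding such a value next to the `true` case, or, if only literal `true` is meant to enable the attribute, an assertion that other values leave `Set-Cookie` unchanged. The `[ nil, false ].each` loop is a good shape for that: extend it with the truthy values and expected outputs as pairs rather than duplicating the `it` block. Also, `must_equal "foo=bar; First-Party"` hard-codes exact serialization, which is fine for a single attribute but will need the ordering spelled out once this flag is combined with other cookie attributes in a later test.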