From 159eb9b6225951bd8f3380c16d784e4f1cf74349 Mon Sep 17 00:00:00 2001
From: Jeremy Daer
Date: Fri, 4 Dec 2015 19:07:53 -0700
Subject: First-Party cookies, another line of CSRF defense

Set `first_party: true` to set the First-Party attribute telling browsers to only send the cookie with legit first-party requests.

* https://tools.ietf.org/html/draft-west-first-party-cookies-00
* https://www.chromestatus.com/feature/4672634709082112
---
 test/spec_response.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'test/spec_response.rb')

diff --git a/test/spec_response.rb b/test/spec_response.rb
index de0670da..f1028826 100644
--- a/test/spec_response.rb
+++ b/test/spec_response.rb
@@ -115,6 +115,20 @@ describe Rack::Response do
     response["Set-Cookie"].must_equal "foo=bar"
   end
 
+  it "can set First-Party cookies" do
+    response = Rack::Response.new
+    response.set_cookie "foo", {:value => "bar", :first_party => true}
+    response["Set-Cookie"].must_equal "foo=bar; First-Party"
+  end
+
+  [ nil, false ].each do |non_truthy|
+    it "omits First-Party attribute given a #{non_truthy.inspect} value" do
+      response = Rack::Response.new
+      response.set_cookie "foo", {:value => "bar", :first_party => non_truthy}
+      response["Set-Cookie"].must_equal "foo=bar"
+    end
+  end
+
   it "can delete cookies" do
     response = Rack::Response.new
     response.set_cookie "foo", "bar"
--
cgit v1.2.1
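Review bot: The expected string `"foo=bar; First-Party"` in the first new example pins an attribute name taken from a -00 draft (draft-west-first-party-cookies-00, cited in the commit message), and nothing in the spec records that dependency, so a later rename in the draft would leave this test green while the emitted attribute stops meaning anything to browsers; a comment above `it "can set First-Party cookies" do` such as `# Attribute name follows draft-west-first-party-cookies-00; revisit if the draft renames it` would make that explicit. The two new examples only exercise `:first_party` on its own, so an additional example combining it with `:secure => true` or `:httponly => true` would also pin where `First-Party` lands relative to the other attributes, which is the case a real session cookie hits. The enclosing `describe Rack::Response do` block begins before and ends after this hunk.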