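    def test_session_no_secure(self):
        """A session cookie without the Secure flag fails the cookies check.

        The analyzer must report ``cookies-session-without-secure-flag``
        and clear both ``pass`` and ``sameSite`` whether the cookie also
        carries HttpOnly or not (the second case is the regression tracked
        in the linked issue).
        """
        def session_cookie(rest):
            # Identical SESSIONID cookie each time; only the non-standard
            # attributes (HttpOnly here) differ between the two cases.
            return Cookie(name='SESSIONID',
                          comment=None,
                          comment_url=None,
                          discard=False,
                          domain='mozilla.com',
                          domain_initial_dot=False,
                          domain_specified='mozilla.com',
                          expires=None,
                          path='/',
                          path_specified='/',
                          port=443,
                          port_specified=443,
                          rfc2109=False,
                          rest=rest,
                          secure=False,
                          version=1,
                          value='bar')

        # HttpOnly set, Secure missing
        self.reqs['session'].cookies.set_cookie(session_cookie({'HttpOnly': True}))

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-session-without-secure-flag', result['result'])
        self.assertFalse(result['pass'])
        self.assertFalse(result['sameSite'])

        # https://github.com/mozilla/http-observatory/issues/97
        # Neither HttpOnly nor Secure; the missing Secure flag must still be
        # the reported result. Same name/domain/path, so this replaces the
        # cookie set above in the jar rather than adding a second one.
        self.reqs['session'].cookies.set_cookie(session_cookie({}))

        result = cookies(self.reqs)

        self.assertEqual('cookies-session-without-secure-flag', result['result'])
        self.assertFalse(result['pass'])
        self.assertFalse(result['sameSite'])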
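    def test_session_no_secure(self):
        """A session cookie without the Secure flag fails the cookies check.

        The analyzer must report ``cookies-session-without-secure-flag``
        and clear both ``pass`` and ``sameSite`` whether the cookie also
        carries HttpOnly or not (the second case is the regression tracked
        in the linked issue).
        """
        def session_cookie(rest):
            # Identical SESSIONID cookie each time; only the non-standard
            # attributes (HttpOnly here) differ between the two cases.
            return Cookie(name='SESSIONID',
                          comment=None,
                          comment_url=None,
                          discard=False,
                          domain='mozilla.com',
                          domain_initial_dot=False,
                          domain_specified='mozilla.com',
                          expires=None,
                          path='/',
                          path_specified='/',
                          port=443,
                          port_specified=443,
                          rfc2109=False,
                          rest=rest,
                          secure=False,
                          version=1,
                          value='bar')

        # HttpOnly set, Secure missing
        self.reqs['session'].cookies.set_cookie(session_cookie({'HttpOnly': True}))

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-session-without-secure-flag', result['result'])
        self.assertFalse(result['pass'])
        self.assertFalse(result['sameSite'])

        # https://github.com/mozilla/http-observatory/issues/97
        # Neither HttpOnly nor Secure; the missing Secure flag must still be
        # the reported result. Same name/domain/path, so this replaces the
        # cookie set above in the jar rather than adding a second one.
        self.reqs['session'].cookies.set_cookie(session_cookie({}))

        result = cookies(self.reqs)

        self.assertEqual('cookies-session-without-secure-flag', result['result'])
        self.assertFalse(result['pass'])
        self.assertFalse(result['sameSite'])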
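    def test_session_no_httponly(self):
        """A Secure session cookie without HttpOnly fails the cookies check.

        Expected result is ``cookies-session-without-httponly-flag`` with
        ``pass`` and ``sameSite`` both false.
        """
        # Secure is set; rest={} means no HttpOnly (and no SameSite) attribute
        cookie = Cookie(name='SESSIONID',
                        comment=None,
                        comment_url=None,
                        discard=False,
                        domain='mozilla.com',
                        domain_initial_dot=False,
                        domain_specified='mozilla.com',
                        expires=None,
                        path='/',
                        path_specified='/',
                        port=443,
                        port_specified=443,
                        rfc2109=False,
                        rest={},
                        secure=True,
                        version=1,
                        value='bar')
        self.reqs['session'].cookies.set_cookie(cookie)

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-session-without-httponly-flag', result['result'])
        self.assertFalse(result['pass'])
        self.assertFalse(result['sameSite'])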
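    def test_samesite_invalid(self):
        """An unrecognised SameSite value fails the check with a None sameSite.

        The cookie is otherwise well-formed (Secure + HttpOnly), so the
        result must be attributable to the SameSite value alone.
        """
        # 'Invalid' is not one of the SameSite values the analyzer accepts
        cookie = Cookie(name='SESSIONID',
                        comment=None,
                        comment_url=None,
                        discard=False,
                        domain='mozilla.com',
                        domain_initial_dot=False,
                        domain_specified='mozilla.com',
                        expires=None,
                        path='/',
                        path_specified='/',
                        port=443,
                        port_specified=443,
                        rfc2109=False,
                        rest={'HttpOnly': True, 'SameSite': 'Invalid'},
                        secure=True,
                        version=1,
                        value='bar')
        self.reqs['session'].cookies.set_cookie(cookie)

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-samesite-flag-invalid', result['result'])
        self.assertFalse(result['pass'])
        # An invalid value is reported as None, not False, in the summary
        self.assertIsNone(result['sameSite'])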
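    def test_anticsrf_without_samesite(self):
        """An anti-CSRF cookie without SameSite fails the cookies check.

        The cookie name CSRFTOKEN is what makes the analyzer treat it as an
        anti-CSRF token; Secure and HttpOnly are set so only SameSite is
        missing. Expected result is ``cookies-anticsrf-without-samesite-flag``.
        """
        cookie = Cookie(name='CSRFTOKEN',
                        comment=None,
                        comment_url=None,
                        discard=False,
                        domain='mozilla.com',
                        domain_initial_dot=False,
                        domain_specified='mozilla.com',
                        expires=None,
                        path='/',
                        path_specified='/',
                        port=443,
                        port_specified=443,
                        rfc2109=False,
                        rest={'HttpOnly': True},
                        secure=True,
                        version=1,
                        value='bar')
        self.reqs['session'].cookies.set_cookie(cookie)

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-anticsrf-without-samesite-flag', result['result'])
        self.assertFalse(result['pass'])
        self.assertFalse(result['sameSite'])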
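    def test_samesite_invalid(self):
        """An unrecognised SameSite value fails the check with a None sameSite.

        The cookie is otherwise well-formed (Secure + HttpOnly), so the
        result must be attributable to the SameSite value alone.
        """
        # 'Invalid' is not one of the SameSite values the analyzer accepts
        cookie = Cookie(name='SESSIONID',
                        comment=None,
                        comment_url=None,
                        discard=False,
                        domain='mozilla.com',
                        domain_initial_dot=False,
                        domain_specified='mozilla.com',
                        expires=None,
                        path='/',
                        path_specified='/',
                        port=443,
                        port_specified=443,
                        rfc2109=False,
                        rest={'HttpOnly': True, 'SameSite': 'Invalid'},
                        secure=True,
                        version=1,
                        value='bar')
        self.reqs['session'].cookies.set_cookie(cookie)

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-samesite-flag-invalid', result['result'])
        self.assertFalse(result['pass'])
        # An invalid value is reported as None, not False, in the summary
        self.assertIsNone(result['sameSite'])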
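    def test_session_no_httponly(self):
        """A Secure session cookie without HttpOnly fails the cookies check.

        Expected result is ``cookies-session-without-httponly-flag`` with
        ``pass`` false.
        """
        # Secure is set; rest={} means no HttpOnly attribute
        cookie = Cookie(name='SESSIONID',
                        comment=None,
                        comment_url=None,
                        discard=False,
                        domain='mozilla.com',
                        domain_initial_dot=False,
                        domain_specified='mozilla.com',
                        expires=None,
                        path='/',
                        path_specified='/',
                        port=443,
                        port_specified=443,
                        rfc2109=False,
                        rest={},
                        secure=True,
                        version=1,
                        value='bar')
        self.reqs['session'].cookies.set_cookie(cookie)

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-session-without-httponly-flag', result['result'])
        self.assertFalse(result['pass'])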
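    def test_session_cookie_no_secure_but_hsts(self):
        """A non-Secure session cookie on an HSTS site gets the HSTS-specific result.

        HSTS keeps the browser on https, which mitigates but does not
        replace the Secure flag: the analyzer reports
        ``cookies-session-without-secure-flag-but-protected-by-hsts`` and
        the check still does not pass.
        """
        # NOTE(review): rest uses {'HttpOnly': None} rather than True; it looks
        # like only key presence matters for HttpOnly detection — confirm.
        cookie = Cookie(name='SESSIONID',
                        comment=None,
                        comment_url=None,
                        discard=False,
                        domain='mozilla.com',
                        domain_initial_dot=False,
                        domain_specified='mozilla.com',
                        expires=None,
                        path='/',
                        path_specified='/',
                        port=443,
                        port_specified=443,
                        rfc2109=False,
                        rest={'HttpOnly': None},
                        secure=False,
                        version=1,
                        value='bar')
        self.reqs['session'].cookies.set_cookie(cookie)
        # Make the https response advertise HSTS so the analyzer takes the
        # "protected by HSTS" branch instead of the plain missing-Secure one
        self.reqs['responses']['https'].headers[
            'Strict-Transport-Security'] = 'max-age=15768000'

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual(
            'cookies-session-without-secure-flag-but-protected-by-hsts',
            result['result'])
        self.assertFalse(result['pass'])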
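    def test_session_cookie_no_secure_but_hsts(self):
        """A non-Secure session cookie on an HSTS site gets the HSTS-specific result.

        HSTS keeps the browser on https, which mitigates but does not
        replace the Secure flag: the analyzer reports
        ``cookies-session-without-secure-flag-but-protected-by-hsts`` and
        the check still does not pass.
        """
        # NOTE(review): rest uses {'HttpOnly': None} rather than True; it looks
        # like only key presence matters for HttpOnly detection — confirm.
        cookie = Cookie(name='SESSIONID',
                        comment=None,
                        comment_url=None,
                        discard=False,
                        domain='mozilla.com',
                        domain_initial_dot=False,
                        domain_specified='mozilla.com',
                        expires=None,
                        path='/',
                        path_specified='/',
                        port=443,
                        port_specified=443,
                        rfc2109=False,
                        rest={'HttpOnly': None},
                        secure=False,
                        version=1,
                        value='bar')
        self.reqs['session'].cookies.set_cookie(cookie)
        # Make the https response advertise HSTS so the analyzer takes the
        # "protected by HSTS" branch instead of the plain missing-Secure one
        self.reqs['responses']['https'].headers['Strict-Transport-Security'] = 'max-age=15768000'

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-session-without-secure-flag-but-protected-by-hsts', result['result'])
        self.assertFalse(result['pass'])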
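    def test_anticsrf_without_samesite(self):
        """An anti-CSRF cookie without SameSite fails the cookies check.

        The cookie name CSRFTOKEN is what makes the analyzer treat it as an
        anti-CSRF token; Secure and HttpOnly are set so only SameSite is
        missing. Expected result is ``cookies-anticsrf-without-samesite-flag``.
        """
        cookie = Cookie(name='CSRFTOKEN',
                        comment=None,
                        comment_url=None,
                        discard=False,
                        domain='mozilla.com',
                        domain_initial_dot=False,
                        domain_specified='mozilla.com',
                        expires=None,
                        path='/',
                        path_specified='/',
                        port=443,
                        port_specified=443,
                        rfc2109=False,
                        rest={'HttpOnly': True},
                        secure=True,
                        version=1,
                        value='bar')
        self.reqs['session'].cookies.set_cookie(cookie)

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-anticsrf-without-samesite-flag', result['result'])
        self.assertFalse(result['pass'])
        self.assertFalse(result['sameSite'])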
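    def test_secure_with_httponly_sessions(self):
        """All cookies Secure and the session cookie HttpOnly passes the check.

        A non-session cookie (``foo``) without HttpOnly must not drag the
        result down; the expected result is
        ``cookies-secure-with-httponly-sessions``.
        """
        # Python cookies are the literal worst, seriously, the worst
        def secure_cookie(name, rest):
            # Every cookie here is Secure on mozilla.com; only the name and
            # the non-standard attributes (HttpOnly) differ.
            return Cookie(name=name,
                          comment=None,
                          comment_url=None,
                          discard=False,
                          domain='mozilla.com',
                          domain_initial_dot=False,
                          domain_specified='mozilla.com',
                          expires=None,
                          path='/',
                          path_specified='/',
                          port=443,
                          port_specified=443,
                          rfc2109=False,
                          rest=rest,
                          secure=True,
                          version=1,
                          value='bar')

        # NOTE(review): HttpOnly is passed as None rather than True; it looks
        # like only key presence matters for HttpOnly detection — confirm.
        self.reqs['session'].cookies.set_cookie(secure_cookie('SESSIONID', {'HttpOnly': None}))

        # Plain cookie: Secure, no HttpOnly
        self.reqs['session'].cookies.set_cookie(secure_cookie('foo', {}))

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-secure-with-httponly-sessions', result['result'])
        self.assertTrue(result['pass'])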
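    def test_secure_with_httponly_sessions(self):
        """All cookies Secure and the session cookie HttpOnly passes the check.

        A non-session cookie (``foo``) without HttpOnly must not drag the
        result down; the expected result is
        ``cookies-secure-with-httponly-sessions``.
        """
        # Python cookies are the literal worst, seriously, the worst
        def secure_cookie(name, rest):
            # Every cookie here is Secure on mozilla.com; only the name and
            # the non-standard attributes (HttpOnly) differ.
            return Cookie(name=name,
                          comment=None,
                          comment_url=None,
                          discard=False,
                          domain='mozilla.com',
                          domain_initial_dot=False,
                          domain_specified='mozilla.com',
                          expires=None,
                          path='/',
                          path_specified='/',
                          port=443,
                          port_specified=443,
                          rfc2109=False,
                          rest=rest,
                          secure=True,
                          version=1,
                          value='bar')

        # NOTE(review): HttpOnly is passed as None rather than True; it looks
        # like only key presence matters for HttpOnly detection — confirm.
        self.reqs['session'].cookies.set_cookie(secure_cookie('SESSIONID', {'HttpOnly': None}))

        # Plain cookie: Secure, no HttpOnly
        self.reqs['session'].cookies.set_cookie(secure_cookie('foo', {}))

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-secure-with-httponly-sessions', result['result'])
        self.assertTrue(result['pass'])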
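    def test_secure_with_httponly_sessions(self):
        """A Secure+HttpOnly session cookie passes despite ignorable third-party cookies.

        Besides the session cookie and a plain Secure cookie, two
        non-Secure cookies set by common infrastructure (``__cfduid`` and
        ``heroku-session-affinity``) are present; they must not turn the
        result into a failure. Expected result is
        ``cookies-secure-with-httponly-sessions`` with ``sameSite`` false,
        since no cookie carries a SameSite attribute.
        """
        # Python cookies are the literal worst, seriously, the worst
        def make_cookie(name, rest, secure):
            # All cookies share the mozilla.com / path '/' / port 443 shape;
            # name, non-standard attributes and the Secure flag vary.
            return Cookie(name=name,
                          comment=None,
                          comment_url=None,
                          discard=False,
                          domain='mozilla.com',
                          domain_initial_dot=False,
                          domain_specified='mozilla.com',
                          expires=None,
                          path='/',
                          path_specified='/',
                          port=443,
                          port_specified=443,
                          rfc2109=False,
                          rest=rest,
                          secure=secure,
                          version=1,
                          value='bar')

        # Session cookie: Secure + HttpOnly
        self.reqs['session'].cookies.set_cookie(make_cookie('SESSIONID', {'HttpOnly': True}, True))

        # Plain cookie: Secure, no HttpOnly
        self.reqs['session'].cookies.set_cookie(make_cookie('foo', {}, True))

        # See: https://github.com/mozilla/http-observatory/issues/121 for the __cfduid insanity
        self.reqs['session'].cookies.set_cookie(make_cookie('__cfduid', {}, False))

        # See: https://github.com/mozilla/http-observatory/issues/282 for the heroku-session-affinity insanity
        self.reqs['session'].cookies.set_cookie(make_cookie('heroku-session-affinity', {}, False))

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-secure-with-httponly-sessions', result['result'])
        self.assertTrue(result['pass'])
        self.assertFalse(result['sameSite'])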
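    def test_missing(self):
        """With no cookies in the session the check passes as ``cookies-not-found``."""
        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-not-found', result['result'])
        self.assertTrue(result['pass'])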
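    def test_secure_with_httponly_sessions(self):
        """A Secure+HttpOnly session cookie passes despite ignorable third-party cookies.

        Besides the session cookie and a plain Secure cookie, two
        non-Secure cookies set by common infrastructure (``__cfduid`` and
        ``heroku-session-affinity``) are present; they must not turn the
        result into a failure. Expected result is
        ``cookies-secure-with-httponly-sessions``.
        """
        # Python cookies are the literal worst, seriously, the worst
        def make_cookie(name, rest, secure):
            # All cookies share the mozilla.com / path '/' / port 443 shape;
            # name, non-standard attributes and the Secure flag vary.
            return Cookie(name=name,
                          comment=None,
                          comment_url=None,
                          discard=False,
                          domain='mozilla.com',
                          domain_initial_dot=False,
                          domain_specified='mozilla.com',
                          expires=None,
                          path='/',
                          path_specified='/',
                          port=443,
                          port_specified=443,
                          rfc2109=False,
                          rest=rest,
                          secure=secure,
                          version=1,
                          value='bar')

        # Session cookie: Secure + HttpOnly
        self.reqs['session'].cookies.set_cookie(make_cookie('SESSIONID', {'HttpOnly': True}, True))

        # Plain cookie: Secure, no HttpOnly
        self.reqs['session'].cookies.set_cookie(make_cookie('foo', {}, True))

        # See: https://github.com/mozilla/http-observatory/issues/121 for the __cfduid insanity
        self.reqs['session'].cookies.set_cookie(make_cookie('__cfduid', {}, False))

        # See: https://github.com/mozilla/http-observatory/issues/282 for the heroku-session-affinity insanity
        self.reqs['session'].cookies.set_cookie(make_cookie('heroku-session-affinity', {}, False))

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-secure-with-httponly-sessions',
                         result['result'])
        self.assertTrue(result['pass'])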
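    def test_missing(self):
        """With no cookies in the session the check passes as ``cookies-not-found``."""
        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-not-found', result['result'])
        self.assertTrue(result['pass'])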
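    def test_secure_with_httponly_sessions_and_samesite(self):
        """Secure + HttpOnly session cookies that all carry SameSite pass with sameSite set.

        Three session cookies cover the accepted SameSite spellings: a bare
        attribute (``True``), ``Strict`` and ``Lax``. The expected
        ``result['data']`` pins how each is normalised — in this version a
        bare SameSite is reported as ``Strict``.
        """
        def session_cookie(name, samesite):
            # Identical Secure + HttpOnly session cookies; only the name and
            # the SameSite value differ.
            return Cookie(name=name,
                          comment=None,
                          comment_url=None,
                          discard=False,
                          domain='mozilla.com',
                          domain_initial_dot=False,
                          domain_specified='mozilla.com',
                          expires=None,
                          path='/',
                          path_specified='/',
                          port=443,
                          port_specified=443,
                          rfc2109=False,
                          rest={'HttpOnly': True, 'SameSite': samesite},
                          secure=True,
                          version=1,
                          value='bar')

        self.reqs['session'].cookies.set_cookie(session_cookie('SESSIONID_UNSET', True))
        self.reqs['session'].cookies.set_cookie(session_cookie('SESSIONID_STRICT', 'Strict'))
        self.reqs['session'].cookies.set_cookie(session_cookie('SESSIONID_LAX', 'Lax'))

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-secure-with-httponly-sessions-and-samesite', result['result'])
        self.assertEqual({
                          'SESSIONID_LAX': {
                              'domain': 'mozilla.com',
                              'expires': None,
                              'httponly': True,
                              'max-age': None,
                              'path': '/',
                              'port': 443,
                              'samesite': 'Lax',
                              'secure': True
                          },
                          'SESSIONID_STRICT': {
                              'domain': 'mozilla.com',
                              'expires': None,
                              'httponly': True,
                              'max-age': None,
                              'path': '/',
                              'port': 443,
                              'samesite': 'Strict',
                              'secure': True
                          },
                          'SESSIONID_UNSET': {
                              'domain': 'mozilla.com',
                              'expires': None,
                              'httponly': True,
                              'max-age': None,
                              'path': '/',
                              'port': 443,
                              'samesite': 'Strict',
                              'secure': True}
                          },
                          result['data'])
        self.assertTrue(result['pass'])
        self.assertTrue(result['sameSite'])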
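    def test_secure_with_httponly_sessions_and_samesite(self):
        """Secure + HttpOnly session cookies that all carry SameSite pass with sameSite set.

        Four session cookies cover the accepted SameSite spellings:
        ``Strict``, ``Lax``, a bare attribute (``True``) and an attribute
        with no value (``None``). The expected ``result['data']`` pins how
        each is normalised — in this version both the bare and the
        valueless attribute are reported as ``Lax``.
        """
        def session_cookie(name, samesite):
            # Identical Secure + HttpOnly session cookies; only the name and
            # the SameSite value differ.
            return Cookie(name=name,
                          comment=None,
                          comment_url=None,
                          discard=False,
                          domain='mozilla.com',
                          domain_initial_dot=False,
                          domain_specified='mozilla.com',
                          expires=None,
                          path='/',
                          path_specified='/',
                          port=443,
                          port_specified=443,
                          rfc2109=False,
                          rest={'HttpOnly': True, 'SameSite': samesite},
                          secure=True,
                          version=1,
                          value='bar')

        self.reqs['session'].cookies.set_cookie(session_cookie('SESSIONID_SAMESITE_STRICT', 'Strict'))
        self.reqs['session'].cookies.set_cookie(session_cookie('SESSIONID_SAMESITE_LAX_TRUE', True))
        self.reqs['session'].cookies.set_cookie(session_cookie('SESSIONID_SAMESITE_LAX', 'Lax'))
        self.reqs['session'].cookies.set_cookie(session_cookie('SESSIONID_SAMESITE_LAX_NONE', None))

        result = cookies(self.reqs)

        # assertEqual: assertEquals is a deprecated alias removed in Python 3.12
        self.assertEqual('cookies-secure-with-httponly-sessions-and-samesite', result['result'])
        self.assertEqual({
                          'SESSIONID_SAMESITE_STRICT': {
                              'domain': 'mozilla.com',
                              'expires': None,
                              'httponly': True,
                              'max-age': None,
                              'path': '/',
                              'port': 443,
                              'samesite': 'Strict',
                              'secure': True
                          },
                          'SESSIONID_SAMESITE_LAX_TRUE': {
                              'domain': 'mozilla.com',
                              'expires': None,
                              'httponly': True,
                              'max-age': None,
                              'path': '/',
                              'port': 443,
                              'samesite': 'Lax',
                              'secure': True},
                          'SESSIONID_SAMESITE_LAX': {
                              'domain': 'mozilla.com',
                              'expires': None,
                              'httponly': True,
                              'max-age': None,
                              'path': '/',
                              'port': 443,
                              'samesite': 'Lax',
                              'secure': True
                          },
                          'SESSIONID_SAMESITE_LAX_NONE': {
                              'domain': 'mozilla.com',
                              'expires': None,
                              'httponly': True,
                              'max-age': None,
                              'path': '/',
                              'port': 443,
                              'samesite': 'Lax',
                              'secure': True}
                          },
                          result['data'])
        self.assertTrue(result['pass'])
        self.assertTrue(result['sameSite'])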