diff --git a/components/net/http_loader.rs b/components/net/http_loader.rs
index d1e0bef10687..3d231423f93a 100644
--- a/components/net/http_loader.rs
+++ b/components/net/http_loader.rs
@@ -513,6 +513,7 @@ fn request_must_be_secured(url: &Url, hsts_list: &Arc>) -> bool
 }
 pub fn modify_request_headers(headers: &mut Headers,
+ url: &Url,
 doc_url: &Url,
 user_agent: &str,
 cookie_jar: &Arc>,
@@ -529,7 +530,7 @@ pub fn modify_request_headers(headers: &mut Headers,
 set_default_accept_encoding(headers);
 // https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch step 11
 if load_data.credentials_flag {
- set_request_cookies(doc_url.clone(), headers, cookie_jar);
+ set_request_cookies(url.clone(), headers, cookie_jar);
 // https://fetch.spec.whatwg.org/#http-network-or-cache-fetch step 12
 if !headers.has::>() {
@@ -725,7 +726,7 @@ pub fn load(load_data: LoadData,
 let request_id = uuid::Uuid::new_v4().to_simple_string();
- modify_request_headers(&mut request_headers, &doc_url, &user_agent, &cookie_jar, &load_data);
+ modify_request_headers(&mut request_headers, &url, &doc_url, &user_agent, &cookie_jar, &load_data);
 let response = try!(obtain_response(request_factory, &url, &method, &request_headers, &cancel_listener, &load_data.data, &load_data.method,
diff --git a/tests/unit/net/http_loader.rs b/tests/unit/net/http_loader.rs
index 70d4944b7ae1..c144e4bd3a8a 100644
--- a/tests/unit/net/http_loader.rs
+++ b/tests/unit/net/http_loader.rs
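Review bot: In the `@@ -513,6 +513,7 @@` hunk, `modify_request_headers` now takes two adjacent `&Url` parameters with nothing in the signature saying which is which. The function is `pub`, so a caller that swaps them still compiles and selects cookies for the wrong URL. A doc comment on the function would make the contract explicit, for example `/// url: the URL actually requested, used to select cookies. doc_url: the URL the load started from.` What `doc_url` is still used for lies outside the hunk, so the second half of that wording should be confirmed against the body before it is committed.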
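Review bot: In the `@@ -529,7 +530,7 @@` hunk, only the cookie lookup moves to the request URL. The step 12 `Authorization` block that opens right after it, under the same `credentials_flag`, runs past the end of the hunk, so which URL it reads is not visible here. If it still derives credentials from `doc_url`, one request would carry cookies chosen for `url` and credentials chosen for a different URL. That block should either switch to `url` as well or keep `doc_url` with a comment stating why, such as `// credentials intentionally come from the document URL: <reason>`.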
@@ -18,10 +18,10 @@ use hyper::status::StatusCode;
 use msg::constellation_msg::PipelineId;
 use net::cookie::Cookie;
 use net::cookie_storage::CookieStorage;
-use net::hsts::{HSTSList};
+use net::hsts::{HSTSList, HSTSEntry};
 use net::http_loader::{load, LoadError, HttpRequestFactory, HttpRequest, HttpResponse};
 use net::resource_thread::CancellationListener;
-use net_traits::{LoadData, CookieSource, LoadContext};
+use net_traits::{LoadData, CookieSource, LoadContext, IncludeSubdomains};
 use std::borrow::Cow;
 use std::io::{self, Write, Read, Cursor};
 use std::sync::mpsc::Receiver;
@@ -813,6 +813,50 @@ fn test_load_sets_requests_cookies_header_for_url_by_getting_cookies_from_the_re
 &CancellationListener::new(None));
 }
+#[test]
+fn test_load_sends_secure_cookie_if_http_changed_to_https_due_to_entry_in_hsts_store() {
+ let url = url!("http://mozilla.com");
+ let secured_url = url!("https://mozilla.com");
+
+ let hsts_list = Arc::new(RwLock::new(HSTSList::new()));
+ let cookie_jar = Arc::new(RwLock::new(CookieStorage::new()));
+
+ {
+ let mut hsts_list = hsts_list.write().unwrap();
+ let entry = HSTSEntry::new(
+ "mozilla.com".to_owned(), IncludeSubdomains::Included, Some(1000000)
+ ).unwrap();
+ hsts_list.push(entry);
+ }
+
+ {
+ let mut cookie_jar = cookie_jar.write().unwrap();
+ let cookie_url = secured_url.clone();
+ let mut cookie_pair = CookiePair::new("mozillaIs".to_owned(), "theBest".to_owned());
+ cookie_pair.secure = true;
+
+ let cookie = Cookie::new_wrapped(
+ cookie_pair,
+ &cookie_url,
+ CookieSource::NonHTTP
+ ).unwrap();
+ cookie_jar.push(cookie, CookieSource::HTTP);
+ }
+
+ let mut load_data = LoadData::new(LoadContext::Browsing, url, None);
+ load_data.data = Some(<[_]>::to_vec("Yay!".as_bytes()));
+
+ let mut headers = Headers::new();
+ headers.set_raw("Cookie".to_owned(), vec![<[_]>::to_vec("mozillaIs=theBest".as_bytes())]);
+
+ let _ = load::(
+ load_data.clone(), hsts_list, cookie_jar, None,
+ &AssertMustIncludeHeadersRequestFactory {
+ expected_headers: headers,
+ body: <[_]>::to_vec(&*load_data.data.unwrap())
+ }, DEFAULT_USER_AGENT.to_owned(), &CancellationListener::new(None));
+}
+
 #[test]
 fn test_load_sends_cookie_if_nonhttp() {
 let url = url!("http://mozilla.com");
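Review bot: The new test pins only the positive half of the property: that a `secure` cookie is sent once HSTS has upgraded the request. Nothing in this hunk checks the other half, that the same cookie is withheld when the load stays on plain `http://`. Unless that case is already covered elsewhere in the file, a companion test with an empty `HSTSList` that asserts the `Cookie` header is absent would catch a regression in the direction that leaks the cookie. The result of `load` is also discarded with `let _ =`, so the only check is whatever `AssertMustIncludeHeadersRequestFactory` does when invoked; presumably a load that failed before reaching the factory would pass silently. Separately, the cookie is built with `CookieSource::NonHTTP` but pushed with `CookieSource::HTTP`; using one source for both, or adding a comment such as `// source differs on purpose: <reason>`, would remove the ambiguity.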