spec/cookie_spec: Add tests for tough cookies

Author: daurnimator

spec/cookie_spec.lua

@@ -170,6 +170,28 @@ describe("cookie module", function()
 		assert.same("", s:lookup("example.com", "/", true, false))
 		assert.same("foo=bar", s:lookup("example.com", "/", true, true))
 	end)
+	describe("tough cookies", function()
+		it("enforces __Secure- prefix", function()
+			local s = http_cookie.new_store()
+			assert.falsy(s:store("example.com", "/", true, false, nil, http_cookie.parse_setcookie("__Secure-foo=bar; Secure")))
+			assert.falsy(s:store("example.com", "/", true, false, nil, http_cookie.parse_setcookie("__Secure-foo=bar")))
+			assert.falsy(s:store("example.com", "/", true, true, nil, http_cookie.parse_setcookie("__Secure-foo=bar;")))
+			assert.truthy(s:store("example.com", "/", true, true, nil, http_cookie.parse_setcookie("__Secure-foo=bar; Secure")))
+		end)
+		it("enforces __Host- prefix", function()
+			local s = http_cookie.new_store()
+			-- Checks secure flag
+			assert.falsy(s:store("example.com", "/", true, false, nil, http_cookie.parse_setcookie("__Host-foo=bar; Secure")))
+			assert.falsy(s:store("example.com", "/", true, false, nil, http_cookie.parse_setcookie("__Host-foo=bar")))
+			assert.falsy(s:store("example.com", "/", true, true, nil, http_cookie.parse_setcookie("__Host-foo=bar;")))
+			-- Checks for host only flag
+			assert.falsy(s:store("sub.example.com", "/", true, true, nil, http_cookie.parse_setcookie("__Host-foo=bar; Secure; Domain=example.com")))
+			-- Checks that path is /
+			assert.falsy(s:store("example.com", "/", true, true, nil, http_cookie.parse_setcookie("__Host-foo=bar; Secure; Path=/path")))
+			-- Success case
+			assert.truthy(s:store("example.com", "/", true, true, nil, http_cookie.parse_setcookie("__Host-foo=bar; Secure")))
+		end)
+	end)
 	describe("cookie fixing mitigation", function()
 		it("ignores already existing path", function()
 			local s = http_cookie.new_store()