1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "base/auto_reset.h"
6#include "base/message_loop/message_loop.h"
7#include "base/prefs/pref_service.h"
8#include "chrome/browser/content_settings/cookie_settings.h"
9#include "chrome/common/pref_names.h"
10#include "chrome/test/base/testing_profile.h"
11#include "components/content_settings/core/common/content_settings_pattern.h"
12#include "content/public/test/test_browser_thread.h"
13#include "net/base/static_cookie_policy.h"
14#include "testing/gtest/include/gtest/gtest.h"
15#include "url/gurl.h"
16
17using content::BrowserThread;
18
19namespace {
20
// Fixture shared by every test in this file. It builds a CookieSettings
// instance on top of a TestingProfile and supplies the URLs and the pattern
// that the individual tests combine into (cookie URL, first-party URL) pairs.
class CookieSettingsTest : public testing::Test {
 public:
  CookieSettingsTest()
      : ui_thread_(BrowserThread::UI, &message_loop_),
        // Only the raw pointer obtained via .get() is retained here.
        // NOTE(review): the factory presumably returns a ref-counted handle
        // and the profile keeps the service alive -- confirm. |profile_| is
        // declared before |cookie_settings_|, so it is constructed first.
        cookie_settings_(
            CookieSettings::Factory::GetForProfile(&profile_).get()),
        kBlockedSite("http://ads.thirdparty.com"),
        kAllowedSite("http://good.allays.com"),
        kFirstPartySite("http://cool.things.com"),
        kBlockedFirstPartySite("http://no.thirdparties.com"),
        kExtensionURL("chrome-extension://deadbeef"),
        kHttpsSite("https://example.com"),
        kAllHttpsSitesPattern(
            ContentSettingsPattern::FromString("https://*")) {}

 protected:
  // Members are initialized in declaration order; the order below is relied
  // upon by the constructor's initializer list and must not be shuffled.
  base::MessageLoop message_loop_;
  content::TestBrowserThread ui_thread_;  // UI thread bound to the loop above.
  TestingProfile profile_;                // Source of prefs and the settings.
  CookieSettings* cookie_settings_;       // Not owned by the fixture.

  // HTTP origins used as cookie URLs and/or first-party URLs.
  const GURL kBlockedSite;
  const GURL kAllowedSite;
  const GURL kFirstPartySite;
  const GURL kBlockedFirstPartySite;

  // A URL in the extension scheme, used for the extension-specific checks.
  const GURL kExtensionURL;

  // An HTTPS origin plus a pattern covering every HTTPS site.
  const GURL kHttpsSite;
  ContentSettingsPattern kAllHttpsSitesPattern;
};
49
// A BLOCK rule for a single origin must deny cookie reads for that origin
// even when it is its own first party.
TEST_F(CookieSettingsTest, CookiesBlockSingle) {
  const ContentSettingsPattern blocked_origin =
      ContentSettingsPattern::FromURL(kBlockedSite);
  cookie_settings_->SetCookieSetting(blocked_origin,
                                     ContentSettingsPattern::Wildcard(),
                                     CONTENT_SETTING_BLOCK);

  EXPECT_FALSE(
      cookie_settings_->IsReadingCookieAllowed(kBlockedSite, kBlockedSite));
}
58
// With the third-party blocking pref enabled and no exceptions configured,
// a cross-site cookie URL may neither read nor set cookies.
TEST_F(CookieSettingsTest, CookiesBlockThirdParty) {
  PrefService* const pref_service = profile_.GetPrefs();
  pref_service->SetBoolean(prefs::kBlockThirdPartyCookies, true);

  EXPECT_FALSE(
      cookie_settings_->IsReadingCookieAllowed(kBlockedSite, kFirstPartySite));
  // The pref only blocks the third-party case; it does not make the origin's
  // own cookies session-only.
  EXPECT_FALSE(cookie_settings_->IsCookieSessionOnly(kBlockedSite));
  EXPECT_FALSE(
      cookie_settings_->IsSettingCookieAllowed(kBlockedSite, kFirstPartySite));
}
67
// Baseline: with no rule and no pref set, a cross-site cookie URL may read
// and set cookies, and its cookies are not session-only.
TEST_F(CookieSettingsTest, CookiesAllowThirdParty) {
  EXPECT_TRUE(
      cookie_settings_->IsReadingCookieAllowed(kBlockedSite, kFirstPartySite));
  EXPECT_TRUE(
      cookie_settings_->IsSettingCookieAllowed(kBlockedSite, kFirstPartySite));
  EXPECT_FALSE(cookie_settings_->IsCookieSessionOnly(kBlockedSite));
}
75
// An explicit BLOCK rule for one origin applies when that origin is embedded
// as a third party, and must not spill over to an unrelated origin.
TEST_F(CookieSettingsTest, CookiesExplicitBlockSingleThirdParty) {
  const ContentSettingsPattern blocked_origin =
      ContentSettingsPattern::FromURL(kBlockedSite);
  cookie_settings_->SetCookieSetting(blocked_origin,
                                     ContentSettingsPattern::Wildcard(),
                                     CONTENT_SETTING_BLOCK);

  // The blocked origin is denied under a different first party.
  EXPECT_FALSE(
      cookie_settings_->IsReadingCookieAllowed(kBlockedSite, kFirstPartySite));
  EXPECT_FALSE(
      cookie_settings_->IsSettingCookieAllowed(kBlockedSite, kFirstPartySite));

  // An origin without a rule is unaffected.
  EXPECT_TRUE(
      cookie_settings_->IsSettingCookieAllowed(kAllowedSite, kFirstPartySite));
}
88
// A SESSION_ONLY rule permits reads and writes while marking the origin's
// cookies as session-only, and, being an explicit exception, it still holds
// once third-party cookie blocking is switched on.
TEST_F(CookieSettingsTest, CookiesExplicitSessionOnly) {
  const ContentSettingsPattern session_only_origin =
      ContentSettingsPattern::FromURL(kBlockedSite);
  cookie_settings_->SetCookieSetting(session_only_origin,
                                     ContentSettingsPattern::Wildcard(),
                                     CONTENT_SETTING_SESSION_ONLY);

  // Third-party blocking pref not set.
  EXPECT_TRUE(
      cookie_settings_->IsReadingCookieAllowed(kBlockedSite, kFirstPartySite));
  EXPECT_TRUE(
      cookie_settings_->IsSettingCookieAllowed(kBlockedSite, kFirstPartySite));
  EXPECT_TRUE(cookie_settings_->IsCookieSessionOnly(kBlockedSite));

  // Third-party blocking pref set: the same three answers are expected.
  PrefService* const pref_service = profile_.GetPrefs();
  pref_service->SetBoolean(prefs::kBlockThirdPartyCookies, true);
  EXPECT_TRUE(
      cookie_settings_->IsReadingCookieAllowed(kBlockedSite, kFirstPartySite));
  EXPECT_TRUE(
      cookie_settings_->IsSettingCookieAllowed(kBlockedSite, kFirstPartySite));
  EXPECT_TRUE(cookie_settings_->IsCookieSessionOnly(kBlockedSite));
}
107
// An explicit ALLOW rule for an origin takes precedence over the global
// third-party blocking pref.
TEST_F(CookieSettingsTest, CookiesThirdPartyBlockedExplicitAllow) {
  const ContentSettingsPattern allowed_origin =
      ContentSettingsPattern::FromURL(kAllowedSite);
  cookie_settings_->SetCookieSetting(allowed_origin,
                                     ContentSettingsPattern::Wildcard(),
                                     CONTENT_SETTING_ALLOW);
  PrefService* const pref_service = profile_.GetPrefs();
  pref_service->SetBoolean(prefs::kBlockThirdPartyCookies, true);

  // The allow-listed origin works as a third party and is not session-only.
  EXPECT_TRUE(
      cookie_settings_->IsReadingCookieAllowed(kAllowedSite, kFirstPartySite));
  EXPECT_TRUE(
      cookie_settings_->IsSettingCookieAllowed(kAllowedSite, kFirstPartySite));
  EXPECT_FALSE(cookie_settings_->IsCookieSessionOnly(kAllowedSite));

  // Extensions should always be allowed to use cookies: the same cookie URL
  // is queried with an extension URL as the first party.
  EXPECT_TRUE(
      cookie_settings_->IsReadingCookieAllowed(kAllowedSite, kExtensionURL));
  EXPECT_TRUE(
      cookie_settings_->IsSettingCookieAllowed(kAllowedSite, kExtensionURL));
}
126
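// Combines a per-origin ALLOW rule, an ALLOW rule for every HTTPS site, a
// SESSION_ONLY default and the third-party blocking pref, then checks which
// layer decides the outcome for each (cookie URL, first-party URL) pair.
TEST_F(CookieSettingsTest, CookiesThirdPartyBlockedAllSitesAllowed) {
  cookie_settings_->SetCookieSetting(
      ContentSettingsPattern::FromURL(kAllowedSite),
      ContentSettingsPattern::Wildcard(),
      CONTENT_SETTING_ALLOW);
  profile_.GetPrefs()->SetBoolean(prefs::kBlockThirdPartyCookies, true);
  // As an example for a pattern that matches all hosts but not all origins,
  // match all HTTPS sites.
  cookie_settings_->SetCookieSetting(
      kAllHttpsSitesPattern,
      ContentSettingsPattern::Wildcard(),
      CONTENT_SETTING_ALLOW);
  cookie_settings_->SetDefaultCookieSetting(CONTENT_SETTING_SESSION_ONLY);

  // |kAllowedSite| should be allowed, even as a third party, because it has
  // an explicit host-specific exception.
  EXPECT_TRUE(cookie_settings_->IsReadingCookieAllowed(
      kAllowedSite, kBlockedSite));
  EXPECT_TRUE(cookie_settings_->IsSettingCookieAllowed(
      kAllowedSite, kBlockedSite));
  EXPECT_FALSE(cookie_settings_->IsCookieSessionOnly(kAllowedSite));

  // HTTPS sites should be allowed in a first-party context.
  EXPECT_TRUE(cookie_settings_->IsReadingCookieAllowed(
      kHttpsSite, kHttpsSite));
  EXPECT_TRUE(cookie_settings_->IsSettingCookieAllowed(
      kHttpsSite, kHttpsSite));
  // Query |kHttpsSite| here. This line previously repeated the |kAllowedSite|
  // check from the section above, so the HTTPS ALLOW rule was never verified
  // to override the SESSION_ONLY default.
  EXPECT_FALSE(cookie_settings_->IsCookieSessionOnly(kHttpsSite));

  // HTTP sites should be allowed, but session-only.
  EXPECT_TRUE(cookie_settings_->IsReadingCookieAllowed(
      kFirstPartySite, kFirstPartySite));
  EXPECT_TRUE(cookie_settings_->IsSettingCookieAllowed(
      kFirstPartySite, kFirstPartySite));
  EXPECT_TRUE(cookie_settings_->IsCookieSessionOnly(kFirstPartySite));

  // Third-party cookies should be blocked. This includes an HTTPS cookie URL:
  // the all-HTTPS pattern is not treated as a per-site exception to
  // third-party blocking.
  EXPECT_FALSE(cookie_settings_->IsReadingCookieAllowed(
      kFirstPartySite, kBlockedSite));
  EXPECT_FALSE(cookie_settings_->IsSettingCookieAllowed(
      kFirstPartySite, kBlockedSite));
  EXPECT_FALSE(cookie_settings_->IsReadingCookieAllowed(
      kHttpsSite, kBlockedSite));
  EXPECT_FALSE(cookie_settings_->IsSettingCookieAllowed(
      kHttpsSite, kBlockedSite));
}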
172
// A BLOCK default denies cookies in first-party and third-party contexts
// alike when no exception exists.
TEST_F(CookieSettingsTest, CookiesBlockEverything) {
  cookie_settings_->SetDefaultCookieSetting(CONTENT_SETTING_BLOCK);

  // First-party context.
  EXPECT_FALSE(cookie_settings_->IsReadingCookieAllowed(kFirstPartySite,
                                                        kFirstPartySite));
  EXPECT_FALSE(cookie_settings_->IsSettingCookieAllowed(kFirstPartySite,
                                                        kFirstPartySite));

  // Third-party context.
  EXPECT_FALSE(
      cookie_settings_->IsSettingCookieAllowed(kAllowedSite, kFirstPartySite));
}
183
// Under a BLOCK default, a single ALLOW exception opens up exactly that
// origin (as first or third party) and nothing else.
TEST_F(CookieSettingsTest, CookiesBlockEverythingExceptAllowed) {
  cookie_settings_->SetDefaultCookieSetting(CONTENT_SETTING_BLOCK);
  const ContentSettingsPattern allowed_origin =
      ContentSettingsPattern::FromURL(kAllowedSite);
  cookie_settings_->SetCookieSetting(allowed_origin,
                                     ContentSettingsPattern::Wildcard(),
                                     CONTENT_SETTING_ALLOW);

  // An origin without an exception stays blocked.
  EXPECT_FALSE(cookie_settings_->IsReadingCookieAllowed(kFirstPartySite,
                                                        kFirstPartySite));
  EXPECT_FALSE(cookie_settings_->IsSettingCookieAllowed(kFirstPartySite,
                                                        kFirstPartySite));

  // The excepted origin is allowed when embedded under another site...
  EXPECT_TRUE(
      cookie_settings_->IsReadingCookieAllowed(kAllowedSite, kFirstPartySite));
  EXPECT_TRUE(
      cookie_settings_->IsSettingCookieAllowed(kAllowedSite, kFirstPartySite));

  // ...and when it is its own first party, without being session-only.
  EXPECT_TRUE(
      cookie_settings_->IsReadingCookieAllowed(kAllowedSite, kAllowedSite));
  EXPECT_TRUE(
      cookie_settings_->IsSettingCookieAllowed(kAllowedSite, kAllowedSite));
  EXPECT_FALSE(cookie_settings_->IsCookieSessionOnly(kAllowedSite));
}
204
// Rules keyed on both the cookie origin and the embedding first party:
// |kAllowedSite| is allowed under |kFirstPartySite| and blocked under
// |kBlockedFirstPartySite|. Both rules must survive a change of the default,
// and removing the ALLOW rule must fall back to that default.
TEST_F(CookieSettingsTest, CookiesBlockSingleFirstParty) {
  const ContentSettingsPattern cookie_origin =
      ContentSettingsPattern::FromURL(kAllowedSite);
  const ContentSettingsPattern permitted_embedder =
      ContentSettingsPattern::FromURL(kFirstPartySite);
  const ContentSettingsPattern denied_embedder =
      ContentSettingsPattern::FromURL(kBlockedFirstPartySite);

  cookie_settings_->SetCookieSetting(cookie_origin, permitted_embedder,
                                     CONTENT_SETTING_ALLOW);
  cookie_settings_->SetCookieSetting(cookie_origin, denied_embedder,
                                     CONTENT_SETTING_BLOCK);

  // Phase 1: default setting untouched.
  EXPECT_TRUE(
      cookie_settings_->IsReadingCookieAllowed(kAllowedSite, kFirstPartySite));
  EXPECT_TRUE(
      cookie_settings_->IsSettingCookieAllowed(kAllowedSite, kFirstPartySite));
  EXPECT_FALSE(cookie_settings_->IsCookieSessionOnly(kAllowedSite));

  EXPECT_FALSE(cookie_settings_->IsReadingCookieAllowed(
      kAllowedSite, kBlockedFirstPartySite));
  EXPECT_FALSE(cookie_settings_->IsSettingCookieAllowed(
      kAllowedSite, kBlockedFirstPartySite));

  // Phase 2: default switched to BLOCK; the pair-specific rules still decide.
  cookie_settings_->SetDefaultCookieSetting(CONTENT_SETTING_BLOCK);

  EXPECT_TRUE(
      cookie_settings_->IsReadingCookieAllowed(kAllowedSite, kFirstPartySite));
  EXPECT_TRUE(
      cookie_settings_->IsSettingCookieAllowed(kAllowedSite, kFirstPartySite));
  EXPECT_FALSE(cookie_settings_->IsCookieSessionOnly(kAllowedSite));

  EXPECT_FALSE(cookie_settings_->IsReadingCookieAllowed(
      kAllowedSite, kBlockedFirstPartySite));
  EXPECT_FALSE(cookie_settings_->IsSettingCookieAllowed(
      kAllowedSite, kBlockedFirstPartySite));

  // Phase 3: the ALLOW rule is removed, so the BLOCK default now applies to
  // the previously permitted pair.
  cookie_settings_->ResetCookieSetting(cookie_origin, permitted_embedder);

  EXPECT_FALSE(
      cookie_settings_->IsReadingCookieAllowed(kAllowedSite, kFirstPartySite));
  EXPECT_FALSE(
      cookie_settings_->IsSettingCookieAllowed(kAllowedSite, kFirstPartySite));
}
248
// An extension first party does not bypass an explicit per-site BLOCK rule.
TEST_F(CookieSettingsTest, ExtensionsRegularSettings) {
  const ContentSettingsPattern blocked_origin =
      ContentSettingsPattern::FromURL(kBlockedSite);
  cookie_settings_->SetCookieSetting(blocked_origin,
                                     ContentSettingsPattern::Wildcard(),
                                     CONTENT_SETTING_BLOCK);

  // Regular cookie settings also apply to extensions.
  EXPECT_FALSE(
      cookie_settings_->IsReadingCookieAllowed(kBlockedSite, kExtensionURL));
}
259
// Checks how an extension URL acting as both cookie URL and first party is
// treated under a BLOCK default. The expectation depends on whether the build
// defines ENABLE_EXTENSIONS.
TEST_F(CookieSettingsTest, ExtensionsOwnCookies) {
  cookie_settings_->SetDefaultCookieSetting(CONTENT_SETTING_BLOCK);

#if defined(ENABLE_EXTENSIONS)
  // Extensions can always use cookies (and site data) in their own origin.
  EXPECT_TRUE(
      cookie_settings_->IsReadingCookieAllowed(kExtensionURL, kExtensionURL));
#else
  // Except if extensions are disabled. Then the extension-specific checks do
  // not exist and the default setting is to block.
  EXPECT_FALSE(
      cookie_settings_->IsReadingCookieAllowed(kExtensionURL, kExtensionURL));
#endif
}
274
// Third-party cookie blocking does not apply when the first party is an
// extension URL. Only the cookie-setting path is asserted here.
TEST_F(CookieSettingsTest, ExtensionsThirdParty) {
  PrefService* const pref_service = profile_.GetPrefs();
  pref_service->SetBoolean(prefs::kBlockThirdPartyCookies, true);

  // XHRs stemming from extensions are exempt from third-party cookie blocking
  // rules (as the first party is always the extension's security origin).
  EXPECT_TRUE(
      cookie_settings_->IsSettingCookieAllowed(kBlockedSite, kExtensionURL));
}
283
284}  // namespace