c95a802078
This implements a plain interpretation of RFC 6797, which says to only consider the first HSTS header. This slightly conflicts with RFC 7230, which says that sending multiple headers which can't be merged is illegal (except for a specific whitelist which HSTS isn't in), so this situation should never occur in the first place (and would therefore not need the explicit entry in RFC 6797). It improves HSTS robustness when dealing with non-compliant servers. Resolves #2070
#include "gtest/gtest.h"
#include "nsHttpHeaderArray.h"
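// Regression test for duplicate Strict-Transport-Security response headers:
// the value stored in nsHttpHeaderArray must stay that of the first header
// received, no matter what a later duplicate carries.
TEST(TestHeaders, DuplicateHSTS) {
  // When the Strict-Transport-Security header is sent multiple times, its
  // effective value is the value of the first item. It is not coalesced like
  // other headers are.
  //
  // Why it matters: the stored value is what the HSTS policy is later derived
  // from. A merged value such as "max-age=360, max-age=720" is not the policy
  // either header expressed, so a duplicate sent by a non-compliant server
  // must not change what the first header established.
  mozilla::net::nsHttpHeaderArray headers;

  // NOTE(review): the trailing `true` presumably marks this as a response
  // header; confirm against the declaration in nsHttpHeaderArray.h.
  nsresult rv = headers.SetHeaderFromNet(
      mozilla::net::nsHttp::Strict_Transport_Security,
      NS_LITERAL_CSTRING("max-age=360"), true);
  ASSERT_EQ(rv, NS_OK);

  nsAutoCString h;
  rv = headers.GetHeader(mozilla::net::nsHttp::Strict_Transport_Security, h);
  ASSERT_EQ(rv, NS_OK);
  // h.get() is a C string. ASSERT_EQ on two C strings compares the pointers,
  // not the text, so the check has to be ASSERT_STREQ to test the header
  // value itself.
  ASSERT_STREQ(h.get(), "max-age=360");

  // Second header with a different max-age: accepted without error, but it
  // must neither replace nor be appended to the stored value.
  rv = headers.SetHeaderFromNet(
      mozilla::net::nsHttp::Strict_Transport_Security,
      NS_LITERAL_CSTRING("max-age=720"), true);
  ASSERT_EQ(rv, NS_OK);

  rv = headers.GetHeader(mozilla::net::nsHttp::Strict_Transport_Security, h);
  ASSERT_EQ(rv, NS_OK);
  // Still the first value, compared by content (see above).
  ASSERT_STREQ(h.get(), "max-age=360");
}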