AG-35484 Fix 'trusted-set-cookie' — cannot set cookie if name has '__…

…Secure-' prefix. #448 Squashed commit of the following: commit 9953375 Author: Adam Wróblewski <adam@adguard.com> Date: Thu Sep 5 17:44:07 2024 +0200 Add a test for case with specified "domain" Log a message if "domainValue" is specified and cookie name has "__Host-" prefix commit 563a36f Author: Slava Leleka <v.leleka@adguard.com> Date: Thu Sep 5 18:16:38 2024 +0300 CHANGELOG.md edited online with Bitbucket commit 1b151e5 Author: Adam Wróblewski <adam@adguard.com> Date: Thu Sep 5 16:21:45 2024 +0200 Add tests to cookie utils Get rid of else statement commit f19ad00 Author: Adam Wróblewski <adam@adguard.com> Date: Thu Sep 5 15:23:16 2024 +0200 Fix 'trusted-set-cookie' — cannot set cookie if name has '__Secure-' or '__Host-' prefix
AdguardTeam · Sep 10, 2024 · b50bfa1 · b50bfa1
1 parent 673d484
commit b50bfa1
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,16 @@ The format is based on [Keep a Changelog], and this project adheres to [Semantic
 <!-- TODO: change `@added unknown` tag due to the actual version -->
 <!--       during new scriptlets or redirects releasing -->
 
+## [Unreleased]
+
+### Fixed
+
+- setting cookie which name has special prefix `__Host-` or `__Secure-` by
+  `trusted-set-cookie` and `trusted-set-cookie-reload` scriptlets [#448]
+
+[Unreleased]: https://github.com/AdguardTeam/Scriptlets/compare/v1.11.27...HEAD
+[#448]: https://github.com/AdguardTeam/Scriptlets/issues/448
+
 ## [v1.11.27] - 2024-08-29
 
 ### Added

diff --git a/src/helpers/cookie-utils.ts b/src/helpers/cookie-utils.ts
@@ -42,6 +42,8 @@ export const serializeCookie = (
     domainValue = '',
     shouldEncodeValue = true,
 ) => {
+    const HOST_PREFIX = '__Host-';
+    const SECURE_PREFIX = '__Secure-';
     const COOKIE_BREAKER = ';';
 
     // semicolon will cause the cookie to break
@@ -54,11 +56,30 @@ export const serializeCookie = (
 
     let resultCookie = `${name}=${value}`;
 
+    if (name.startsWith(HOST_PREFIX)) {
+        // Cookie with "__Host-" prefix requires "secure" flag, path must be "/",
+        // and must not have a domain specified
+        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes
+        // https://github.com/AdguardTeam/Scriptlets/issues/448
+        resultCookie += '; path=/; secure';
+        if (domainValue) {
+            // eslint-disable-next-line no-console
+            console.debug(
+                `Domain value: "${domainValue}" has been ignored, because is not allowed for __Host- prefixed cookies`,
+            );
+        }
+        return resultCookie;
+    }
     const path = getCookiePath(rawPath);
     if (path) {
         resultCookie += `; ${path}`;
     }
 
+    if (name.startsWith(SECURE_PREFIX)) {
+        // Cookie with "__Secure-" prefix requires "secure" flag
+        resultCookie += '; secure';
+    }
+
     if (domainValue) {
         resultCookie += `; domain=${domainValue}`;
     }

diff --git a/tests/helpers/cookie-utils.spec.js b/tests/helpers/cookie-utils.spec.js
@@ -42,6 +42,18 @@ describe('serializeCookie', () => {
                 actual: ['test', '1', '', 'example.com'],
                 expected: 'test=1; domain=example.com',
             },
+            {
+                actual: ['__Host-prefix', 'host_prefix', ''],
+                expected: '__Host-prefix=host_prefix; path=/; secure',
+            },
+            {
+                actual: ['__Host-prefix_domain', 'host_prefix_domain', '', 'example.com'],
+                expected: '__Host-prefix_domain=host_prefix_domain; path=/; secure',
+            },
+            {
+                actual: ['__Secure-prefix', 'secure_prefix', ''],
+                expected: '__Secure-prefix=secure_prefix; secure',
+            },
         ])('$actual -> $expected', ({ actual, expected }) => {
             expect(serializeCookie(...actual)).toBe(expected);
         });