| 453 | } |
| 454 | |
// Test_CookieJar_SetRejectUnrelatedDomain checks that a cookie stored on
// behalf of one host cannot be scoped to an unrelated host through its Domain
// attribute. A cookie set from attacker.example with Domain=victim.example
// must not be returned for victim.example; otherwise any site could plant a
// session cookie for another site (cross-domain cookie injection, the usual
// precursor to session fixation).
func Test_CookieJar_SetRejectUnrelatedDomain(t *testing.T) {
	t.Parallel()

	// The cookie as a hostile response would present it: its Domain attribute
	// names a host unrelated to the one that is setting it.
	planted := &fasthttp.Cookie{}
	planted.SetKey("sess")
	planted.SetValue("evil")
	planted.SetDomain("victim.example")

	// URI of the host the cookie is being stored for.
	setterURI := fasthttp.AcquireURI()
	defer fasthttp.ReleaseURI(setterURI)
	err := setterURI.Parse(nil, []byte("http://attacker.example/"))
	require.NoError(t, err)

	store := &CookieJar{}
	store.Set(setterURI, planted)

	// URI of the host named in the cookie's Domain attribute.
	victimURI := fasthttp.AcquireURI()
	defer fasthttp.ReleaseURI(victimURI)
	err = victimURI.Parse(nil, []byte("http://victim.example/"))
	require.NoError(t, err)

	// Nothing stored on behalf of attacker.example may be visible to
	// victim.example.
	got := store.Get(victimURI)
	require.Empty(t, got)
}
| 475 | |
| 476 | func Test_CookieJar_RejectPublicSuffixResponseDomain(t *testing.T) { |
| 477 | t.Parallel() |