317 lines
12 KiB
JavaScript
Executable file
317 lines
12 KiB
JavaScript
Executable file
'use strict'
|
|
|
|
const { maxNameValuePairSize, maxAttributeValueSize } = require('./constants')
|
|
const { isCTLExcludingHtab } = require('./util')
|
|
const { collectASequenceOfCodePointsFast } = require('../fetch/dataURL')
|
|
const assert = require('assert')
|
|
|
|
/**
|
|
* @description Parses the field-value attributes of a set-cookie header string.
|
|
* @see https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4
|
|
* @param {string} header
|
|
* @returns if the header is invalid, null will be returned
|
|
*/
|
|
function parseSetCookie (header) {
|
|
// 1. If the set-cookie-string contains a %x00-08 / %x0A-1F / %x7F
|
|
// character (CTL characters excluding HTAB): Abort these steps and
|
|
// ignore the set-cookie-string entirely.
|
|
if (isCTLExcludingHtab(header)) {
|
|
return null
|
|
}
|
|
|
|
let nameValuePair = ''
|
|
let unparsedAttributes = ''
|
|
let name = ''
|
|
let value = ''
|
|
|
|
// 2. If the set-cookie-string contains a %x3B (";") character:
|
|
if (header.includes(';')) {
|
|
// 1. The name-value-pair string consists of the characters up to,
|
|
// but not including, the first %x3B (";"), and the unparsed-
|
|
// attributes consist of the remainder of the set-cookie-string
|
|
// (including the %x3B (";") in question).
|
|
const position = { position: 0 }
|
|
|
|
nameValuePair = collectASequenceOfCodePointsFast(';', header, position)
|
|
unparsedAttributes = header.slice(position.position)
|
|
} else {
|
|
// Otherwise:
|
|
|
|
// 1. The name-value-pair string consists of all the characters
|
|
// contained in the set-cookie-string, and the unparsed-
|
|
// attributes is the empty string.
|
|
nameValuePair = header
|
|
}
|
|
|
|
// 3. If the name-value-pair string lacks a %x3D ("=") character, then
|
|
// the name string is empty, and the value string is the value of
|
|
// name-value-pair.
|
|
if (!nameValuePair.includes('=')) {
|
|
value = nameValuePair
|
|
} else {
|
|
// Otherwise, the name string consists of the characters up to, but
|
|
// not including, the first %x3D ("=") character, and the (possibly
|
|
// empty) value string consists of the characters after the first
|
|
// %x3D ("=") character.
|
|
const position = { position: 0 }
|
|
name = collectASequenceOfCodePointsFast(
|
|
'=',
|
|
nameValuePair,
|
|
position
|
|
)
|
|
value = nameValuePair.slice(position.position + 1)
|
|
}
|
|
|
|
// 4. Remove any leading or trailing WSP characters from the name
|
|
// string and the value string.
|
|
name = name.trim()
|
|
value = value.trim()
|
|
|
|
// 5. If the sum of the lengths of the name string and the value string
|
|
// is more than 4096 octets, abort these steps and ignore the set-
|
|
// cookie-string entirely.
|
|
if (name.length + value.length > maxNameValuePairSize) {
|
|
return null
|
|
}
|
|
|
|
// 6. The cookie-name is the name string, and the cookie-value is the
|
|
// value string.
|
|
return {
|
|
name, value, ...parseUnparsedAttributes(unparsedAttributes)
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Parses the remaining attributes of a set-cookie header
|
|
* @see https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4
|
|
* @param {string} unparsedAttributes
|
|
* @param {[Object.<string, unknown>]={}} cookieAttributeList
|
|
*/
|
|
function parseUnparsedAttributes (unparsedAttributes, cookieAttributeList = {}) {
|
|
// 1. If the unparsed-attributes string is empty, skip the rest of
|
|
// these steps.
|
|
if (unparsedAttributes.length === 0) {
|
|
return cookieAttributeList
|
|
}
|
|
|
|
// 2. Discard the first character of the unparsed-attributes (which
|
|
// will be a %x3B (";") character).
|
|
assert(unparsedAttributes[0] === ';')
|
|
unparsedAttributes = unparsedAttributes.slice(1)
|
|
|
|
let cookieAv = ''
|
|
|
|
// 3. If the remaining unparsed-attributes contains a %x3B (";")
|
|
// character:
|
|
if (unparsedAttributes.includes(';')) {
|
|
// 1. Consume the characters of the unparsed-attributes up to, but
|
|
// not including, the first %x3B (";") character.
|
|
cookieAv = collectASequenceOfCodePointsFast(
|
|
';',
|
|
unparsedAttributes,
|
|
{ position: 0 }
|
|
)
|
|
unparsedAttributes = unparsedAttributes.slice(cookieAv.length)
|
|
} else {
|
|
// Otherwise:
|
|
|
|
// 1. Consume the remainder of the unparsed-attributes.
|
|
cookieAv = unparsedAttributes
|
|
unparsedAttributes = ''
|
|
}
|
|
|
|
// Let the cookie-av string be the characters consumed in this step.
|
|
|
|
let attributeName = ''
|
|
let attributeValue = ''
|
|
|
|
// 4. If the cookie-av string contains a %x3D ("=") character:
|
|
if (cookieAv.includes('=')) {
|
|
// 1. The (possibly empty) attribute-name string consists of the
|
|
// characters up to, but not including, the first %x3D ("=")
|
|
// character, and the (possibly empty) attribute-value string
|
|
// consists of the characters after the first %x3D ("=")
|
|
// character.
|
|
const position = { position: 0 }
|
|
|
|
attributeName = collectASequenceOfCodePointsFast(
|
|
'=',
|
|
cookieAv,
|
|
position
|
|
)
|
|
attributeValue = cookieAv.slice(position.position + 1)
|
|
} else {
|
|
// Otherwise:
|
|
|
|
// 1. The attribute-name string consists of the entire cookie-av
|
|
// string, and the attribute-value string is empty.
|
|
attributeName = cookieAv
|
|
}
|
|
|
|
// 5. Remove any leading or trailing WSP characters from the attribute-
|
|
// name string and the attribute-value string.
|
|
attributeName = attributeName.trim()
|
|
attributeValue = attributeValue.trim()
|
|
|
|
// 6. If the attribute-value is longer than 1024 octets, ignore the
|
|
// cookie-av string and return to Step 1 of this algorithm.
|
|
if (attributeValue.length > maxAttributeValueSize) {
|
|
return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList)
|
|
}
|
|
|
|
// 7. Process the attribute-name and attribute-value according to the
|
|
// requirements in the following subsections. (Notice that
|
|
// attributes with unrecognized attribute-names are ignored.)
|
|
const attributeNameLowercase = attributeName.toLowerCase()
|
|
|
|
// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.1
|
|
// If the attribute-name case-insensitively matches the string
|
|
// "Expires", the user agent MUST process the cookie-av as follows.
|
|
if (attributeNameLowercase === 'expires') {
|
|
// 1. Let the expiry-time be the result of parsing the attribute-value
|
|
// as cookie-date (see Section 5.1.1).
|
|
const expiryTime = new Date(attributeValue)
|
|
|
|
// 2. If the attribute-value failed to parse as a cookie date, ignore
|
|
// the cookie-av.
|
|
|
|
cookieAttributeList.expires = expiryTime
|
|
} else if (attributeNameLowercase === 'max-age') {
|
|
// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.2
|
|
// If the attribute-name case-insensitively matches the string "Max-
|
|
// Age", the user agent MUST process the cookie-av as follows.
|
|
|
|
// 1. If the first character of the attribute-value is not a DIGIT or a
|
|
// "-" character, ignore the cookie-av.
|
|
const charCode = attributeValue.charCodeAt(0)
|
|
|
|
if ((charCode < 48 || charCode > 57) && attributeValue[0] !== '-') {
|
|
return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList)
|
|
}
|
|
|
|
// 2. If the remainder of attribute-value contains a non-DIGIT
|
|
// character, ignore the cookie-av.
|
|
if (!/^\d+$/.test(attributeValue)) {
|
|
return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList)
|
|
}
|
|
|
|
// 3. Let delta-seconds be the attribute-value converted to an integer.
|
|
const deltaSeconds = Number(attributeValue)
|
|
|
|
// 4. Let cookie-age-limit be the maximum age of the cookie (which
|
|
// SHOULD be 400 days or less, see Section 4.1.2.2).
|
|
|
|
// 5. Set delta-seconds to the smaller of its present value and cookie-
|
|
// age-limit.
|
|
// deltaSeconds = Math.min(deltaSeconds * 1000, maxExpiresMs)
|
|
|
|
// 6. If delta-seconds is less than or equal to zero (0), let expiry-
|
|
// time be the earliest representable date and time. Otherwise, let
|
|
// the expiry-time be the current date and time plus delta-seconds
|
|
// seconds.
|
|
// const expiryTime = deltaSeconds <= 0 ? Date.now() : Date.now() + deltaSeconds
|
|
|
|
// 7. Append an attribute to the cookie-attribute-list with an
|
|
// attribute-name of Max-Age and an attribute-value of expiry-time.
|
|
cookieAttributeList.maxAge = deltaSeconds
|
|
} else if (attributeNameLowercase === 'domain') {
|
|
// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.3
|
|
// If the attribute-name case-insensitively matches the string "Domain",
|
|
// the user agent MUST process the cookie-av as follows.
|
|
|
|
// 1. Let cookie-domain be the attribute-value.
|
|
let cookieDomain = attributeValue
|
|
|
|
// 2. If cookie-domain starts with %x2E ("."), let cookie-domain be
|
|
// cookie-domain without its leading %x2E (".").
|
|
if (cookieDomain[0] === '.') {
|
|
cookieDomain = cookieDomain.slice(1)
|
|
}
|
|
|
|
// 3. Convert the cookie-domain to lower case.
|
|
cookieDomain = cookieDomain.toLowerCase()
|
|
|
|
// 4. Append an attribute to the cookie-attribute-list with an
|
|
// attribute-name of Domain and an attribute-value of cookie-domain.
|
|
cookieAttributeList.domain = cookieDomain
|
|
} else if (attributeNameLowercase === 'path') {
|
|
// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.4
|
|
// If the attribute-name case-insensitively matches the string "Path",
|
|
// the user agent MUST process the cookie-av as follows.
|
|
|
|
// 1. If the attribute-value is empty or if the first character of the
|
|
// attribute-value is not %x2F ("/"):
|
|
let cookiePath = ''
|
|
if (attributeValue.length === 0 || attributeValue[0] !== '/') {
|
|
// 1. Let cookie-path be the default-path.
|
|
cookiePath = '/'
|
|
} else {
|
|
// Otherwise:
|
|
|
|
// 1. Let cookie-path be the attribute-value.
|
|
cookiePath = attributeValue
|
|
}
|
|
|
|
// 2. Append an attribute to the cookie-attribute-list with an
|
|
// attribute-name of Path and an attribute-value of cookie-path.
|
|
cookieAttributeList.path = cookiePath
|
|
} else if (attributeNameLowercase === 'secure') {
|
|
// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.5
|
|
// If the attribute-name case-insensitively matches the string "Secure",
|
|
// the user agent MUST append an attribute to the cookie-attribute-list
|
|
// with an attribute-name of Secure and an empty attribute-value.
|
|
|
|
cookieAttributeList.secure = true
|
|
} else if (attributeNameLowercase === 'httponly') {
|
|
// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.6
|
|
// If the attribute-name case-insensitively matches the string
|
|
// "HttpOnly", the user agent MUST append an attribute to the cookie-
|
|
// attribute-list with an attribute-name of HttpOnly and an empty
|
|
// attribute-value.
|
|
|
|
cookieAttributeList.httpOnly = true
|
|
} else if (attributeNameLowercase === 'samesite') {
|
|
// https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.7
|
|
// If the attribute-name case-insensitively matches the string
|
|
// "SameSite", the user agent MUST process the cookie-av as follows:
|
|
|
|
// 1. Let enforcement be "Default".
|
|
let enforcement = 'Default'
|
|
|
|
const attributeValueLowercase = attributeValue.toLowerCase()
|
|
// 2. If cookie-av's attribute-value is a case-insensitive match for
|
|
// "None", set enforcement to "None".
|
|
if (attributeValueLowercase.includes('none')) {
|
|
enforcement = 'None'
|
|
}
|
|
|
|
// 3. If cookie-av's attribute-value is a case-insensitive match for
|
|
// "Strict", set enforcement to "Strict".
|
|
if (attributeValueLowercase.includes('strict')) {
|
|
enforcement = 'Strict'
|
|
}
|
|
|
|
// 4. If cookie-av's attribute-value is a case-insensitive match for
|
|
// "Lax", set enforcement to "Lax".
|
|
if (attributeValueLowercase.includes('lax')) {
|
|
enforcement = 'Lax'
|
|
}
|
|
|
|
// 5. Append an attribute to the cookie-attribute-list with an
|
|
// attribute-name of "SameSite" and an attribute-value of
|
|
// enforcement.
|
|
cookieAttributeList.sameSite = enforcement
|
|
} else {
|
|
cookieAttributeList.unparsed ??= []
|
|
|
|
cookieAttributeList.unparsed.push(`${attributeName}=${attributeValue}`)
|
|
}
|
|
|
|
// 8. Return to Step 1 of this algorithm.
|
|
return parseUnparsedAttributes(unparsedAttributes, cookieAttributeList)
|
|
}
|
|
|
|
module.exports = {
|
|
parseSetCookie,
|
|
parseUnparsedAttributes
|
|
}
|