From 18d5cfa2693040fd7ee7996d60bbb6694339599a Mon Sep 17 00:00:00 2001
From: Jih-Chi Lee
Date: Sat, 16 Dec 2017 17:17:20 +0800
Subject: [PATCH] fix(Cookies): disallow setting cookies in 'about:blank' page (#1567)

This patch asserts that no cookies are set on `about:blank` and `data:` urls. References #1411
---
 lib/Page.js | 15 +++++++++++---
 test/test.js | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+), 3 deletions(-)

diff --git a/lib/Page.js b/lib/Page.js
index e2aa3290..ca7d37b9 100644
--- a/lib/Page.js
+++ b/lib/Page.js
@@ -255,11 +255,20 @@ class Page extends EventEmitter {
 * @param {Array} cookies
 */
 async setCookie(...cookies) {
+ const pageURL = this.url();
+ const startsWithHTTP = pageURL.startsWith('http');
 const items = cookies.map(cookie => {
 const item = Object.assign({}, cookie);
- const pageURL = this.url();
- if (!item.url && pageURL.startsWith('http'))
- item.url = this.url();
+ if (!item.url && startsWithHTTP)
+ item.url = pageURL;
+ console.assert(
+ item.url !== 'about:blank',
+ `Blank page can not have cookie "${item.name}"`
+ );
+ console.assert(
+ !String.prototype.startsWith.call(item.url || '', 'data:'),
+ `Data URL page can not have cookie "${item.name}"`
+ );
 return item;
 });
 await this.deleteCookie(...items);
diff --git a/test/test.js b/test/test.js
index 5f215de6..f495d888 100644
--- a/test/test.js
+++ b/test/test.js
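Review bot: The two new guards in `setCookie` (lib/Page.js hunk) rely on `console.assert` throwing, which it does only on Node.js releases before 10; on later releases and in browsers it logs the message and returns, so an item with `url: 'about:blank'` or a `data:` URL would still be handed to `deleteCookie` and whatever follows it. Explicit throws keep the rejection independent of the runtime, with the existing message strings kept: `if (item.url === 'about:blank') throw new Error(...)` and `if ((item.url || '').startsWith('data:')) throw new Error(...)`. Both comparisons are also exact and case-sensitive, so a value such as `about:blank#x` or `DATA:` would pass, and when the page itself is blank and no `url` is supplied `item.url` stays undefined, which leaves the rejection to the protocol error that the tests in this patch expect. The body of `setCookie` continues past the end of the hunk, so what happens after `deleteCookie` is not visible here.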
@@ -3126,6 +3126,61 @@ describe('Page', function() { expect(await page.evaluate('document.cookie')).toBe('cookie1=1; cookie3=3'); }); + it('should not set a cookie on a blank page', async function({page}) { + let error = null; + await page.goto('about:blank'); + try { + await page.setCookie({name: 'example-cookie', value: 'best'}); + } catch (e) { + error = e; + } + expect(error).toBeTruthy(); + expect(error.message).toEqual('Protocol error (Network.deleteCookies): At least one of the url and domain needs to be specified undefined'); + }); + + it('should not set a cookie with blank page URL', async function({page, server}) { + let error = null; + await page.goto(server.PREFIX + '/grid.html'); + try { + await page.setCookie( + {name: 'example-cookie', value: 'best'}, + {url: 'about:blank', name: 'example-cookie-blank', value: 'best'} + ); + } catch (e) { + error = e; + } + expect(error).toBeTruthy(); + expect(error.message).toEqual( + `Blank page can not have cookie "example-cookie-blank"` + ); + }); + + it('should not set a cookie on a data URL page', async function({page}) { + let error = null; + await page.goto('data:,Hello%2C%20World!'); + try { + await page.setCookie({name: 'example-cookie', value: 'best'}); + } catch (e) { + error = e; + } + expect(error).toBeTruthy(); + expect(error.message).toEqual( + 'Protocol error (Network.deleteCookies): At least one of the url and domain needs to be specified undefined' + ); + }); + + it('should not set a cookie with blank page URL', async function({page, server}) { + let error = null; + await page.goto(server.PREFIX + '/grid.html'); + try { + await page.setCookie({name: 'example-cookie', value: 'best'}, {url: 'about:blank', name: 'example-cookie-blank', value: 'best'}); + } catch (e) { + error = e; + } + expect(error).toBeTruthy(); + expect(error.message).toEqual(`Blank page can not have cookie "example-cookie-blank"`); + }); + it('should set a cookie on a different domain', async({page, server}) => { await 
page.goto(server.PREFIX + '/grid.html'); await page.setCookie({name: 'example-cookie', value: 'best', url: 'https://www.example.com'});