MC-36809: Secure flag is not set for frontend cookies on https

bubasuma · bubasuma · commit d04e4d505ace · 2020-08-20T16:43:34.000-05:00
- Fix secure cookie JS config is missing on frontend
diff --git a/app/code/Magento/Cookie/Test/Mftf/Test/StorefrontVerifySecureCookieTest.xml b/app/code/Magento/Cookie/Test/Mftf/Test/StorefrontVerifySecureCookieTest.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<tests xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/testSchema.xsd">
+    <test name="StorefrontVerifySecureCookieTest">
+        <annotations>
+            <features value="Cookie"/>
+            <stories value="Storefront Secure Cookie"/>
+            <title value="Verify Storefront Cookie Secure Config over https"/>
+            <description value="Verify that cookie are secure on storefront over https"/>
+            <severity value="MAJOR"/>
+            <testCaseId value="MC-36900"/>
+            <useCaseId value="MC-36809"/>
+            <group value="cookie"/>
+            <group value="configuration"/>
+            <group value="secure_storefront_url"/>
+        </annotations>
+        <before>
+            <amOnPage url="/" stepKey="goToHomePage"/>
+            <executeJS function="return window.location.host" stepKey="hostname"/>
+            <magentoCLI command="config:set web/unsecure/base_url https://{$hostname}/" stepKey="setUnsecureBaseURL"/>
+            <magentoCLI command="config:set web/secure/base_url https://{$hostname}/" stepKey="setSecureBaseURL"/>
+            <magentoCLI command="config:set web/secure/use_in_frontend 1" stepKey="useSecureURLsOnStorefront"/>
+            <actionGroup ref="CliCacheFlushActionGroup" stepKey="flushCache">
+                <argument name="tags" value=""/>
+            </actionGroup>
+        </before>
+        <after>
+            <amOnPage url="/" stepKey="goToHomePage"/>
+            <executeJS function="return window.location.host" stepKey="hostname"/>
+            <magentoCLI command="config:set web/unsecure/base_url http://{$hostname}/" stepKey="setUnsecureBaseURL"/>
+            <magentoCLI command="config:set web/secure/base_url http://{$hostname}/" stepKey="setSecureBaseURL"/>
+            <magentoCLI command="config:set web/secure/use_in_frontend 0" stepKey="useSecureURLsOnStorefront"/>
+            <actionGroup ref="CliCacheFlushActionGroup" stepKey="flushCache">
+                <argument name="tags" value=""/>
+            </actionGroup>
+        </after>
+        <amOnPage url="/" stepKey="goToHomePage"/>
+        <executeJS function="return window.cookiesConfig.secure ? 'true' : 'false'" stepKey="isCookieSecure"/>
+        <assertEquals stepKey="assertCookieIsSecure">
+            <actualResult type="variable">isCookieSecure</actualResult>
+            <expectedResult type="string">true</expectedResult>
+        </assertEquals>
+    </test>
+</tests>
diff --git a/app/code/Magento/Cookie/Test/Mftf/Test/StorefrontVerifyUnsecureCookieTest.xml b/app/code/Magento/Cookie/Test/Mftf/Test/StorefrontVerifyUnsecureCookieTest.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<tests xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/testSchema.xsd">
+    <test name="StorefrontVerifyUnsecureCookieTest">
+        <annotations>
+            <features value="Cookie"/>
+            <stories value="Storefront Secure Cookie"/>
+            <title value="Verify Storefront Cookie Secure Config over http"/>
+            <description value="Verify that cookie are not secure on storefront over http"/>
+            <severity value="MAJOR"/>
+            <testCaseId value="MC-36899"/>
+            <useCaseId value="MC-36809"/>
+            <group value="cookie"/>
+            <group value="configuration"/>
+        </annotations>
+        <before>
+            <actionGroup ref="CliCacheFlushActionGroup" stepKey="flushCache">
+                <argument name="tags" value=""/>
+            </actionGroup>
+        </before>
+        <after>
+            <actionGroup ref="CliCacheFlushActionGroup" stepKey="flushCache">
+                <argument name="tags" value=""/>
+            </actionGroup>
+        </after>
+        <amOnPage url="/" stepKey="goToHomePage"/>
+        <executeJS function="return window.cookiesConfig.secure ? 'true' : 'false'" stepKey="isCookieSecure"/>
+        <assertEquals stepKey="assertCookieIsUnsecure">
+            <actualResult type="variable">isCookieSecure</actualResult>
+            <expectedResult type="string">false</expectedResult>
+        </assertEquals>
+    </test>
+</tests>
diff --git a/app/code/Magento/Cookie/view/base/templates/html/cookie.phtml b/app/code/Magento/Cookie/view/base/templates/html/cookie.phtml
@@ -10,9 +10,11 @@
  * @var $block \Magento\Framework\View\Element\Js\Cookie
  * @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
  */
-
-$scriptString = '
+$isCookieSecure = $block->getSessionConfig()->getCookieSecure() ? 'true' : 'false';
+$scriptString = "
     window.cookiesConfig = window.cookiesConfig || {};
-    window.cookiesConfig.secure = ' . /* @noEscape */ $block->getSessionConfig()->getCookieSecure() ? 'true' : 'false';
+    window.cookiesConfig.secure = $isCookieSecure;
+";
+?>
 
-echo /* @noEscape */ $secureRenderer->renderTag('script', [], $scriptString, false);
+<?= /* @noEscape */ $secureRenderer->renderTag('script', [], $scriptString, false) ?>
