__HostHttp- cookie prefix

Similar to [1], this adds an __HostHttp- prefix that ensures that a
cookies is both Host-scoped and httpOnly.

Specified in [2]

[1] https://chromium-review.googlesource.com/c/chromium/src/+/6638647
[2] httpwg/http-extensions#3110

Bug: 426096760
Change-Id: Id1637331eaa3035443d005450c022b326378aeed
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6650996
Commit-Queue: Yoav Weiss (@Shopify) <[email protected]>
Reviewed-by: Maks Orlovich <[email protected]>
Reviewed-by: Chris Fredrickson <[email protected]>
Reviewed-by: Dylan Cutler <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1478697}

Author: Yoav Weiss

cookie-store/cookieStore_special_names.https.any.js

@@ -54,7 +54,7 @@
   }, `cookieStore.set with ${prefix} prefix a path option`);
 });
 
-['__Http-', '__http-'].forEach(prefix => {
+['__HostHttp-', '__hosthttp-', '__Http-', '__http-'].forEach(prefix => {
   promise_test(async testCase => {
     await promise_rejects_js(testCase, TypeError,
         cookieStore.set({ name: `${prefix}cookie-name`, value: 'cookie-value'}));

cookies/prefix/__HostHttp.https.tentative.html

@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  set_prefixed_cookie_via_dom_test({
+    prefix: "__HostHttp-",
+    params: "Secure; Path=/",
+    shouldExistInDOM: false,
+    shouldExistViaHTTP: false,
+    title: "__HostHttp: Does not set via DOM 'Secure; Path=/'"
+  });
+
+  set_prefixed_cookie_via_dom_test({
+    prefix: "__HostHttp-",
+    params: "Secure; Path=/; Domain=" + document.location.hostname,
+    shouldExistInDOM: false,
+    shouldExistViaHTTP: false,
+    title: "__HostHttp: Does not set via DOM with Domain attribute 'Secure; Path=/; Domain=" +
+           document.location.hostname + "'"
+  });
+
+  set_prefixed_cookie_via_http_test({
+    prefix: "__HostHttp-",
+    params: "Secure; Path=/",
+    shouldExistViaHTTP: false,
+    origin: self.origin,
+    title: "__HostHttp: Does not set via HTTP with 'Secure; Path=/'"
+  });
+
+  set_prefixed_cookie_via_http_test({
+    prefix: "__HostHttp-",
+    params: "Secure; Path=/;httponly",
+    shouldExistViaHTTP: true,
+    origin: self.origin,
+    title: "__HostHttp: Set via HTTP with 'Secure; Path=/; httponly'"
+  });
+
+  set_prefixed_cookie_via_http_test({
+    prefix: "__HostHttp-",
+    params: "Secure; Path=/cookies/;httponly",
+    shouldExistViaHTTP: false,
+    origin: self.origin,
+    title: "__HostHttp: Does not set via HTTP with 'Secure; Path=/cookies/; httponly'"
+  });
+
+  set_prefixed_cookie_via_http_test({
+    prefix: "__HostHttp-",
+    params: "Path=/",
+    shouldExistViaHTTP: false,
+    origin: self.origin,
+    title: "__HostHttp: Does not set via HTTP with 'Path=/;' (without Secure)"
+  });
+
+  set_prefixed_cookie_via_http_test({
+    prefix: "__HostHttp-",
+    params: "Secure; Path=/; Domain=" + document.location.hostname,
+    shouldExistViaHTTP: false,
+    origin: self.origin,
+    title: "__HostHttp: Does not set via HTTP with Domain attribute 'Secure; Path=/; Domain=" +
+           document.location.hostname + "'"
+  });
+</script>