IABTechLab · ChristianPavilonis · Apr 24, 2026 · aram356 · Apr 30, 2026 · aram356
diff --git a/crates/trusted-server-core/src/cookies.rs b/crates/trusted-server-core/src/cookies.rs
@@ -268,6 +268,9 @@ pub fn expire_ec_cookie(settings: &Settings, response: &mut fastly::Response) {
 
 #[cfg(test)]
 mod tests {
+    use fastly::http::HeaderValue;
+
+    use crate::error::TrustedServerError;
     use crate::test_support::tests::create_test_settings;
 
     use super::*;
@@ -338,7 +341,7 @@ mod tests {
     }
 
     #[test]
-    fn test_handle_request_cookies_invalid_cookie_header() {
+    fn test_handle_request_cookies_malformed_cookie_string() {
         let req = Request::get("http://example.com").with_header(header::COOKIE, "invalid");
         let jar = handle_request_cookies(&req)
             .expect("should parse cookies")
@@ -347,6 +350,26 @@ mod tests {
         assert!(jar.iter().count() == 0);
     }
 
+    #[test]
+    fn test_handle_request_cookies_invalid_utf8_cookie_header() {
+        let invalid_cookie_value = HeaderValue::from_bytes(b"ts-ec=valid-prefix\xF0\x90\x80")
+            .expect("should build header value");
+        let req =
+            Request::get("http://example.com").with_header(header::COOKIE, invalid_cookie_value);
+
+        let err =
+            handle_request_cookies(&req).expect_err("should reject invalid UTF-8 cookie header");
+
+        assert!(
+            matches!(
+                err.current_context(),
+                TrustedServerError::InvalidHeaderValue { message }
+                    if message.contains("invalid UTF-8")
+            ),
+            "should return invalid header value error for non-UTF-8 cookie header"
+        );
+    }
+
     #[test]
     fn test_set_ec_cookie() {
         let settings = create_test_settings();

diff --git a/crates/trusted-server-core/src/models.rs b/crates/trusted-server-core/src/models.rs
@@ -67,20 +67,6 @@ mod tests {
         assert_eq!(callback.url, "https://example.com/track/impression");
     }
 
-    #[test]
-    fn test_callback_type_field_rename() {
-        // Test that "type" is correctly renamed to callback_type
-        let json_str = r#"{
-            "type": "click",
-            "url": "https://example.com/track/click"
-        }"#;
-
-        let callback: Callback =
-            serde_json::from_str(json_str).expect("should deserialize callback from str");
-        assert_eq!(callback.callback_type, "click");
-        assert_eq!(callback.url, "https://example.com/track/click");
-    }
-
     #[test]
     fn test_ad_response_full_deserialization() {
         let json_data = json!({