Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upSet-Cookie - violating rfc6265 #2576
Comments
|
So the code that handles cookies for us in the standard library. We rely on the With that information, I think I'm comfortable saying that we should start providing a way for users to enable a stricter policy. I don't think we can start doing that by default, though, until 3.0 since it will be a breaking change. Does that sound reasonable? |
|
Also, I wasn't previously aware of this so I'd like to sincerely thank you for bringing this to our attention. |
|
@sigmavirus24 Can users not provide a stricter policy by replacing the cookiejar on the |
|
@Lukasa they can. I'm proposing that we provide a stricter policy by default in the near future to make requests comply better with 6265 |
I very agree. I am not sure how many people this change could break and whether the behavior should be configurable. I'm also wondering how this is handled in requests analogues. |
|
Yeah, I want to know what browsers do and what curl does. I'll test this at some stage. |
|
I'm pretty sure we can use the script in @henadzit's original report to test browsers and curl both. It's well done. |
|
I updated the test script to test curl and wget. I also tried to use Ruby httpclient but it failed on my server answers. Probably, it requires some headers or something like that. I will look into it later. Anyway, the script is at https://github.com/henadzit/henadzit-various/blob/master/requests-show-rfc6265.py Its output
As you can see, both wget and curl follow the RFC and don't store the cookie. I still want to test browser behavior. |
|
So I've had this bug nagging at me for no particular reason. I started digging into it tonight and I found that the problem is that the standard library's cookie handling library actually always adds a domain if it's absent to a cookie. It also, helpfully (and I literally just realized this while writing this comment) adds |
Hey,
I found that requests (version 2.6.0) violates one paragraph of rfc6265 - http://tools.ietf.org/html/rfc6265#section-4.1.2.3
"If the server omits the Domain attribute, the user agent will return the cookie only to the origin server."
It means that if Set-Cookie is set without domain at test.com, the cookie shouldn't be visible at subdomain.test.com.
However, the RFC warns that some user agents behave that way. Have this been discussed before? I haven't found anything. I encountered that issue when I was requesting endpoint which sent me 301 to subdomain of the initial endpoint. The service didn't handle that properly.
Below the code that shows the issue.
The code outputs