Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cookies with empty domain are not stored, this is contrary to RFC and standard browser practice #9164

Closed
gwenshap opened this issue Jul 15, 2022 · 0 comments
Closed

Cookies with empty domain are not stored, this is contrary to RFC and standard browser practice #9164

gwenshap opened this issue Jul 15, 2022 · 0 comments
Assignees
@bagder
Labels
cookies HTTP

Comments

@gwenshap
Copy link

I did this

curl -v -c cookies.txt -X POST http://prod.thenile.dev:8080/auth/login --header 'Content-Type: application/json' --data-raw $'{\n    "email": "blahblah",\n    "password": "xxx"\n}' -i

Part of the result was a cookie:

Set-Cookie: token=eyJhbGciblahblah;Version=1;Domain=;Path=/;Max-Age=86400;HttpOnly

Note that the Domain is an empty string.

I expected the following

Expected curl to store the cookie using the hostname as a domain (i.e. treat it the same as if the field was completely missing).

RFC 6265 has this behavior as "client should", and most browsers support it (Chrome: https://source.chromium.org/chromium/chromium/src/+/main:net/cookies/cookie_util.cc;l=290)

curl/libcurl version

curl 7.79.1 (x86_64-apple-darwin21.0) libcurl/7.79.1 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.11 nghttp2/1.45.1
Release-Date: 2021-09-22
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets

operating system

MacOS Monterey 12.4

Darwin Gwens-MBP.attlocal.net 21.5.0 Darwin Kernel Version 21.5.0: Tue Apr 26 21:08:37 PDT 2022; root:xnu-8020.121.3~4/RELEASE_ARM64_T6000 arm64
@bagder bagder self-assigned this Jul 18, 2022
@bagder bagder added the HTTP label Jul 18, 2022
bagder added a commit that referenced this issue Jul 18, 2022
@bagder
cookie: treat a blank domain in Set-Cookie: as non-existing
0910b5c 
This matches what RFC 6265 section 5.2.3 says.

Extended test 31 to verify.

Fixes #9164
Reported-by: Gwen Shapira
@bagder bagder mentioned this issue Jul 18, 2022
Closed
@bagder bagder closed this as completed in 4c0ac2a Jul 19, 2022
@bagder bagder added the cookies label Nov 17, 2022
@fcastells fcastells mentioned this issue Mar 3, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bagder bagder

Labels
cookies HTTP
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

cookie: treat a blank domain in Set-Cookie: as non-existing curl/curl
2 participants
@bagder @gwenshap