curl-library
Re: Incorrect handling of subdomain cookies.
Date: Thu, 29 Sep 2016 23:32:21 -0700
What are the action points?
Chrome, Opera and Firefox seems to handle dup cookies in the same way
(FIFO). Safari seems to order cookies. Edge leaves last cookie and always
leave broader scope (with subdomains).
Do you agree to choose one of ways above? FIFO is more widely used but
Safari-style seems to be more concise. Probably worth aligning with 6265bis.
Issue
https://github.com/httpwg/http-extensions/issues/199
Should someone (me?) open an issue for the matter on curl github?
Sergei
On Wed, Sep 28, 2016 at 3:23 AM, Sergei Kuzmin <sergeikuzmin_at_gmail.com>
wrote:
> I've checked bunch of browsers:
> 1. Cookies are empty
> 2. Open http://httpbin.org/response-headers?Set-Cookie=%20foo=b
> ar;%20domain=.httpbin.org&Set-Cookie=%20foo=qux;
> 3. Check two cookies are set in browser with corresponding domains (.
> httpbin.org and httpbin.org)
> 4. Open http://httpbin.org/get
> 5. Check in dev-tools what is sent to server
> 6. Retry http://httpbin.org/response-headers?Set-Cookie=%20foo=
> qux;&Set-Cookie=%20foo=bar;%20domain=.httpbin.org
>
> Note what http://httpbin.org/cookies returns just one value per cookie.
>
> 1. Chrome (53.0.2785.116 (64-bit)), Mac OS.
> 3) Confirmed 4) "Cookie": "foo=bar; foo=qux" is sent. 6) Cookies
> are sent FIFO order: "Cookie": "foo=qux; foo=bar"
> 2. Opera 39.0.
> 3) Confirmed 4) Same as Chrome. Expected as same engine is used.
> 6) Same as Chrome
> 3. Safari 10.0 (10602.1.50.0.10)
> 3) Confirmed 4) Same as Chrome. 6) Cookies are sorted. "Cookie":
> "foo=bar; foo=qux"
> 4. Firefox 45.0.2.
> 3) Confirmed 4) Same as Chrome 6) Same as Chrome
> 5. Edge 38.14393.0.0, EdgeHTML 14.14393
> 3) Single cookie stored in browser: foo=qux, .httpbin.org 4) "Cookie":
> "foo=qux" 6) Single cookie stored in browser: foo=bar; domain=.httpbin.org
> Sent as "Cookie": "foo=bar";
>
> Extra checks for Edge:
> http://httpbin.org/response-headers?Set-Cookie=%20foo=bar;%20domain=.
> httpbin.org&Set-Cookie=%20foo=qux;%20domain=httpbin.org => foo=qux;
> domain: .httpbin.org
> http://httpbin.org/response-headers?Set-Cookie=%20foo=qux;%20domain=
> httpbin.org&Set-Cookie=%20foo=bar;%20domain=.httpbin.org => foo=bar;
> domain: .httpbin.org
>
> Sergei
>
> On Tue, Sep 27, 2016 at 11:27 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:
>
>> On Tue, 27 Sep 2016, Sergei Kuzmin wrote:
>>
>> Thanks for extensive explanation. What do you thing would be the best? Is
>>> it asking IETF for comment? Eventually it would be nice to match browsers
>>> behavior but not at expense of missing RFC guidelines. It's unclear whether
>>> to fix curl or major browsers.
>>>
>>
>> The httpwg in the IETF will probably soon work on a "6265bis" document,
>> that is a revision and update of the RFC 6265 that we made a few years
>> back[1]. This, to make it more accurately describe how cookies are de-facto
>> used in the real world. Even if we didn't manage it 100% with RFC 6265, it
>> was still the first cookie spec that was close to describing how cookies
>> work on the web. (And those old enough may remember me struggling against
>> specifying some of the browser behaviors as mandated[2].)
>>
>> Web browsers will not change behavior due to RFC contents if they
>> think/know other browsers do it that way - web compatibility trumps
>> basically anything. I'd say it is much more likely that an updated spec
>> will use wording that makes the current browser behaviors compliant. Of
>> course this is my guess based on my many years working in the httpwg and
>> with the browser people.
>>
>> If there is more than one browser that works that way, it is best to just
>> admit defeat and switch over to behave like that...
>>
>> [1] = https://daniel.haxx.se/blog/2011/04/28/the-cookie-rfc-6265/
>> [2] = https://daniel.haxx.se/blog/2010/01/20/cookie-order/
>>
>> --
>>
>> / daniel.haxx.se
>>
>> -------------------------------------------------------------------
>> List admin: https://cool.haxx.se/list/listinfo/curl-library
>> Etiquette: https://curl.haxx.se/mail/etiquette.html
>>
>
>
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-09-30