cookies: leave secure cookies alone (draft-ietf-httpbis-cookie-alone-01) #2956
danielgustafsson wants to merge 1 commit into curl:master from
Conversation
But yes, a test case that also verifies that it works as intended would be really good!

Do you think this should be added to an existing test, or should a new test be added?

I'm fine with either way. Whatever you find easiest.
dac8ee2 to a377072
Rebased, test added and bugs fixed
56f757b to a322771
The AppVeyor redness comes from 1506 failing, which I believe is unrelated.
Regarding the replacement policy for when a non-secure cookie is allowed to replace a secure cookie, the document states this for path comparisons:
This leaves some room for implementation details IMHO. I have interpreted it in the most conservative way. The code implementing this could definitely need a set of eyes to ensure it's sane.
tests/data/test31 (outdated)
The reason for these large sections removed is that they are setting secure cookies over HTTP, which with this patch is no longer allowed.
As a reminder to myself for when the window opens: this patch also needs to remove item 5.8 from the TODO list. Will add that before this is pushed.
a322771 to a7a483a
Only allow secure origins to be able to write cookies with the 'secure' flag set. This reduces the risk of non-secure origins influencing the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01, which updates RFC6265. Closes curl#2956
a7a483a to 739deca
Only allow secure origins to be able to write cookies with the 'secure' flag set. This reduces the risk of non-secure origins influencing the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01, which updates RFC6265.
This is an old patch I dusted off which I wouldn't mind eyes on.
There need to be tests added of course, which is on my TODO.
Update: this used to be marked WIP as it lacked the required tests. These have now been added and the PR title is updated to reflect this.
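The storage rule that the PR description and the replacement-policy comment above describe, written out as a stand-alone C check; this is an added example, not curl's code and not the patch under review. `struct entry`, `cookie_allowed` and the simplified `domain_matches`/`path_matches` helpers are this example's own names, domains are assumed to be already lowercased, and testing the path-match in both directions is one reading of the "most conservative" interpretation mentioned in the comment, not the draft's exact wording.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed cookie-jar entry for this example; not curl's struct Cookie. */
struct entry { const char *name; const char *domain; const char *path; bool secure; };

/* RFC 6265 5.1.3 domain-match, simplified: lowercased input, no IP-address case. */
static bool domain_matches(const char *s, const char *d)
{
  size_t ls = strlen(s), ld = strlen(d);
  if(strcmp(s, d) == 0)
    return true;
  return ls > ld && s[ls - ld - 1] == '.' && strcmp(s + ls - ld, d) == 0;
}

/* RFC 6265 5.1.4 path-match: does path p path-match cookie path c? */
static bool path_matches(const char *p, const char *c)
{
  size_t lc = strlen(c);
  if(lc == 0 || strncmp(p, c, lc) != 0)
    return false;
  return p[lc] == '\0' || c[lc - 1] == '/' || p[lc] == '/';
}

/* draft-ietf-httpbis-cookie-alone-01 storage check: over plain http a cookie
 * is rejected if it carries the secure flag, or if a stored secure cookie of
 * the same name exists whose domain domain-matches (either way) and whose path
 * path-matches. Path-match is tested both ways here: an assumption about the
 * "most conservative" reading, not the draft's wording. */
bool cookie_allowed(bool over_https, const struct entry *in,
                    const struct entry *jar, size_t njar)
{
  if(over_https)
    return true;               /* secure origins are not restricted */
  if(in->secure)
    return false;              /* secure flag set over http */
  for(size_t i = 0; i < njar; i++) {
    const struct entry *old = &jar[i];
    if(!old->secure || strcmp(old->name, in->name) != 0)
      continue;
    if(!domain_matches(old->domain, in->domain) &&
       !domain_matches(in->domain, old->domain))
      continue;
    if(path_matches(in->path, old->path) || path_matches(old->path, in->path))
      return false;            /* would shadow an existing secure cookie */
  }
  return true;
}
```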