Cookie Management #117
Cookie Management #117
Conversation
http/cookies.lua
Outdated
| cmp_cookie.secure | ||
| -- 3. Their domain domain-matches the domain of the newly-created | ||
| -- cookie, or vice-versa. | ||
| and domain_match(cookie.domain, cmp_cookie.domain) |
There was a problem hiding this comment.
Move this to the outer loop.
http/cookies.lua
Outdated
| local now = self.time() | ||
| local list = {} | ||
| local n = 0 | ||
| for domain, domain_cookies in pairs(self.domains) do |
There was a problem hiding this comment.
Needs optimising: can index by each req_domain domain+superdomain?
|
Need to add libpsl to travis-ci. |
This comment has been minimized.
This comment has been minimized.
daurnimator
force-pushed
the
cookies
branch
4 times, most recently
from
4a9d3a4
to
f422407
Compare
daurnimator
force-pushed
the
cookies
branch
3 times, most recently
from
01da506
to
5ca16d0
Compare
daurnimator
force-pushed
the
cookies
branch
8 times, most recently
from
b000e2a
to
1e3d101
Compare
| canonicalise_host = function(str) | ||
| -- fail on non-ascii chars | ||
| if str:find("[^%p%w]") then | ||
| return nil |
There was a problem hiding this comment.
add error string on why failed?
There was a problem hiding this comment.
Sadly libpsl doesn't tell us why we failed; so can't do :(
| -- If the cookie store contains a cookie with the same name, | ||
| -- domain, and path as the newly created cookie: | ||
| if old_cookie then | ||
| -- If the newly created cookie was received from a "non-HTTP" |
There was a problem hiding this comment.
what is a non-HTTP API? AFAICT this just meant that the cookie is not exposed to JavaScript.
There was a problem hiding this comment.
I looked a bit more into it, I think it could be that "non-HTTP" means that, for example, JavaScript couldn't overwrite the cookie.
There was a problem hiding this comment.
Correct. e.g. if it was set with document.cookie.
Think of it as a flag that decides if the user can change it vs only transport
http/cookie.lua
Outdated
| end | ||
|
|
||
| -- Convert the cookie-domain to lower case. | ||
| domain = domain:lower() |
There was a problem hiding this comment.
should this not be the canonicalized URL instead?
There was a problem hiding this comment.
I'm not sure.... the specs seem quiet on the issue?
http/cookie.lua
Outdated
|
|
||
| local function cookie_match(cookie, req_domain, req_is_http, req_is_secure, req_is_safe_method, req_site_for_cookies, req_is_top_level) | ||
| if cookie.host_only then -- Either: | ||
| -- The cookie's host-only-flag is true and the canonicalized |
There was a problem hiding this comment.
req_domain in this case isn't canonicalized
There was a problem hiding this comment.
How so? It's canonicalized at the call site. (and cookie_match isn't public)
There was a problem hiding this comment.
That would make sense then, but it's not obvious it's canonicalized elsewhere. Perhaps add a comment on that?
The lua compiler will turn it into a constant
Fixes #6
Closes #79
I took a few pieces out of #79, but the initial version of this is based on code I wrote on a plane in January 2017. It tries to keep close to RFC 6265. The later revisions are cribbing from https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
Brings in two new dependencies: lua-psl and binaryheap