net/http: Client should scope cookie to Request.Host before Request.URL #38988
What version of Go are you using (
@colinclerk Thanks for this bug report. There might be a real issue here.
According to https://tools.ietf.org/html/rfc6265#section-5.4 domain matching works on the request-host (with the unclear definition above).
On the other hand: curl seems to use the Host header....
@vdobler What is the intended purpose of allowing outbound requests where r.Host != r.URL.Host?
When I issue outbound requests where r.Host != r.URL.Host, my intent is to mimic DNS resolution:
Having this separation allows me to mimic a server that has multiple hosts pointed at it, and generate different responses depending on the Host.
Since I'm imagining r.Host is what my user has in their address bar, it's also where I'm expecting cookies to be set. But maybe I'm thinking about this all wrong?
Another exercise that might be helpful is to think about things from the server's perspective. r.URL.Host doesn't exist on the server, so when it issues SetCookie it expects the cookie to be set on the incoming request's r.Host.
That's not what happens when using Client and setting r.Host manually:
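The scoping discussed in this thread, as an added example that is not part of the original issue or of the Go project's code. It assumes the Client hands `Request.URL` to the jar, which is the behaviour the issue reports; the host name `app.example`, the cookie `sid`, and the function `cookieScopes` are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
)

// cookieScopes sends one request whose Host header differs from the dialed URL.
// It reports how many cookies the Client's jar returns for the URL host and for
// the Host header, and how many a jar filled by hand under Request.Host returns.
func cookieScopes() (byURL, byHost, manual int, err error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The server only sees r.Host; it has no notion of the client's URL.Host.
		http.SetCookie(w, &http.Cookie{Name: "sid", Value: "constructed", Path: "/"})
	}))
	defer srv.Close()

	jar, _ := cookiejar.New(nil)
	req, err := http.NewRequest("GET", srv.URL, nil) // dials 127.0.0.1:<port>
	if err != nil {
		return 0, 0, 0, err
	}
	req.Host = "app.example" // constructed virtual host, sent as the Host header
	resp, err := (&http.Client{Jar: jar}).Do(req)
	if err != nil {
		return 0, 0, 0, err
	}
	resp.Body.Close()

	hostURL := &url.URL{Scheme: req.URL.Scheme, Host: req.Host, Path: "/"}
	byURL = len(jar.Cookies(req.URL))  // the scope the Client stored under
	byHost = len(jar.Cookies(hostURL)) // the scope the server believed it set

	// Scoping by hand: store the response cookies in a separate jar under Request.Host.
	hostJar, _ := cookiejar.New(nil)
	hostJar.SetCookies(hostURL, resp.Cookies())
	return byURL, byHost, len(hostJar.Cookies(hostURL)), nil
}

func main() {
	fmt.Println(cookieScopes())
}
```

When one address serves several virtual hosts, cookies stored under the URL host are shared by all of them in the same jar, so a separate jar per logical host keeps sessions isolated.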