New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IDN names for domain attributes #1707
Comments
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.1.2 step 2 refers to punycode, but I don't see anywhere that actually refers to a "a canonicalized host name" to do that work. However, there is a reference to "canonicalized request-host"s... that just magically exist I guess (in steps 8 and 9 of https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.5). |
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4 defines the parser and doesn't reject non-ASCII bytes outright. https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.3 doesn't appear to deal with them either. And then in https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.5 it assumes the value given is a domain... So yeah, that does raise the question what ought to happen. And not just with non-ASCII bytes, but with regards to IP addresses as well. |
Trying to write a WPT test for this right now and it looks like Firefox is the only browser not accepting unicode domains (and only accepts punycode). The other two seem to be able to deal with the unicode well enough. |
Are you testing |
Did you mean |
Yeah I did. |
This is for httpwg/http-extensions#1707 I took some inspiration from web-platform-tests#26170 and used a python server instead of a header file in order to better control which bytes are served as part of the header. The test runs exclusively on the élève. subdomain through opening a new window that then runs all test and reports back to the main test window.
I added a test in web-platform-tests/wpt#32620 which assumes that UTF-8 would be supported and it looks like the current behavior is:
Personally I'm not a fan of what Safari does here, but I do think either the Chrome or Firefox behaviors (if changed to be explicit rejection on non-ASCII) could be agreed upon. Talking to @sbingler on Chrome side we have a weak preference for keeping UTF-8 support but would be very interested in hearing concerns about it. We're also going to try and add measurements for the existence of non-ASCII chars in domain attributes, but getting results from that will take several months, so I don't want to block the discussion on it. @martinthomson wrote in web-platform-tests/wpt#32620 (review)
Can you elaborate more on what your concerns are with supporting UTF-8 overall and specifically in the domain attribute? |
My concern was rooted in the fact that HTTP was (at some time in the past) defined as using ISO-8859-1 encoding. Interpreting content as UTF-8 really is taking liberties. We've gradually moved to avoiding saying anything about anything other than a very narrow set of octet values. In particular, octets with the high bit set are basically regarded as dangerous, if not totally unusable. Many implementations pass arbitrary octets, but how they are interpreted varies. Your test results really confirm that handling is inconsistent. It's not merely sufficient to fix/align three implementations. There are more clients than these three that might deal with cookies. Also, I fear that security (or policy) checks would be inconsistently applied if there are multiple ways to spell a domain name: UTF-8 or punycode. |
I've filed this bug as rdar://88349235 (Apple-internal link). |
Discussed today: proposal is to reject a cookie (name-value pair) if it contains non-ASCII characters in the domain attribute and instead mandate the use of A-labels (punycode encoded names) for domain. Rationale being the above comments. |
Thanks Martin! Given that the above seemed to be consensus on the call yesterday I'll update the tests to check for rejection of non-ASCII characters instead. |
This is for httpwg/http-extensions#1707. I took some inspiration from #26170 and used a python server instead of a header file in order to better control which bytes are served as part of the header. The test runs exclusively on the élève. subdomain through opening a new window that then runs all test and reports back to the main test window.
This is for httpwg/http-extensions#1707. I took some inspiration from web-platform-tests#26170 and used a python server instead of a header file in order to better control which bytes are served as part of the header. The test runs exclusively on the élève. subdomain through opening a new window that then runs all test and reports back to the main test window.
…tributes, a=testonly Automatic update from web-platform-tests Cookies: Test IDN/non-ASCII in domain attributes This is for httpwg/http-extensions#1707. I took some inspiration from #26170 and used a python server instead of a header file in order to better control which bytes are served as part of the header. The test runs exclusively on the élève. subdomain through opening a new window that then runs all test and reports back to the main test window. -- wpt-commits: 48d28a82aa28f3491e525b7c32b8bb1cdfdaf6f6 wpt-pr: 32620
This is for httpwg/http-extensions#1707. I took some inspiration from web-platform-tests#26170 and used a python server instead of a header file in order to better control which bytes are served as part of the header. The test runs exclusively on the élève. subdomain through opening a new window that then runs all test and reports back to the main test window.
…tributes, a=testonly Automatic update from web-platform-tests Cookies: Test IDN/non-ASCII in domain attributes This is for httpwg/http-extensions#1707. I took some inspiration from #26170 and used a python server instead of a header file in order to better control which bytes are served as part of the header. The test runs exclusively on the élève. subdomain through opening a new window that then runs all test and reports back to the main test window. -- wpt-commits: 48d28a82aa28f3491e525b7c32b8bb1cdfdaf6f6 wpt-pr: 32620
…tributes, a=testonly Automatic update from web-platform-tests Cookies: Test IDN/non-ASCII in domain attributes This is for httpwg/http-extensions#1707. I took some inspiration from #26170 and used a python server instead of a header file in order to better control which bytes are served as part of the header. The test runs exclusively on the élève. subdomain through opening a new window that then runs all test and reports back to the main test window. -- wpt-commits: 48d28a82aa28f3491e525b7c32b8bb1cdfdaf6f6 wpt-pr: 32620
…tributes, a=testonly Automatic update from web-platform-tests Cookies: Test IDN/non-ASCII in domain attributes This is for httpwg/http-extensions#1707. I took some inspiration from #26170 and used a python server instead of a header file in order to better control which bytes are served as part of the header. The test runs exclusively on the élève. subdomain through opening a new window that then runs all test and reports back to the main test window. -- wpt-commits: 48d28a82aa28f3491e525b7c32b8bb1cdfdaf6f6 wpt-pr: 32620
We should specify what to do if the domain attribute in a cookie is:
I think that the right behaviour here is to only accept punycode, but we should ensure that this is what people do.
(This is a small piece of #1073 that might just be tractable.)
The text was updated successfully, but these errors were encountered: