CookieJar.extract_cookies doesn't process cookies form local domains when domain is explicitly set in header

[keddad]

BPO	46075
Nosy	@keddad
PRs	bpo-46075: Allow for explicit domains in CookieJar #30108

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2021-12-14.21:08:16.652>
labels = ['type-bug', 'library', '3.10', '3.11']
title = "CookieJar.extract_cookies doesn't process cookies form local domains when domain is explicitly set in header"
updated_at = <Date 2021-12-14.21:12:37.790>
user = 'https://github.com/keddad'

bugs.python.org fields:

activity = <Date 2021-12-14.21:12:37.790>
actor = 'keddad'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)']
creation = <Date 2021-12-14.21:08:16.652>
creator = 'keddad'
dependencies = []
files = []
hgrepos = []
issue_num = 46075
keywords = ['patch']
message_count = 1.0
messages = ['408564']
nosy_count = 1.0
nosy_names = ['keddad']
pr_nums = ['30108']
priority = 'normal'
resolution = None
stage = 'patch review'
status = 'open'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue46075'
versions = ['Python 3.10', 'Python 3.11']

[keddad]

Apparently, CookieJar.extract_cookies doesn't process cookies form local domains which explicitly set domain in Set-Cookie header. That means that headers with domain specified, like "Set-Cookie: foo=baz; Domain=localhost;", are ignored. As far as I can tell, this might be actually part of the standard: https://stackoverflow.com/questions/1134290/cookies-on-localhost-with-explicit-domain/32210291#32210291 . However, it looks like other HTTP clients, including modern versions of both Chrome and Firefox do accept cookies from localhost with explicit domain=localhost, and this change doesn't appear to break existing software in any way. (simple POC to test behavior in browsers: https://gist.github.com/keddad/e2ce034f68b77e59077cdb1e887fa4a1). Maybe it would be best to also allow this behavior in Python?

[JelleZijlstra]

Fixed in #30108 for 3.11. Thanks @keddad for your contributions!

I'm not planning to backport the change to 3.10, so I'm closing this issue.

[5er9e1]

Fixed in #30108 for 3.11

@JelleZijlstra
Could you help me with the problem? You said that the problem is fixed for 3.11, but I still can see it in 3.11.10. I described details here. Is it expected behavior to replace localhost with .localhost? As I know modern browsers and any http clients doesn't add leading dot. More over leading dot can not be used when we are using samesite attribute with Lax and Strict values. Is this problem planned to be fixed? Because of the issue it is not possible to use local environment for cookie based web tests and development.

[JelleZijlstra]

It looks like the fix went into 3.11.0b1, so it should indeed be in 3.11.10. I don't remember the technical details of the change so I don't know if what you say would be covered. I'd recommend you create a new issue describing exactly what behavior you're seeing and how it's different from what you're expecting.

Note that Python 3.11 is by now in security fix-only mode. We would still fix any remaining bugs in 3.12 and 3.13 though.