CookieJar.extract_cookies doesn't process cookies from local domains when domain is explicitly set in header #90233

Closed
keddad mannequin opened this issue Dec 14, 2021 · 4 comments
Labels
3.10 (only security fixes), 3.11 (only security fixes), stdlib (Python modules in the Lib dir), type-bug (An unexpected behavior, bug, or error)

Comments

keddad mannequin commented Dec 14, 2021

BPO 46075
Nosy @keddad
PRs
  • bpo-46075: Allow for explicit domains in CookieJar #30108
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = None
    closed_at = None
    created_at = <Date 2021-12-14.21:08:16.652>
    labels = ['type-bug', 'library', '3.10', '3.11']
    title = "CookieJar.extract_cookies doesn't process cookies form local domains when domain is explicitly set in header"
    updated_at = <Date 2021-12-14.21:12:37.790>
    user = 'https://github.com/keddad'

    bugs.python.org fields:

    activity = <Date 2021-12-14.21:12:37.790>
    actor = 'keddad'
    assignee = 'none'
    closed = False
    closed_date = None
    closer = None
    components = ['Library (Lib)']
    creation = <Date 2021-12-14.21:08:16.652>
    creator = 'keddad'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 46075
    keywords = ['patch']
    message_count = 1.0
    messages = ['408564']
    nosy_count = 1.0
    nosy_names = ['keddad']
    pr_nums = ['30108']
    priority = 'normal'
    resolution = None
    stage = 'patch review'
    status = 'open'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue46075'
    versions = ['Python 3.10', 'Python 3.11']

    keddad mannequin commented Dec 14, 2021

    Apparently, CookieJar.extract_cookies doesn't process cookies from local domains which explicitly set domain in the Set-Cookie header. That means that headers with domain specified, like "Set-Cookie: foo=baz; Domain=localhost;", are ignored. As far as I can tell, this might actually be part of the standard: https://stackoverflow.com/questions/1134290/cookies-on-localhost-with-explicit-domain/32210291#32210291 . However, it looks like other HTTP clients, including modern versions of both Chrome and Firefox, do accept cookies from localhost with explicit domain=localhost, and this change doesn't appear to break existing software in any way. (Simple POC to test behavior in browsers: https://gist.github.com/keddad/e2ce034f68b77e59077cdb1e887fa4a1). Maybe it would be best to also allow this behavior in Python?

    @keddad keddad mannequin added 3.10 only security fixes 3.11 only security fixes stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error labels Dec 14, 2021
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    @JelleZijlstra
    Member

    Fixed in #30108 for 3.11. Thanks @keddad for your contributions!

    I'm not planning to backport the change to 3.10, so I'm closing this issue.

    @5er9e1

    5er9e1 commented Dec 1, 2024

    > Fixed in #30108 for 3.11

    @JelleZijlstra
    Could you help me with the problem? You said that the problem is fixed for 3.11, but I can still see it in 3.11.10. I described details here. Is it expected behavior to replace localhost with .localhost? As far as I know, modern browsers and any HTTP clients don't add a leading dot. Moreover, a leading dot cannot be used when we are using the SameSite attribute with Lax and Strict values. Is this problem planned to be fixed? Because of the issue it is not possible to use a local environment for cookie-based web tests and development.

    @JelleZijlstra
    Member

    It looks like the fix went into 3.11.0b1, so it should indeed be in 3.11.10. I don't remember the technical details of the change so I don't know if what you say would be covered. I'd recommend you create a new issue describing exactly what behavior you're seeing and how it's different from what you're expecting.

    Note that Python 3.11 is by now in security fix-only mode. We would still fix any remaining bugs in 3.12 and 3.13 though.
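
A minimal reproduction of the behaviour discussed in this thread, added here as an example (it is not code from the issue, the linked gist, or CPython's test suite). `FakeResponse` and `extract` are hypothetical helper names and the URLs are constructed; the third case checks that a non-local host still cannot set a cookie for the dotless domain `localhost`.

```python
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Stand-in for an HTTP response; extract_cookies() only calls info()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            # Message.__setitem__ appends, so repeated headers are kept.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def extract(url, set_cookie):
    """Return (name, value, domain, domain_specified) for each cookie kept."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request(url)
    jar.extract_cookies(FakeResponse([set_cookie]), request)
    return [(c.name, c.value, c.domain, c.domain_specified) for c in jar]


# Constructed sample inputs: (request URL, Set-Cookie header value).
CASES = [
    # Host-only cookie: no Domain attribute, always accepted.
    ("http://localhost:8000/", "foo=baz"),
    # The header from the report: explicit Domain=localhost.
    ("http://localhost:8000/", "foo=baz; Domain=localhost;"),
    # Same header sent by a non-local host: must stay rejected.
    ("http://example.com/", "foo=baz; Domain=localhost;"),
]

if __name__ == "__main__":
    for url, header in CASES:
        print(f"{url!r:28} {header!r:32} -> {extract(url, header)}")
```

On an interpreter with the fix, the second case is stored under the domain `.localhost`, which is the leading dot asked about in the follow-up comment; without the fix the jar stays empty for that case.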
