Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
GitHub fields:
assignee = None
closed_at = None
created_at = <Date 2021-12-14.21:08:16.652>
labels = ['type-bug', 'library', '3.10', '3.11']
title = "CookieJar.extract_cookies doesn't process cookies form local domains when domain is explicitly set in header"
updated_at = <Date 2021-12-14.21:12:37.790>
user = 'https://github.com/keddad'
Apparently, CookieJar.extract_cookies doesn't process cookies from local domains which explicitly set domain in the Set-Cookie header. That means that headers with domain specified, like "Set-Cookie: foo=baz; Domain=localhost;", are ignored. As far as I can tell, this might actually be part of the standard: https://stackoverflow.com/questions/1134290/cookies-on-localhost-with-explicit-domain/32210291#32210291 . However, it looks like other HTTP clients, including modern versions of both Chrome and Firefox, do accept cookies from localhost with explicit domain=localhost, and this change doesn't appear to break existing software in any way. (Simple POC to test behavior in browsers: https://gist.github.com/keddad/e2ce034f68b77e59077cdb1e887fa4a1). Maybe it would be best to also allow this behavior in Python?
@JelleZijlstra
Could you help me with the problem? You said that the problem is fixed for 3.11, but I can still see it in 3.11.10. I described details here. Is it expected behavior to replace localhost with .localhost? As far as I know, modern browsers and any HTTP clients don't add a leading dot. Moreover, a leading dot cannot be used when we are using the SameSite attribute with Lax and Strict values. Is this problem planned to be fixed? Because of the issue it is not possible to use a local environment for cookie-based web tests and development.
It looks like the fix went into 3.11.0b1, so it should indeed be in 3.11.10. I don't remember the technical details of the change so I don't know if what you say would be covered. I'd recommend you create a new issue describing exactly what behavior you're seeing and how it's different from what you're expecting.
Note that Python 3.11 is by now in security fix-only mode. We would still fix any remaining bugs in 3.12 and 3.13 though.
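A minimal reproduction of the behaviour discussed in this issue, added here as an example and not part of the original thread or of CPython's test suite. `FakeResponse`, `stored_domains` and `run_cases` are hypothetical helper names, the inputs are constructed, and the result for `Domain=localhost` depends on whether the interpreter includes the fix.

```python
import email.message
import http.cookiejar
import sys
import urllib.request


class FakeResponse:
    """Stand-in HTTP response: extract_cookies() only calls .info()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            # Message.__setitem__ appends, so repeated headers are preserved.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def stored_domains(request_url, set_cookie_value):
    """Return the domains of the cookies the jar kept for one response."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request(request_url)  # no network I/O happens
    jar.extract_cookies(FakeResponse([set_cookie_value]), request)
    return sorted(cookie.domain for cookie in jar)


# Constructed sample inputs: (request URL, Set-Cookie value).
CASES = [
    ("http://localhost/", "foo=baz"),                      # no Domain attribute
    ("http://localhost/", "foo=baz; Domain=localhost;"),   # case from the report
    ("http://www.example.com/", "foo=baz; Domain=example.com"),
]


def run_cases():
    """Map each constructed case to the list of domains the jar stored."""
    return {case: stored_domains(*case) for case in CASES}


if __name__ == "__main__":
    print("Python", sys.version.split()[0])
    for (url, header), domains in run_cases().items():
        verdict = "stored as %s" % domains if domains else "ignored"
        print("%-26s Set-Cookie: %-30s -> %s" % (url, header, verdict))
```

An empty list for the second case means the interpreter still drops the cookie; a stored cookie appears under `.localhost`, the leading-dot form asked about in the follow-up comment.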