-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Don't bother pattern matching existing set-cookie for deletion. #1844
Conversation
829785a
to
e717518
Compare
I'm honestly not sure what these tests were trying to achieve. Our deletion logic doesn't matter at all if browsers don't implement it correctly. Because I imagine 99% of people trying to delete cookies would be doing so after the fact it was set in a prior request, so the tests really don't reflect reality. |
Please don't commit .DS_Store files.. One use case could be to have middle-ware that removes cookies from some other layer, but I'm not sure how useful that is. |
Oh lol, I don't even know how that happened, I was committing from Linux, but I think I copied the entire repo from my old development laptop haha. Thanks for pointing it out! 😊
Cookie deletion still works even in this case, but we depend on the browser to do the right thing, which I tested and it appears to work as expected (and according to relevant RFCs). I discussed this with @tenderlove and he said there is a potential security angle which would be someone adding a cookie with a sensitive value and then later deleting it. With this change we send the creation (with sensitive data) and then follow with a deletion cookie. This would all go to the browser which would in all likelihood add then remove the cookie. But I think the consensus here was that this is a poorly implemented app. The other angle is performance. If someone added a huge cookie and then later deleted it in the same request, expecting the entire overhead to be gone... Yes there is some impact. But again, I'm not sure this is well-formed behaviour/app. |
b1dc03d
to
e487244
Compare
It seems only benefit of removing the scanning is for performance in the general case. Do we have any indication that this is actually a performance issue worth fixing? It seems both the security (remove secret data) and size (remove large data) issues, even if they do not affect most applications, are reasonable reasons against this change. Looking at the code, the only reason for @tenderlove merged this as I was typing this, but I think this should be reverted. |
If you're sending sensitive information, and then relying on this to delete it, I think your app has bigger problems. Specifically adding sensitive info, then trying to remove it later seems like a "your app problem" not a "rack should deal with this" problem. Additionally, the regex match used for detecting if it's the right cookie could be problematic. Since the app developer has access to the array and can mutate it themselves, why is it our responsibility to try and parse their strings? (My main gripe with this method are the regular expressions. If we kept the cookies in a more structured format like objects, I think removing existing ones would be fine) |
I agree the method implementation is ugly. However, the only reason for |
I'm happy to revert this PR and just deprecate the entire method if we all agree to that, I'll do it today. |
Multiple response header values are encoded using an Array instead of newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array Rack 3 does not remove cookies from the internal storage (because it doesn't make much sense), see rack/rack#1844, rack/rack#1840
Multiple response header values are encoded using an Array instead of newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array Rack 3 does not remove cookies from the internal storage (because it doesn't make much sense), see rack/rack#1844, rack/rack#1840
Multiple response header values are encoded using an Array instead of newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array Rack 3 does not remove cookies from the internal storage (because it doesn't make much sense), see rack/rack#1844, rack/rack#1840
Multiple response header values are encoded using an Array instead of newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array Rack 3 does not remove cookies from the internal storage (because it doesn't make much sense), see rack/rack#1844, rack/rack#1840
Multiple response header values are encoded using an Array instead of newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array Rack 3 does not remove cookies from the internal storage (because it doesn't make much sense), see rack/rack#1844, rack/rack#1840
Multiple response header values are encoded using an Array instead of newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array Rack 3 does not remove cookies from the internal storage (because it doesn't make much sense), see rack/rack#1844, rack/rack#1840
Multiple response header values are encoded using an Array instead of newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array Rack 3 does not remove cookies from the internal storage (because it doesn't make much sense), see rack/rack#1844, rack/rack#1840
Multiple response header values are encoded using an Array instead of newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array Rack 3 does not remove cookies from the internal storage (because it doesn't make much sense), see rack/rack#1844, rack/rack#1840
Multiple response header values are encoded using an Array instead of newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array Rack 3 does not remove cookies from the internal storage (because it doesn't make much sense), see rack/rack#1844, rack/rack#1840
Multiple response header values are encoded using an Array instead of newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array Rack 3 does not remove cookies from the internal storage (because it doesn't make much sense), see rack/rack#1844, rack/rack#1840
Multiple response header values are encoded using an Array instead of newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array Rack 3 does not remove cookies from the internal storage (because it doesn't make much sense), see rack/rack#1844, rack/rack#1840
Multiple response header values are encoded using an Array instead of newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array Rack 3 does not remove cookies from the internal storage (because it doesn't make much sense), see rack/rack#1844, rack/rack#1840
Multiple response header values are encoded using an Array instead of newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array Rack 3 does not remove cookies from the internal storage (because it doesn't make much sense), see rack/rack#1844, rack/rack#1840
Multiple response header values are encoded using an Array instead of newlines: https://github.com/rack/rack/blob/v3.0.3/UPGRADE-GUIDE.md#multiple-response-header-values-are-encoded-using-an-array Rack 3 does not remove cookies from the internal storage (because it doesn't make much sense), see rack/rack#1844, rack/rack#1840
Fixes #1840