
Allow secure cookies to be set for http localhost #281

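--- a/lib/cookie.js
+++ b/lib/cookie.js
@@ -791,6 +791,28 @@ function getCookieContext(url) {
 return urlParse(url);
 }
 
+/**
+* This is a method which determines if the top level domain associated with a cookie
+* is special use domain.
+* @param {string} domain - The cannonical domain which is associated with the cookie
+* @returns {boolean}
+*/
+function isSpecialDomain(domain) {
+if (!domain || typeof domain !== "string") {
+return false;
+}
+
+const SPECIAL_TREATMENT_DOMAINS = ["localhost"],
+domainParts = domain.split("."),
+topLevelDomain = domainParts.pop();
+
+if (SPECIAL_TREATMENT_DOMAINS.includes(topLevelDomain)) {
+return true;
+}
+
+return false;
+}
+
 const cookieDefaults = {
 // the order in which the RFC has them:
 key: "",
@@ -1116,7 +1138,8 @@ class CookieJar {
 }
 
 setCookie(cookie, url, options, cb) {
-validators.validate(validators.isNonEmptyString(url), cb, options);
+validators.validate(validators.isUrlStringOrObject(url), cb, options);
+
 let err;
 
 if (validators.isFunction(url)) {
@@ -1314,7 +1337,8 @@ class CookieJar {
 
 // RFC6365 S5.4
 getCookies(url, options, cb) {
-validators.validate(validators.isNonEmptyString(url), cb, url);
+validators.validate(validators.isUrlStringOrObject(url), cb, url);
+
 const context = getCookieContext(url);
 if (validators.isFunction(options)) {
 cb = options;
@@ -1327,10 +1351,15 @@ class CookieJar {
 const path = context.pathname || "/";
 
 let secure = options.secure;
+
+// Additional check for special domain as per RFC 6265 to treat localhost as secure channel
+// https://www.rfc-editor.org/rfc/rfc6265#page-21
 if (
 secure == null &&
 context.protocol &&
-(context.protocol == "https:" || context.protocol == "wss:")
+(context.protocol == "https:" ||
+context.protocol == "wss:" ||
+isSpecialDomain(host))
 ) {
 secure = true;
 }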
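Review bot: The `isSpecialDomain(host)` arm added to the secure inference in getCookies marks a request as a secure channel purely by name, so any host whose last label is `localhost` (the helper only inspects `domain.split(".").pop()`) gets Secure cookies over plain `http:`; that is sound only where the resolver maps `.localhost` names to loopback as RFC 6761 §6.3 requires, while loopback literals such as `127.0.0.1` are not covered, and both points belong in the comment. The comment also attributes the rule to RFC 6265, which in §5.4 leaves what counts as a "secure" protocol to the user agent; suggest `// RFC 6265 §5.4 leaves "secure" to the user agent; like browsers, treat localhost (RFC 6761 §6.3) as secure so Secure cookies work over http://localhost.` In the first hunk the helper would read better with one `const` per declaration, and the JSDoc typo `cannonical` should be fixed. getCookies continues past the end of the hunk.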
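--- a/lib/pubsuffix-psl.js
+++ b/lib/pubsuffix-psl.js
@@ -61,7 +61,11 @@ function getPublicSuffix(domain, options = {}) {
 }
 }
 
-if (!ignoreError && SPECIAL_USE_DOMAINS.includes(topLevelDomain)) {
+if (
+!ignoreError &&
+!allowSpecialUseDomain &&
+SPECIAL_USE_DOMAINS.includes(topLevelDomain)
+) {
 throw new Error(
 `Cookie has domain set to the public suffix "${topLevelDomain}" which is a special use domain. To allow this, configure your CookieJar with {allowSpecialUseDomain:true, rejectPublicSuffixes: false}.`
 );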
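Review bot: With `allowSpecialUseDomain` set, a special-use name that the earlier branch did not return for (presumably a single-label name such as `localhost`) now skips the throw and falls through to whatever follows the hunk, which is outside this view; that return value is the behaviour the PR depends on and should be pinned by a test. The condition also now encodes a precedence that is easy to misread, so a comment above it would help: `// allowSpecialUseDomain opts in to special-use TLDs entirely; ignoreError only suppresses the throw.` getPublicSuffix starts and ends outside the hunk.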
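--- a/lib/validators.js
+++ b/lib/validators.js
@@ -59,6 +59,14 @@ function isInstanceStrict(data, prototype) {
 }
 }
 
+function isUrlStringOrObject(data) {
+return (
+isNonEmptyString(data) ||
+isObject(data) || // TODO: Check for URL properties that are used.
+isInstanceStrict(data, URL)
+);
+}
+
 function isInteger(data) {
 return typeof data === "number" && data % 1 === 0;
 }
@@ -92,4 +100,5 @@ exports.isDate = isDate;
 exports.isEmptyString = isEmptyString;
 exports.isString = isString;
 exports.isObject = isObject;
+exports.isUrlStringOrObject = isUrlStringOrObject;
 exports.validate = validate;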
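Review bot: The `isObject(data)` arm of isUrlStringOrObject accepts any plain object, `{}` included, so the validate calls that now use it in setCookie and getCookies no longer reject a url argument that carries none of the fields the cookie code reads from the context (`protocol` and `pathname` are read in the cookie.js hunks); the TODO on that line concedes the gap. Either tighten it to the field the cookie logic actually needs, e.g. `(isObject(data) && isNonEmptyString(data.hostname)) ||`, or add a JSDoc above the function stating that object inputs are assumed to be url.parse()-shaped and are not validated, so callers know the check is nominal. The declarations of isObject and isInstanceStrict are outside the hunk.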
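--- a/lib/version.js
+++ b/lib/version.js
@@ -1,2 +1,2 @@
 // generated by genversion
-module.exports = '4.1.2'
+module.exports = '4.1.2-postman.1'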
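--- a/package.json
+++ b/package.json
@@ -55,7 +55,7 @@
 }
 ],
 "license": "BSD-3-Clause",
-"name": "tough-cookie",
+"name": "@postman/tough-cookie",
 "description": "RFC6265 Cookies and Cookie Jar for node.js",
 "keywords": [
 "HTTP",
@@ -67,14 +67,14 @@
 "RFC6265",
 "RFC2965"
 ],
-"version": "4.1.2",
-"homepage": "https://github.com/salesforce/tough-cookie",
+"version": "4.1.2-postman.2",
+"homepage": "https://github.com/postmanlabs/tough-cookie",
 "repository": {
 "type": "git",
-"url": "git://github.com/salesforce/tough-cookie.git"
+"url": "git://github.com/postmanlabs/tough-cookie.git"
 },
 "bugs": {
-"url": "https://github.com/salesforce/tough-cookie/issues"
+"url": "https://github.com/postmanlabs/tough-cookie/issues"
 },
 "main": "./lib/cookie",
 "files": [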