ResponseCookie to allow leading dot in domain name again #23924
Comments
Fair point that for a It makes sense to separate validation from the building of a cookie, so that a client response. Perhaps we can add a
I think both make sense, depending on where it's more used, if client or server. What are your thoughts regarding an alternative
After opening a support ticket with our CDN provider we received the following response:
This indeed seems to point at your implementation being a bit too strict for pretty common input. Hope this can be made more liberal soon :)
@JorritSalverda that quote is from section 5.2.3 which is for "User Agent Requirements". The server requirements in 4.1 however point to https://tools.ietf.org/html/rfc1034#section-3.5. As far as "soon" is concerned, the ticket has a target milestone and a backport scheduled.
@rubasace regarding That said I am also considering just dropping the rejection of a leading ".". It seems to have caused quite a bit of disruption and clients are instructed to ignore it by the RFC.
@rstoyanchev definitely agree on the affirmative API. Regarding the
`ResponseCookie` was changed and now applies Rfc6265Utils to validate attributes. As stated on issue #23776, we should be strict with output and lenient with input. Reality is that `ReactorClientHttpResponse` and `JettyClientHttpResponse` are using `ResponseCookie` to propagate cookies received. This scenario is clearly input and yet it's still failing when hitting endpoints behind Cloudflare, as they add the HttpOnly cookie with `domain=.domain.com` as stated here.

Regarding possible solutions, I think the builder itself could have some kind of flag to disable validation, allowing both `ReactorClientHttpResponse` and `JettyClientHttpResponse` to use it when just propagating cookies from the cookie header.
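
The strict-output versus lenient-input split discussed in this thread, as an added example that is not part of the issue and not Spring's own code: the class `CookieDomainPolicy` and its method names are hypothetical. It validates a `Domain` value for cookies an application writes against the RFC 1034 section 3.5 label syntax, and normalises a received value the way RFC 6265 section 5.2.3 instructs user agents to.

```java
import java.util.Locale;
import java.util.regex.Pattern;

/** Hypothetical helper for illustration; not Spring's Rfc6265Utils. */
public final class CookieDomainPolicy {

    // One label per RFC 1034 section 3.5 (leading digit allowed per RFC 1123 section 2.1):
    // letters, digits and inner hyphens, at most 63 characters.
    private static final Pattern LABEL =
            Pattern.compile("[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?");

    /** Strict: for Domain values this application writes into Set-Cookie. */
    static String validateForOutput(String domain) {
        if (domain == null || domain.isEmpty()) {
            throw new IllegalArgumentException("Invalid cookie domain: " + domain);
        }
        // limit -1 keeps empty labels, so a leading or trailing "." is rejected
        for (String label : domain.split("\\.", -1)) {
            if (!LABEL.matcher(label).matches()) {
                throw new IllegalArgumentException("Invalid cookie domain: " + domain);
            }
        }
        return domain;
    }

    /** Lenient: for Domain values received from a server (RFC 6265 section 5.2.3). */
    static String normalizeReceived(String attributeValue) {
        if (attributeValue == null || attributeValue.isEmpty()) {
            return null; // empty value: ignore the attribute
        }
        String domain = attributeValue.startsWith(".")
                ? attributeValue.substring(1) : attributeValue;
        return domain.toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        String received = ".domain.com"; // constructed sample, as in the issue text
        try {
            validateForOutput(received);
        } catch (IllegalArgumentException ex) {
            System.out.println("strict path rejects: " + ex.getMessage());
        }
        String normalized = normalizeReceived(received);
        System.out.println("lenient path yields: " + normalized);
        System.out.println("normalized passes strict: " + validateForOutput(normalized));
    }
}
```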