Orange-OpenSource / hurl

Hurl, run and test HTTP requests with plain text.
https://hurl.dev
Apache License 2.0

[assertions] allow cookie-attributes matched in case-insensitive #3265

Open thePanz opened 21 hours ago

thePanz commented 21 hours ago

What is the current bug behavior?

My server answers with the following:

    set-cookie: PHPSESSID=7f79194ea0bbd7f54b8a7da0a8d4d5b6; path=/; secure; httponly; samesite=lax

But the assertions

    [Asserts]
    cookie "PHPSESSID[Secure]" exists
    cookie "PHPSESSID[HttpOnly]" exists

fail with:

   | cookie "PHPSESSID[Secure]" exists
   |   actual:   none
   |   expected: something

What is the expected correct behavior?

Allow matching on the secure attribute too (case-insensitive).

Execution context

Possible fixes

Allow case-insensitive matches on the attributes? :shrug:
Not sure if the HTTP specs require handling the attributes in a case-sensitive way; I could not find any precise documentation for that.

jcamiel commented 11 hours ago

Hi @thePanz

According to RFC6265, attribute names should be treated case-insensitively:

If the attribute-name case-insensitively matches the string "Secure", the user agent MUST append an attribute to the cookie-attribute-list with an attribute-name of Secure and an empty attribute-value.

I think we should follow the spec and fix the actual behavior. Thanks for the issue!

fabricereix commented 2 hours ago

Yes @thePanz, you are right, our cookie attribute query should be case-insensitive to match the spec above and to be consistent with the browser.

I have tested the following response headers in Firefox:

Set-Cookie: CamelCase=Value; Max-Age=1000; HttpOnly
Set-Cookie: lowercase=value; max-age=1000; httponly
Set-Cookie: UPPERCASE=VALUE; MAX-AGE=1000; HTTPONLY

The 3 of them have the same expiration and the HttpOnly attribute set to true.

fabricereix commented 2 hours ago

We can also note that we already support case-insensitivity of the cookie attribute in the Hurl file:

The 2 queries below are equivalent:

cookie "CamelCase[HttpOnly]" exists
cookie "CamelCase[httponly]" exists
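To make the RFC 6265 point concrete, here is an added example (not Hurl's own code, and not tied to its internals): a minimal Set-Cookie parser with the exact-case attribute lookup that reproduces the failure reported above next to the case-insensitive lookup the spec calls for. The header value is the one from the issue; the struct and function names are assumptions of this example.

```rust
// Added example, not Hurl's own code: a small Set-Cookie parser that shows why
// the attribute lookup must be case-insensitive (RFC 6265, section 5.2).
#[derive(Debug, PartialEq)]
pub struct Cookie {
    pub name: String,
    pub value: String,
    // attributes exactly as the server sent them (name, value)
    pub attrs: Vec<(String, String)>,
}

impl Cookie {
    /// Parse a header value such as
    /// "PHPSESSID=abc; path=/; secure; httponly; samesite=lax".
    pub fn parse(header: &str) -> Option<Cookie> {
        let mut parts = header.split(';');
        let (name, value) = parts.next()?.trim().split_once('=')?;
        if name.trim().is_empty() {
            return None;
        }
        let attrs = parts
            .map(str::trim)
            .filter(|av| !av.is_empty())
            .map(|av| match av.split_once('=') {
                Some((k, v)) => (k.trim().to_string(), v.trim().to_string()),
                None => (av.to_string(), String::new()), // flag attribute: secure, httponly
            })
            .collect();
        Some(Cookie { name: name.trim().to_string(), value: value.trim().to_string(), attrs })
    }

    /// The behaviour reported in the issue: an exact-case comparison, so
    /// `secure` from the server never matches a query for `Secure`.
    pub fn attribute_exact(&self, key: &str) -> Option<&str> {
        self.attrs.iter().find(|(k, _)| k.as_str() == key).map(|(_, v)| v.as_str())
    }

    /// What the spec requires: compare attribute names case-insensitively,
    /// so `Secure`, `secure` and `SECURE` all name the same attribute.
    pub fn attribute(&self, key: &str) -> Option<&str> {
        self.attrs.iter().find(|(k, _)| k.eq_ignore_ascii_case(key)).map(|(_, v)| v.as_str())
    }
}

fn main() {
    let c = Cookie::parse("PHPSESSID=7f79194ea0bbd7f54b8a7da0a8d4d5b6; path=/; secure; httponly; samesite=lax").unwrap();
    println!("exact Secure: {:?}", c.attribute_exact("Secure")); // None (the bug)
    println!("ci Secure:    {:?}", c.attribute("Secure"));       // Some("")
}
```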