jshttp / cookie

HTTP server cookie parsing and serialization
MIT License

0.7.0 no longer supports `.localhost` domain value #173

Closed EvHaus closed 1 month ago

EvHaus commented 1 month ago

After upgrading from 0.6.0 to 0.7.0 this code no longer works:

const cookie = require('cookie');

// Works on 0.6.0; on 0.7.0 the leading dot in `domain` is rejected
cookie.serialize('myCookie', 'some content', {
  domain: '.localhost',
  httpOnly: true,
  maxAge: 2147483647,
  path: '/',
  sameSite: 'lax',
  secure: true
});

This now throws "option domain is invalid".

According to RFC 6265 Section 4.1.2.3, a leading "." (dot) should be allowed for targeting subdomains. Am I doing something wrong, or is this a possible 0.7.0 bug?

rdenman commented 1 month ago

I'm running into this same issue, reverting back to 0.6.0 for now.

robsterlini commented 1 month ago

We're running into a similar issue where our leading . is needed to support subdomains.

blakeembrey commented 1 month ago

RFC 6265 4.1.2.3:

> (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.)

@EvHaus Is that the language you are reading that the leading dot should be allowed, since I don't see your specific phrasing?

And then 5.2.3:

> Let cookie-domain be the attribute-value without the leading %x2E (".") character.

So it looks like the dot isn't required and isn't permitted in the spec for Set-Cookie, but I'm happy to be a bit looser with the spec here and allow the leading dot.

EvHaus commented 1 month ago

> Is that the language you are reading that the leading dot should be allowed, since I don't see your specific phrasing?

Correct.

> So it looks like the dot isn't required and isn't permitted in the spec for Set-Cookie

That's surprising to me. How would a cookie target all subdomains with it?

blakeembrey commented 1 month ago

> How would a cookie target all subdomains with it?

If you specify the domain, they automatically target all subdomains. It surprised me too. It's part of the domain-match part of the spec.

blakeembrey commented 1 month ago

Domain match: 5.1.3. Building the cookie header is specified here: 5.4. TL;DR: no domain = host-only, domain = send for this domain and any subdomain.

The leading dot behavior is from the earlier spec: https://datatracker.ietf.org/doc/html/rfc2109.
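The domain-match rule described above, worked through as an added example (not code from the jshttp/cookie library): RFC 6265 section 5.2.3 strips a leading dot and lowercases the Domain value, section 5.1.3 defines domain matching, and section 5.3 step 6 rejects a cookie whose setting host does not domain-match, which is what a trailing dot triggers. The public-suffix check of 5.3 step 5 and IPv6 literals are omitted here; the hostnames are constructed test values.

```javascript
// Added example, not part of jshttp/cookie: RFC 6265 Domain attribute handling.

// 5.2.3: drop a leading ".", lowercase; an empty value means the
// attribute is ignored (returns null).
function parseDomainAttribute(value) {
  if (value === '') return null;
  const cookieDomain = value.startsWith('.') ? value.slice(1) : value;
  if (cookieDomain === '') return null;
  return cookieDomain.toLowerCase();
}

// Simplification for the example: only dotted-quad IPv4 literals are
// recognised as IP addresses (5.1.3 excludes any IP address).
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// 5.1.3: host domain-matches cookieDomain when they are identical, or
// host ends with "." + cookieDomain and host is a name, not an IP.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  if (host === cookieDomain) return true;
  return host.endsWith('.' + cookieDomain) && !IPV4.test(host);
}

// Would a cookie set by `setHost` with Domain=`domainAttr` (undefined when
// the attribute is absent) be sent on a request to `requestHost`?
function cookieSentTo(setHost, domainAttr, requestHost) {
  const cookieDomain =
    domainAttr === undefined ? null : parseDomainAttribute(domainAttr);
  if (cookieDomain === null) {
    // No Domain attribute: host-only cookie, exact host match only.
    return requestHost.toLowerCase() === setHost.toLowerCase();
  }
  // 5.3 step 6: the setting host must itself domain-match, otherwise the
  // cookie is rejected entirely (this is what a trailing dot causes).
  if (!domainMatches(setHost, cookieDomain)) return false;
  return domainMatches(requestHost, cookieDomain);
}

module.exports = { parseDomainAttribute, domainMatches, cookieSentTo };
```

Run against the thread's case: Domain=localhost and Domain=.localhost behave identically, and both cover every subdomain of localhost, while omitting the attribute makes the cookie host-only.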

blakeembrey commented 1 month ago

Released a fix in https://github.com/jshttp/cookie/releases/tag/v0.7.1.