Use cookie_store crate instead of cookie::CookieJar #169

Merged
merged 5 commits into from
Oct 4, 2020

Conversation

jsha
Collaborator

@jsha jsha commented Sep 29, 2020

CookieJar doesn't support the path-match and domain-match algorithms from RFC 6265, while cookie_store does.

This fixes some issues with the cookie matching algorithm currently in ureq. For instance,
the domain-match uses substring matching rather than the RFC 6265 algorithm.

This deletes two tests:

  • match_cookies_returns_nothing_when_no_cookies didn't test much
  • agent_cookies was failing because cookie_store rejects cookies on the test: scheme. The way around this is to set up a testserver - but it turns out cookies_on_redirect already does that, and covers the same cases and more.

Owner

@algesten algesten left a comment

This does subtly change our behavior, which could be a breaking change. However, being more correct might be worth it.

Cargo.toml Outdated
@@ -39,6 +39,7 @@ serde = { version = "1", optional = true }
serde_json = { version = "1", optional = true }
encoding = { version = "0.2", optional = true }
native-tls = { version = "0.2", optional = true }
cookie_store = "0.12.0"
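Review bot: `cookie_store = "0.12.0"` on the last line of this hunk is the only dependency shown here without `optional = true`, so it would be compiled in even for builds that do not use cookies. Consider declaring it as `cookie_store = { version = "0.12.0", optional = true }` and enabling it from the feature that turns on cookie support, matching how serde_json, encoding and native-tls are declared just above it.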
Owner

This needs to be optional on the cookie feature or we pull in the deps for all features.

@jsha
Collaborator Author

jsha commented Sep 29, 2020

I agree it's a bit of a breaking change depending on use cases. To enumerate the changes:

  • Cookies could previously be sent to a wrong domain - e.g. a cookie set on example.com could go to example.com.evil.com or evilexample.com. Probably no one was relying on this, since it's quite broken.
  • A cookie with a path of /foo could be sent on a request to /foobar, but now it can't.
  • Cookies could previously be set on IP addresses, but now they can't.
  • Cookies could previously be set for domains other than the one on the request (or its parents), but now they can't.
  • When a cookie had no domain attribute, it would previously get the domain from the request, and subsequently be sent to that domain and all subdomains. Now, it will only be sent to that exact domain (host-only).

That last one is probably the most likely to break people, since someone could depend on it without realizing it was broken behavior.
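
The matching rules listed above, as an added example that is not code from this PR, ureq or cookie_store: the RFC 6265 domain-match (section 5.1.3) and path-match (section 5.1.4) rules next to loose substring and prefix checks, plus the host-only case. `StoredCookie`, `should_send` and the other function names are hypothetical, and the hosts and paths are constructed from the cases in the comment.

```rust
use std::net::IpAddr;

// Loose checks of the kind the comment describes: substring and raw prefix.
fn naive_domain_match(host: &str, cookie_domain: &str) -> bool {
    host.contains(cookie_domain)
}
fn naive_path_match(req_path: &str, cookie_path: &str) -> bool {
    req_path.starts_with(cookie_path)
}

// RFC 6265 section 5.1.3: equal, or host ends in ".<domain>" and is not an IP.
fn rfc6265_domain_match(host: &str, cookie_domain: &str) -> bool {
    let (host, domain) = (host.to_ascii_lowercase(), cookie_domain.to_ascii_lowercase());
    if host == domain {
        return true;
    }
    if domain.is_empty() || host.parse::<IpAddr>().is_ok() {
        return false;
    }
    host.strip_suffix(domain.as_str()).map_or(false, |rest| rest.ends_with('.'))
}

// RFC 6265 section 5.1.4: equal, or a prefix that stops at a '/' boundary.
fn rfc6265_path_match(req_path: &str, cookie_path: &str) -> bool {
    req_path.strip_prefix(cookie_path).map_or(false, |rest| {
        rest.is_empty() || cookie_path.ends_with('/') || rest.starts_with('/')
    })
}

// Hypothetical stored cookie; host_only is true when no Domain attribute was set.
struct StoredCookie<'a> { domain: &'a str, path: &'a str, host_only: bool }

fn should_send(c: &StoredCookie, host: &str, req_path: &str) -> bool {
    let domain_ok = if c.host_only {
        host.eq_ignore_ascii_case(c.domain)
    } else {
        rfc6265_domain_match(host, c.domain)
    };
    domain_ok && rfc6265_path_match(req_path, c.path)
}

fn main() {
    // Constructed hosts and paths taken from the cases listed in the comment.
    let c = StoredCookie { domain: "example.com", path: "/foo", host_only: false };
    for (h, p) in [("www.example.com", "/foo/bar"), ("evilexample.com", "/foo"), ("example.com", "/foobar")] {
        let naive = naive_domain_match(h, c.domain) && naive_path_match(p, c.path);
        println!("{}{}: naive={} rfc6265={}", h, p, naive, should_send(&c, h, p));
    }
}
```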

@algesten
Owner

algesten commented Oct 3, 2020

I say let's merge it.

@jsha jsha merged commit 2d4b42e into algesten:master Oct 4, 2020
@jsha jsha deleted the cookie_store branch October 4, 2020 17:21