0.7.0 no longer supports .localhost domain value #173

Closed
EvHaus opened this issue Oct 3, 2024 · 7 comments · Fixed by #174

Comments

@EvHaus

EvHaus commented Oct 3, 2024

After upgrading from 0.6.0 to 0.7.0 this code no longer works:

const cookie = require('cookie'); // jshttp/cookie, version 0.7.0

cookie.serialize('myCookie', 'some content', {
  domain: '.localhost', // leading dot: accepted by 0.6.0, rejected by 0.7.0
  httpOnly: true,
  maxAge: 2147483647,
  path: '/',
  sameSite: 'lax',
  secure: true
});

This now throws option domain is invalid.

According to RFC 6265 Section 4.1.2.3 a leading . (dot) should be allowed for targeting subdomains. Am I doing something wrong, or is this a possible 0.7.0 bug?

@rdenman

rdenman commented Oct 3, 2024

I'm running into this same issue, reverting back to 0.6.0 for now.

@robsterlini

We're running into a similar issue where our leading . is needed to support subdomains.

@blakeembrey
Member

RFC 6265 4.1.2.3:

(Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.)

@EvHaus Is that the language you are reading that the leading dot should be allowed, since I don't see your specific phrasing?

And then 5.2.3:

Let cookie-domain be the attribute-value without the leading %x2E (".") character.

So it looks like the dot isn't required and isn't permitted in the spec for Set-Cookie, but I'm happy to be a bit looser with the spec here and allow the leading dot.

@EvHaus
Author

EvHaus commented Oct 3, 2024

Is that the language you are reading that the leading dot should be allowed, since I don't see your specific phrasing?

Correct.

So it looks like the dot isn't required and isn't permitted in the spec for Set-Cookie

That's surprising to me. How would a cookie target all subdomains with it?

@blakeembrey
Member

blakeembrey commented Oct 3, 2024

How would a cookie target all subdomains with it?

If you specify the domain, they automatically target all subdomains. It surprised me too. It's part of the domain-match part of the spec.

@blakeembrey
Member

Domain match: 5.1.3. Building the cookie header is specified here: 5.4. TL;DR: no domain = host-only, domain = send for this domain and any subdomain.

The leading dot behavior is from the earlier spec: https://datatracker.ietf.org/doc/html/rfc2109.
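As an added example (not jshttp/cookie's own code), a small JavaScript model of the RFC 6265 rules quoted in this thread: Domain attribute parsing from 5.2.3, domain matching from 5.1.3, and the host-only decision the user agent makes when storing (5.3) and sending (5.4) a cookie. It assumes ASCII host names and skips the public-suffix check in 5.3.

```javascript
// Hypothetical helper names; constructed to model RFC 6265, not the library's API.

// RFC 6265 5.2.3: parse a Domain attribute value.
// Returns the cookie-domain, or null when the attribute must be ignored.
function parseDomainAttribute(value) {
  if (value === undefined || value === '') return null; // empty value: ignore
  if (value.endsWith('.')) return null;                  // trailing dot: ignore attribute
  const bare = value.startsWith('.') ? value.slice(1) : value; // leading dot is dropped
  return bare.toLowerCase();                             // canonicalized (ASCII only here)
}

// RFC 6265 5.1.3: does request host `host` domain-match `domain`?
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  if (h === domain) return true;
  // Otherwise `domain` must be a suffix on a label boundary and host must not be an IP.
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(h);
  return !isIPv4 && h.endsWith('.' + domain);
}

// RFC 6265 5.3 (public-suffix step omitted): build the stored cookie for a
// Set-Cookie received at `requestHost`. No usable Domain => host-only cookie.
// A Domain the request host does not match => cookie rejected (returns null).
function storeCookie(name, domainAttr, requestHost) {
  const d = parseDomainAttribute(domainAttr);
  if (d === null) return { name, hostOnly: true, domain: requestHost.toLowerCase() };
  if (!domainMatches(requestHost, d)) return null;
  return { name, hostOnly: false, domain: d };
}

// RFC 6265 5.4: should the user agent send this stored cookie to `requestHost`?
// Host-only cookies need an exact host match; others use domain matching,
// which is why "domain = this host and every subdomain" needs no leading dot.
function shouldSend(cookie, requestHost) {
  const h = requestHost.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatches(h, cookie.domain);
}
```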

@blakeembrey
Member

Released a fix in https://github.com/jshttp/cookie/releases/tag/v0.7.1.
