-
Notifications
You must be signed in to change notification settings - Fork 209
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cookie host-only-flag is not taken into account during storage #266
Comments
Thanks for pointing this out! It's been a while since we've done a thorough review of the code to ensure spec compliance, and it's on our roadmap. |
Awesome! I'd be happy to try to contribute a fix, but I'm a little unsure how to best contribute with the typescript rewrite in progress. Any advice on that front? |
We should be following the RFC 6265 definition. In 5.3.11:
We were just discussing this in a test for the typescript implementation; we should validate that we have the correct behavior (@colincasey); but I think we do. It looks like RFC6265bis hasn't been approved yet and will expire at the end of May: I'll create a Board to help us track proposed changes; would you want to work with us on that @max-stytch? We could use some help on stories to track there, as well as implementations on the test side are always a good way to start! |
I've created the following classic project for RFC 6265-bis: https://github.com/salesforce/tough-cookie/projects/7 I've just created the project, but I'll start adding stories as I get time. :) |
Thank you for the diff link. It will help us, but we really need to analyze the differences and create stories in order to get a tracking version. If you'd like to help, that would be a great spot to start! |
TL;DR
Cookies with different subdomain characteristics are clobbered during writes.
When setting two cookies with the same name, but one has
domain
specified and the other does not, I'd expect both to remain in the store. Instead, the second will always overwrite the first.Expected Behavior
I would expect this library to match the behavior found in the browser. Tested on https://example.com using
Actual Behavior
RFC 6265bis reads
This is different from the original RFC 6265, which reads
The text was updated successfully, but these errors were encountered: