[Django] #36467: Remove leading whitespace in value of Set-Cookie header in wsgi handler

Django

unread,

Jun 17, 2025, 5:10:42 AM6/17/25

to django-...@googlegroups.com

#36467: Remove leading whitespace in value of Set-Cookie header in wsgi handler
-------------------------------------+-------------------------------------
Reporter: lukas- | Owner: lukas-komischke-
komischke-ameos | ameos
Type: | Status: assigned
Uncategorized |
Component: HTTP | Version: 5.1
handling |
Severity: Normal | Keywords:
Triage Stage: | Has patch: 1
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
Currently, response headers in handlers/wsgi.py are generated with their
value component starting with a whitespace character.

Although these whitespaces should be cleaned up by clients, if I
understand RFC 6265 correctly, this causes an issue when using ''tornado''
> 6.5.0, as they have implemented stricter checks for headers:

{{{
tornado.httputil.HTTPInputError: Invalid header value '
csrftoken=7pFTUEBo24KFj9cKhWfeuTPSXmWYmYuQ; expires=Tue, 09 Jun 2026
14:27:44 GMT; Max-Age=31449600; Path=/; SameSite=Lax'
}}}

Django already properly strips those whitespaces in handlers/asgi.py, so
I'd suggest also stripping them in handlers/wsgi.py in order to restore
compatibility with ''tornado''.
--
Ticket URL: <https://code.djangoproject.com/ticket/36467>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

unread,

Jun 17, 2025, 5:53:29 AM6/17/25

to django-...@googlegroups.com

#36467: Remove leading whitespace in value of Set-Cookie header in wsgi handler
-------------------------------------+-------------------------------------

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Lukas Komischke):

* type: Uncategorized => Cleanup/optimization

--
Ticket URL: <https://code.djangoproject.com/ticket/36467#comment:1>

Django

unread,

Jun 17, 2025, 6:21:36 AM6/17/25

to django-...@googlegroups.com

#36467: Remove leading whitespace in value of Set-Cookie header in wsgi handler
-------------------------------------+-------------------------------------
Reporter: Lukas Komischke | Owner: Lukas
Type: | Komischke

Cleanup/optimization | Status: closed

Component: HTTP handling | Version: 5.1

Severity: Normal | Resolution: needsinfo

Changes (by Sarah Boyce):

* resolution: => needsinfo
* status: assigned => closed

Comment:

Hi Lucas, can you share a test project or some tests so that we can
replicate and validate the issue?
--
Ticket URL: <https://code.djangoproject.com/ticket/36467#comment:2>

Django

unread,

Jun 17, 2025, 7:00:37 AM6/17/25

to django-...@googlegroups.com

#36467: Remove leading whitespace in value of Set-Cookie header in wsgi handler
-------------------------------------+-------------------------------------
Reporter: Lukas Komischke | Owner: Lukas
Type: | Komischke
Cleanup/optimization | Status: closed
Component: HTTP handling | Version: 5.1
Severity: Normal | Resolution: needsinfo
Keywords: | Triage Stage:
| Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Lukas Komischke):

Replying to [comment:2 Sarah Boyce]:

> Hi Lucas, can you share a test project or some tests so that we can
replicate and validate the issue?

Hi!

Sure! I've created a simple test project demonstrating the issue here:
https://github.com/lukas-komischke-ameos/django_36467
--
Ticket URL: <https://code.djangoproject.com/ticket/36467#comment:3>

Django

unread,

Jun 17, 2025, 8:03:52 AM6/17/25

to django-...@googlegroups.com

#36467: Remove leading whitespace in value of Set-Cookie header in wsgi handler
-------------------------------------+-------------------------------------
Reporter: Lukas Komischke | Owner: Lukas
Type: | Komischke

Cleanup/optimization | Status: new
Component: HTTP handling | Version: 5.2
Severity: Normal | Resolution:

Changes (by Lukas Komischke):

* resolution: needsinfo =>
* status: closed => new
* version: 5.1 => 5.2

--
Ticket URL: <https://code.djangoproject.com/ticket/36467#comment:4>

Django

unread,

Jun 17, 2025, 10:31:25 AM6/17/25

to django-...@googlegroups.com

#36467: Remove leading whitespace in value of Set-Cookie header in wsgi handler
-------------------------------------+-------------------------------------
Reporter: Lukas Komischke | Owner: Lukas
Type: | Komischke
Cleanup/optimization | Status: new

Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Sarah Boyce):

* stage: Unreviewed => Accepted
* version: 5.2 => dev

--
Ticket URL: <https://code.djangoproject.com/ticket/36467#comment:5>

Django

unread,

Jun 17, 2025, 10:36:45 AM6/17/25

to django-...@googlegroups.com

#36467: Remove leading whitespace in value of Set-Cookie header in wsgi handler
-------------------------------------+-------------------------------------
Reporter: Lukas Komischke | Owner: Lukas
Type: | Komischke
Cleanup/optimization | Status: new
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:

Keywords: | Triage Stage: Ready for
| checkin

Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/36467#comment:6>

Django

unread,

Jun 18, 2025, 5:25:24 AM6/18/25

to django-...@googlegroups.com

#36467: Remove leading whitespace in value of Set-Cookie header in wsgi handler
-------------------------------------+-------------------------------------
Reporter: Lukas Komischke | Owner: Lukas
Type: | Komischke
Cleanup/optimization | Status: new
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
| checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Sarah Boyce <42296566+sarahboyce@…>):

In [changeset:"1cd91d5d4bfb65ea7b5c7177310f849d05037609" 1cd91d5]:
{{{#!CommitTicketReference repository=""
revision="1cd91d5d4bfb65ea7b5c7177310f849d05037609"
Refs #36467 -- Added test for Set-Cookie header values in ASGIHandler.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36467#comment:7>

Django

unread,

Jun 18, 2025, 5:25:25 AM6/18/25

to django-...@googlegroups.com

#36467: Remove leading whitespace in value of Set-Cookie header in wsgi handler
-------------------------------------+-------------------------------------
Reporter: Lukas Komischke | Owner: Lukas
Type: | Komischke

Cleanup/optimization | Status: closed

Component: HTTP handling | Version: dev

Severity: Normal | Resolution: fixed

Changes (by Sarah Boyce <42296566+sarahboyce@…>):

* resolution: => fixed
* status: new => closed

Comment:

In [changeset:"db4d65f8be1627223707185edac7181584425149" db4d65f]:
{{{#!CommitTicketReference repository=""
revision="db4d65f8be1627223707185edac7181584425149"
Fixed #36467 -- Removed leading whitespaces from Set-Cookie header values
in WSGIHandler.

This also aligned the Set-Cookie logic in the WSGIHandler and ASGIHandler.

Co-authored-by: Sarah Boyce <42296566+...@users.noreply.github.com>
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36467#comment:8>

Reply all

Reply to author

Forward