[go] net/http/cookiejar: allow cookies with an IP address in the domain attribute

Volker Dobler (Gerrit)

unread,

Jun 10, 2021, 8:08:16 AM6/10/21

to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Volker Dobler has uploaded this change for review.

net/http/cookiejar: allow cookies with an IP address in the domain attribute

A set domain attribute in a cookie in a Set-Cookie header is intended to
create a domain cookie, i.e. a cookie that is not only sent back to the
domain the Set-Cookie was received from, but to all subdomains thereof
too. Sometimes people set this domain attribute to an IP address. This
seems to be allowed by RFC 6265 albeit it's not really sensible as there
are no "subdomains" of an IP address.
Contemporary browsers allow such cookies, currently Jar forbids them.

This CL allows to persist such cookies in the Jar and send them back
again in subsequent requests. Jar allows those cookies that all
contemporary browsers allow (not all browsers behave the same and none
seems to conform to RFC 6265 in regards to these cookies, see below).

The following browsers in current version) were tested:
  - Chrome (Mac and Windows)
  - Firefox (Mac and Windows)
  - Safari (Mac)
  - Opera (Mac)
  - Edge (Windows)
  - Internet Explorer (Windows)
  - curl (Mac, Linux)

All of them allow a cookie to be set via the following HTTP header if
the request was made to e.g. http://35.206.97.83/ :

    Set-Cookie: a=1; domain=35.206.97.83

They differ in handling a leading dot "." before the IP address as in

    Set-Cookie: a=1; domain=.35.206.97.83

sets a=1 only in curl and in Internet Explorer, the other browsers just
reject such cookies.

As far as these internals can be observed the browsers do not treat such
cookies as domain cookies but as host cookies. RFC 6265 would require to
treat them as domain cookies; this is a) nonsensical and b) doesn't make
an observable difference. As we do not expose Jar entries and their
HostOnly flag it probably is still okay to claim that Jar implements a
RFC 6265 cookie jar.

RFC 6265 would allow cookies with dot-prefixed domains like
domain=.35.206.97.83 but it seems as if this feature of RFC 6265 is not
used in real life and not requested by users of package cookiejar (probably
because it doesn't work in browsers) so we refrain from documenting this
detail.

Fixes #12610

Change-Id: Ibd883d85bde6b958b732cbc3618a1238ac4fc84a
---
M src/net/http/cookiejar/jar.go
M src/net/http/cookiejar/jar_test.go
2 files changed, 56 insertions(+), 8 deletions(-)

diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go
index e6583da..eff23b3 100644
--- a/src/net/http/cookiejar/jar.go
+++ b/src/net/http/cookiejar/jar.go
@@ -457,10 +457,36 @@
 	}
 
 	if isIP(host) {
-		// According to RFC 6265 domain-matching includes not being
-		// an IP address.
-		// TODO: This might be relaxed as in common browsers.
-		return "", false, errNoHostname
+		// RFC 6265 is not super clear here, a sensible interpretation
+		// is that cookies with an IP address in the domain-attribute
+		// are allowed.
+
+		// RFC 6265 section 5.2.3 mandates to strip an optional leading
+		// dot in the domain-attribute before processing the cookie.
+		//
+		// Most browsers don't do that for IP addresses, only curl
+		// version 7.54) and and IE (version 11) do not reject a
+		//     Set-Cookie: a=1; domain=.127.0.0.1
+		// This leading dot is optional and serves only as hint for
+		// humans to indicate that a cookie with "domain=.bbc.co.uk"
+		// would be sent to every subdomain of bbc.co.uk.
+		// It just doesn't make sense on IP addresses.
+		// The other processing and validation steps in RFC 6265 just
+		// collaps to:
+		if host != domain {
+			return "", false, errIllegalDomain
+		}
+
+		// According to RFC 6265 shuch cookies should be treated as
+		// domain cookies.
+		// As there are no subdomains of an IP address the treatment
+		// according to RFC 6265 would be exactly the same as that of
+		// a host-only cookie. Contemporary browsers (and curl) do
+		// allows such cookies but treat them as host-only cookies.
+		// So do we as it just doesn't make sense to label them as
+		// domain cookies when there is no domain; the whole notion of
+		// domain cookies requires a domain name to be well defined.
+		return host, true, nil
 	}
 
 	// From here on: If the cookie is valid, it is a domain cookie (with
diff --git a/src/net/http/cookiejar/jar_test.go b/src/net/http/cookiejar/jar_test.go
index 47fb1ab..57415d9 100644
--- a/src/net/http/cookiejar/jar_test.go
+++ b/src/net/http/cookiejar/jar_test.go
@@ -305,8 +305,8 @@
 	{"foo.sso.example.com", "sso.example.com", "sso.example.com", false, nil},
 	{"bar.co.uk", "bar.co.uk", "bar.co.uk", false, nil},
 	{"foo.bar.co.uk", ".bar.co.uk", "bar.co.uk", false, nil},
-	{"127.0.0.1", "127.0.0.1", "", false, errNoHostname},
-	{"2001:4860:0:2001::68", "2001:4860:0:2001::68", "2001:4860:0:2001::68", false, errNoHostname},
+	{"127.0.0.1", "127.0.0.1", "127.0.0.1", true, nil},
+	{"2001:4860:0:2001::68", "2001:4860:0:2001::68", "2001:4860:0:2001::68", true, nil},
 	{"www.example.com", ".", "", false, errMalformedDomain},
 	{"www.example.com", "..", "", false, errMalformedDomain},
 	{"www.example.com", "other.com", "", false, errIllegalDomain},
@@ -327,7 +327,7 @@
 	for _, tc := range domainAndTypeTests {
 		domain, hostOnly, err := jar.domainAndType(tc.host, tc.domain)
 		if err != tc.wantErr {
-			t.Errorf("%q/%q: got %q error, want %q",
+			t.Errorf("%q/%q: got %q error, want %v",
 				tc.host, tc.domain, err, tc.wantErr)
 			continue
 		}
@@ -593,6 +593,21 @@
 		[]query{{"http://192.168.0.10", "a=1"}},
 	},
 	{
+		"Domain cookies on IP.",
+		"http://192.168.0.10",
+		[]string{
+			"a=1; domain=192.168.0.10",  // allowed
+			"b=2; domain=172.31.9.9",    // rejected, can't set cookie for other IP
+			"c=3; domain=.192.168.0.10", // rejected like in most browsers
+		},
+		"a=1",
+		[]query{
+			{"http://192.168.0.10", "a=1"},
+			{"http://172.31.9.9", ""},
+			{"http://www.fancy.192.168.0.10", ""},
+		},
+	},
+	{
 		"Port is ignored #1.",
 		"http://www.host.test/",
 		[]string{"a=1"},
@@ -926,11 +941,18 @@
 	{
 		"TestIpAddress #3.",
 		"http://1.2.3.4/foo",
-		[]string{"a=1; domain=1.2.3.4"},
+		[]string{"a=1; domain=1.2.3.3"},
 		"",
 		[]query{{"http://1.2.3.4/foo", ""}},
 	},
 	{
+		"TestIpAddress #4.",
+		"http://1.2.3.4/foo",
+		[]string{"a=1; domain=1.2.3.4"},
+		"a=1",
+		[]query{{"http://1.2.3.4/foo", "a=1"}},
+	},
+	{
 		"TestNonDottedAndTLD #2.",
 		"http://com./index.html",
 		[]string{"a=1"},

To view, visit change 326689. To unsubscribe, or for help writing mail filters, visit settings.

Damien Neil (Gerrit)

unread,

Jun 28, 2021, 4:48:39 PM6/28/21

to Volker Dobler, goph...@pubsubhelper.golang.org, Russ Cox, Go Bot, golang-co...@googlegroups.com

Attention is currently required from: Volker Dobler.

Patch set 2:Code-Review +2

View Change

To view, visit change 326689. To unsubscribe, or for help writing mail filters, visit settings.

Dmitri Shuralyov (Gerrit)

unread,

Jun 28, 2021, 6:52:48 PM6/28/21

to Volker Dobler, goph...@pubsubhelper.golang.org, Dmitri Shuralyov, Damien Neil, Russ Cox, Go Bot, golang-co...@googlegroups.com

Attention is currently required from: Volker Dobler.

Patch set 2:Run-TryBot +1Trust +1

View Change

To view, visit change 326689. To unsubscribe, or for help writing mail filters, visit settings.

Michael Knyszek (Gerrit)

unread,

May 17, 2022, 4:00:03 PM5/17/22

to Volker Dobler, goph...@pubsubhelper.golang.org, Gopher Robot, Dmitri Shuralyov, Damien Neil, Russ Cox, golang-co...@googlegroups.com

Attention is currently required from: Volker Dobler.

Patch set 2:Code-Review +1

View Change

To view, visit change 326689. To unsubscribe, or for help writing mail filters, visit settings.

Ian Lance Taylor (Gerrit)

unread,

May 17, 2022, 5:41:26 PM5/17/22

to Volker Dobler, goph...@pubsubhelper.golang.org, Gopher Robot, Dmitri Shuralyov, Damien Neil, Russ Cox, golang-co...@googlegroups.com

Attention is currently required from: Volker Dobler.

View Change

1 comment:

Patchset:
- Patch Set #2:
  Ping dneil: this is ready to submit if you update your +2. Thanks.

To view, visit change 326689. To unsubscribe, or for help writing mail filters, visit settings.

Damien Neil (Gerrit)

unread,

May 18, 2022, 2:13:58 PM5/18/22

to Volker Dobler, goph...@pubsubhelper.golang.org, Gopher Robot, Dmitri Shuralyov, Russ Cox, golang-co...@googlegroups.com

Attention is currently required from: Volker Dobler.

View Change

1 comment:

Patchset:
- Patch Set #2:
  Attempting to update my +2. (Just clicking "send" without a message didn't work.)

To view, visit change 326689. To unsubscribe, or for help writing mail filters, visit settings.

Damien Neil (Gerrit)

unread,

May 18, 2022, 2:15:17 PM5/18/22

to Volker Dobler, goph...@pubsubhelper.golang.org, Gopher Robot, Dmitri Shuralyov, Russ Cox, golang-co...@googlegroups.com

Attention is currently required from: Volker Dobler.

Patch set 2:-Code-Review

View Change

To view, visit change 326689. To unsubscribe, or for help writing mail filters, visit settings.

Damien Neil (Gerrit)

unread,

May 18, 2022, 2:15:21 PM5/18/22

to Volker Dobler, goph...@pubsubhelper.golang.org, Gopher Robot, Dmitri Shuralyov, Russ Cox, golang-co...@googlegroups.com

Attention is currently required from: Volker Dobler.

Patch set 2:Code-Review +2

View Change

To view, visit change 326689. To unsubscribe, or for help writing mail filters, visit settings.

Reply all

Reply to author

Forward