net/http why drop the leading dot of cookie.Domain
1,628 views
Skip to first unread message
jk.lee....@gmail.com
Jan 26, 2015, 9:44:58 AM1/26/15
to golan...@googlegroups.com
Nigel Tao
Feb 8, 2015, 11:19:45 PM2/8/15
to jk.lee....@gmail.com, golang-nuts
On Tue, Jan 27, 2015 at 1:44 AM, <jk.lee....@gmail.com> wrote:
> https://github.com/golang/go/blob/master/src/net/http/cookie.go#L144-L151
It's been a while since I've looked at this, but the relevant spec for
HTTP Cookies is RFC 6265, and sections 4 and 5 deal with servers and
clients.
Section 4.1.2.3. The Domain Attribute says that:
Note that a leading %x2E ("."), if present, is ignored even though
that character is not permitted.
Section 5.2.3. The Domain Attribute says that:
If the first character of the attribute-value string is %x2E ("."):
Let cookie-domain be the attribute-value without the leading %x2E
(".") character.
> https://github.com/golang/go/blob/master/src/net/http/cookie.go#L144-L151
It's been a while since I've looked at this, but the relevant spec for
HTTP Cookies is RFC 6265, and sections 4 and 5 deal with servers and
clients.
Section 4.1.2.3. The Domain Attribute says that:
Note that a leading %x2E ("."), if present, is ignored even though
that character is not permitted.
Section 5.2.3. The Domain Attribute says that:
If the first character of the attribute-value string is %x2E ("."):
Let cookie-domain be the attribute-value without the leading %x2E
(".") character.
Žygimantas Stauga
Jul 16, 2015, 1:15:16 PM7/16/15
to golan...@googlegroups.com, jk.lee....@gmail.com
Any updates? Is it possible set domain with leading dot without hacks?
Matt Harden
Jul 16, 2015, 11:20:59 PM7/16/15
to Žygimantas Stauga, golan...@googlegroups.com, jk.lee....@gmail.com
Nigel answered the OP's question with quotes from the RFC showing that the package is implementing the correct behavior. So I don't think this will be changed.
On Thu, Jul 16, 2015 at 12:15 PM Žygimantas Stauga <z.st...@gmail.com> wrote:
Any updates? Is it possible set domain with leading dot without hacks?
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Volker Dobler
Jul 17, 2015, 4:15:13 AM7/17/15
to golan...@googlegroups.com, jk.lee....@gmail.com
Am Donnerstag, 16. Juli 2015 19:15:16 UTC+2 schrieb Žygimantas Stauga:
Any updates? Is it possible set domain with leading dot without hacks?
There are no valid domain names of the form .label.tld so there is
no real reason to set domain names with a leading dot. The leading
dot was an indication that the cookie should be a domain cookie
(instead of a host cookie). The switch from host to domain cookie is
done by providing a domain attribute in the Set-Cookie header. This
domain attribute may or may not have a leading dot, both version
generate a domain cookie.
What are you trying to do so that the "normal" ways of handling cookies
does not suffice and requires a hack?
V.
mara...@gmail.com
Dec 9, 2018, 9:40:59 PM12/9/18
to golang-nuts
I know this is an old question but it hasn't changed and I believe this was for compatibility with RFC 2109 (which is obsoleted by RFC 6265).
Section 4.2.2 states:
Domain=domain
Optional. The Domain attribute specifies the domain for which the
cookie is valid. An explicitly specified domain must always start
with a dot.Reply all
Reply to author
Forward
0 new messages