Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: (*http.Response).Cookies have different behaviour compared with web browser #66118

Open
ii64 opened this issue Mar 5, 2024 · 5 comments
Open

net/http: (*http.Response).Cookies have different behaviour compared with web browser #66118

ii64 opened this issue Mar 5, 2024 · 5 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Backlog

Comments

@ii64
Copy link

ii64 commented Mar 5, 2024

Go version

go version go1.22.0 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/ii64/.cache/go-build'
GOENV='/home/ii64/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/ii64/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/ii64/go'
GOPRIVATE=''
GOPROXY='https://goproxy.cn,https://gocenter.io,https://goproxy.io,direct'
GOROOT='/usr/lib/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/lib/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.0'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4219600399=/tmp/go-build -gno-record-gcc-switches'

What did you do?

I was trying to get any valid cookies given in HTTP response header specifically via Set-Cookie header entry. https://go.dev/play/p/M8hiEzF_n97

What did you see happen?

In the example code, the Cookies method exclude utid because it has quotation mark chars inside cookie-value. Looking at the RFC in the comment, https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1

Quotation mark " OR in hex 0x22 is excluded, which is already expected behaviour:

 set-cookie-header = "Set-Cookie:" SP set-cookie-string
 set-cookie-string = cookie-pair *( ";" SP cookie-av )
 cookie-pair       = cookie-name "=" cookie-value
 cookie-name       = token
 cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
 cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                       ; US-ASCII characters excluding CTLs,
                       ; whitespace DQUOTE, comma, semicolon,
                       ; and backslash

However, for web browsers that behaviour is totally fine.

What did you expect to see?

Interface for custom validation for valid cookies
@bcmills
Copy link
Contributor

bcmills commented Mar 5, 2024

(attn @neild)

@mknyszek mknyszek added this to the Backlog milestone Mar 5, 2024
@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 5, 2024
@ii64
Copy link
Author

ii64 commented Mar 5, 2024

Just adding an extra context here of what Chromium did, is basically allowing " and some others:

Expand 
  // IsValidCookieValue() returns whether a string matches the following
  // grammar:
  //
  // cookie-value       = *cookie-value-octet
  // cookie-value-octet = %x20-3A / %x3C-7E / %x80-FF
  //                       ; octets excluding CTLs and ";"
  //
  // This can be used to determine whether cookie values contain any invalid
  // characters.
  //
  // Note that RFC6265bis section 4.1.1 suggests a stricter grammar for
  // parsing cookie values, but we choose to allow a wider range of characters
  // than what's allowed by that grammar (while still conforming to the
  // requirements of the parsing algorithm defined in section 5.2).
  //
  // For reference, see:
  //  - https://crbug.com/238041

Effectivly changing the grammar to:

cookie-value       = *cookie-value-octet
cookie-value-octet = %x20-3A / %x3C-7E / %x80-FF
                       ; octets excluding CTLs and ";"

@Zxilly
Copy link
Contributor

Zxilly commented Mar 5, 2024

https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/cookies/parsed_cookie.cc

a reference to the chromium implementation

@AlexanderYastrebov
Copy link
Contributor

AlexanderYastrebov commented Mar 6, 2024
edited

Is this a duplicate of #46443 ?

@ii64
Copy link
Author

ii64 commented Mar 6, 2024

Is this a duplicate of #46443 ?

No, this one is expecting an interface for cookie validation for cookie-value grammar customability.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
5 participants
@AlexanderYastrebov @mknyszek @bcmills @ii64 @Zxilly