Given a request like:

The cookie download middleware will discard the cookie because b.example does not match¹ a.example. The cookie will not only be ignored for the purpose of sending this specific request, which is OK, but it will not be added to the cookie jar either, meaning that if a.example redirects to b.example, the follow-up request to b.example is not going to include this cookie either.
I think we need to make it so that domain-based filtering does not keep a cookie out of the cookie jar, so that we can set a cookie for a different domain on a request with the goal of having that cookie reach the right domain in a redirect scenario.
But we need to make sure that we keep applying the domain filtering to cookies that come in the Set-Cookie header in a response, as doing otherwise would be a security issue.
¹ Understanding by “match” what the cookie specification understands when it defines how user agents must handle Set-Cookie headers.
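
An added sketch of the behaviour proposed above (not Scrapy's code and not part of the original issue): cookies set on a request are stored under their own domain, cookies from a response are domain-filtered, and filtering is applied again when sending. `SketchJar`, its methods and the cookie names are hypothetical and constructed for illustration; public-suffix and host-only handling are omitted.

```python
import ipaddress


def domain_match(host: str, domain: str) -> bool:
    """Domain matching in the sense of RFC 6265 section 5.1.3."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP address hosts only match when identical
    except ValueError:
        return host.endswith("." + domain)


class SketchJar:
    """Hypothetical jar for illustration; not Scrapy's CookieJar."""

    def __init__(self):
        self._store = {}  # (domain, name) -> value

    def add_from_request(self, name, value, domain):
        # Caller-supplied cookie: kept under its own domain even when that
        # domain differs from the host of the request it was attached to.
        self._store[(domain.lower().lstrip("."), name)] = value

    def add_from_response(self, response_host, name, value, domain):
        # Server-supplied cookie: the responding host must domain-match the
        # Domain attribute, otherwise the cookie is rejected.
        domain = domain.lower().lstrip(".")
        if not domain_match(response_host, domain):
            return False
        self._store[(domain, name)] = value
        return True

    def cookies_for(self, host):
        # Filtering on send: only domain-matching cookies leave the jar.
        return {n: v for (d, n), v in self._store.items() if domain_match(host, d)}


def redirect_demo():
    jar = SketchJar()
    # Constructed cookie for b.example, attached to a request for a.example.
    jar.add_from_request("currency", "USD", "b.example")
    # a.example tries to set a cookie for b.example in a response.
    rejected = not jar.add_from_response("a.example", "sid", "x", "b.example")
    return jar.cookies_for("a.example"), jar.cookies_for("b.example"), rejected
```
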