Adds filters for request cookies, per HTTP standards #8
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
HTTP::Cookies
, in the standard library, appears to be a relatively dumb collection ofHTTP::Cookie
objects and does not appear to do any filtering based on HTTP standards. The library seems to rely on the developer having prior knowledge of whether or not to send any given cookie.Not everyone may understand there even should be filtering, but it makes sense when put in another context: not sending my Facebook login cookie to Github even though I have visited both sites in the same browsing session.
This change applies the necessary filtering for security reasons:
HTTP::Cookie#secure
limits the cookie to only HTTPS requestsHTTP::Cookie#path
limits the cookie to be used only if the request path starts with the given value on the cookieHTTP::Cookie#domain
limits the cookie to be used only if the request's domain is either the cookie's domain or subdomain (or somewhere down the chain of sub-sub-domains)Ignored attributes of
HTTP::Cookie
:HTTP::Cookie#http_only
limits usage of the cookie by javascript to prevent the browser from XSS attacks leaking the cookies to an unauthorized destinationHTTP::Cookie#extension
??? (frankly, I'm not sure what this is for. Haven't found anything online about it in the HTTP standards)Note: Until #7 is merged in, Travis will say this build is broken. I wanted this PR to be independent of it. The current form should work just fine in prior versions of Crystal.