On Jul 18, 2013, at 1:54 PM, Marc Lehmann <[email protected]> wrote:
> On Thu, Jul 18, 2013 at 11:40:14PM +0600, Andrey Khozov <[email protected]> wrote:
>> When AE::HTTP gets the header
>> *Set-Cookie: name=data; Path=/; Domain=example.com*
>> a key '*.example.com*' (with a leading point) appears in the jar,
>> and at the next HTTP request the cookies are not sent.
>
> Your mails are very confusing - I assume '* means a start quote and *'
> means an end quote (using consistent quoting would help enormously), so
> the two strings are:
>
>    example.com
>    .example.com
>
> And for this, yes, as per most of the specs and as used in the real world,
> the cookie should not be sent, as .example.com only matches subdomains of
> example.com. Sending it unconditionally is a security risk.
>
> So, this is not a bug.
>
> Keep in mind that AE::HTTP doesn't enforce its cookie management, it's
> entirely optional, and, as mentioned in the documentation, you can use
> other implementations that might implement your take on how cookies should
> work, or implement your own.
>
> Again, there is no official specification (or rather, there are many, but
> no agreed-upon one) for how this should be done, so your idea is likely as
> good as mine. AE::HTTP is designed to err on the conservative side.
>

FWIW, just about every browser I've seen behaves as Andrey describes.

--
Lee
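
The two matching rules contrasted in this thread, side by side, as an added example (not AnyEvent::HTTP's code and not from either poster). `match_strict` follows the reading in the quoted reply and `match_rfc6265` follows the domain-match rule of RFC 6265 (sections 5.1.3 and 5.2.3); the function names and the test hosts are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Strict reading from the quoted reply: a jar key with a leading dot
# matches subdomains only; a key without one matches that exact host.
sub match_strict {
    my ($host, $key) = map { lc $_ } @_;
    return $host eq $key ? 1 : 0 unless $key =~ /^\./;
    my $ok = length($host) > length($key)
        && substr($host, -length($key)) eq $key;
    return $ok ? 1 : 0;
}

# RFC 6265 domain-match: the leading dot of the Domain attribute is
# dropped, then the host matches if it is identical to the domain or
# ends in "." followed by the domain.
sub match_rfc6265 {
    my ($host, $domain) = map { lc $_ } @_;
    $domain =~ s/^\.//;
    return 0 if $domain eq '';       # nothing to match against
    return 1 if $host eq $domain;    # identical strings match
    # IP literals may only match exactly, never by suffix.
    return 0 if $host =~ /^[\d.]+$/ || $host =~ /:/;
    my $suffix = ".$domain";         # the dot is the label boundary
    my $ok = length($host) > length($suffix)
        && substr($host, -length($suffix)) eq $suffix;
    return $ok ? 1 : 0;
}

# Jar key reported in the thread, checked against constructed hosts.
# The last two look similar to example.com but belong to other domains.
my $stored = '.example.com';
my @hosts  = qw(example.com www.example.com
                badexample.com example.com.evil.test);

for my $host (@hosts) {
    printf "%-24s strict=%d rfc6265=%d\n",
        $host,
        match_strict($host, $stored),
        match_rfc6265($host, $stored);
}
```

The two rules disagree only on the bare host `example.com`; both refuse the look-alike hosts because the comparison is anchored on a label boundary rather than a plain string suffix.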
