New submission from Karthikeyan Singaravelan <tir.kar...@gmail.com>:
cookiejar has a fixed set of public suffixes [0] on which cookies cannot be set when strict_domain is enabled. RFC 6265 recommends rejecting cookies being set directly on domains which are public suffixes. The current list was last updated at issue1483395 (2006). Given the proliferation of public suffixes and new ones released by IANA, it's not feasible for Python to always be updated with this list. It would be good if the suffix list could be supplied when constructing the cookiejar policy, so that users can supply updated entries and Python can default to the current set, which might be updated with more common ones. An outdated list lets someone set a cookie on a public suffix, which is then sent along with all requests to domains with that suffix, causing problems.

The algorithm also assumes suffixes to be of two parts like .co.uk, which is not the case today and can be improved. But that requires more work and increases the scope of the ticket. The current list is hardcoded as part of the code and is not available for extension at https://github.com/python/cpython/blob/3f5fc70c6213008243e7d605f7d8a2d8f94cf919/Lib/http/cookiejar.py#L1020 . The default policy can be extended to override this, but I think it's good to allow users to set this and to document a place, if any, where users can find updated lists. RFC 6265 recommends http://publicsuffix.org/, which has a data file. Other popular implementations like Go [1] and OkHttp (Java) [2] follow a similar approach where users can specify a suffix list and resort to defaults.
[0] https://en.wikipedia.org/wiki/Public_Suffix_List
[1] https://godoc.org/golang.org/x/net/publicsuffix
[2] https://github.com/square/okhttp/blob/81d702c62d92d7dbd83c1daf620a4588b7d8e785/okhttp/src/main/java/okhttp3/internal/publicsuffix/PublicSuffixDatabase.java#L36

https://tools.ietf.org/html/rfc6265#section-5.3

    If the user agent is configured to reject "public suffixes" and
    the domain-attribute is a public suffix:

        If the domain-attribute is identical to the canonicalized
        request-host:

            Let the domain-attribute be the empty string.

        Otherwise:

            Ignore the cookie entirely and abort these steps.

    NOTE: A "public suffix" is a domain that is controlled by a public
    registry, such as "com", "co.uk", and "pvt.k12.wy.us". This step is
    essential for preventing attacker.com from disrupting the integrity of
    example.com by setting a cookie with a Domain attribute of "com".
    Unfortunately, the set of public suffixes (also known as "registry
    controlled domains") changes over time. If feasible, user agents
    SHOULD use an up-to-date public suffix list, such as the one maintained
    by the Mozilla project at <http://publicsuffix.org/>.

----------
components: Library (Lib)
messages: 332752
nosy: xtreak
priority: normal
severity: normal
status: open
title: Allow users to set suffix list in cookiejar policy
type: enhancement
versions: Python 3.8

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue35618>
_______________________________________
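Added example, not code from the report or from CPython: a DefaultCookiePolicy subclass that takes a caller-supplied public suffix set, as the report proposes, and applies the RFC 6265 section 5.3 rule quoted above (reject a cookie whose Domain attribute is itself a public suffix unless it equals the request host). The class name PublicSuffixCookiePolicy and its public_suffixes parameter are hypothetical; DefaultCookiePolicy.set_ok_domain, strict_domain and http.cookiejar.request_host are the real hooks. load_public_suffix_list is a simplified reader for the publicsuffix.org file format (comment lines and plain rules only; wildcard and exception rules are skipped), and the suffix list excerpt and Set-Cookie headers are constructed for the demonstration. Running it shows the point of the report: the hard-coded two-part list rejects Domain=co.uk but accepts Domain=github.io, while the supplied list rejects both.

```python
import http.cookiejar
import urllib.request
from email.message import Message
from io import BytesIO
from urllib.response import addinfourl


def load_public_suffix_list(lines):
    """Parse plain rules from publicsuffix.org-style data lines.

    Assumption/simplification: '//' comments, blank lines, wildcard ('*.')
    and exception ('!') rules are skipped; only exact suffix rules are kept.
    """
    suffixes = set()
    for line in lines:
        rule = line.strip()
        if not rule or rule.startswith("//") or rule.startswith(("*.", "!")):
            continue
        suffixes.add(rule.lower())
    return suffixes


class PublicSuffixCookiePolicy(http.cookiejar.DefaultCookiePolicy):
    """Hypothetical policy: DefaultCookiePolicy plus a caller-supplied
    public suffix set checked per RFC 6265 section 5.3 step 5."""

    def __init__(self, public_suffixes=(), **kwargs):
        super().__init__(**kwargs)
        # Normalised like cookie.domain minus its leading dot.
        self.public_suffixes = {s.lower().lstrip(".") for s in public_suffixes}

    def set_ok_domain(self, cookie, request):
        if cookie.domain_specified:
            domain = cookie.domain.lower().lstrip(".")
            # A Domain attribute that is a public suffix is rejected unless it
            # equals the request host; that host-only case is left to the
            # default policy below.
            if (domain in self.public_suffixes
                    and domain != http.cookiejar.request_host(request)):
                return False
        return super().set_ok_domain(cookie, request)


def _constructed_response(url, set_cookie_headers):
    """Minimal urllib response carrying constructed Set-Cookie headers."""
    headers = Message()
    for value in set_cookie_headers:
        headers["Set-Cookie"] = value  # Message keeps repeated headers
    return addinfourl(BytesIO(b""), headers, url, 200)


def accepted_cookie_names(policy, request_url, set_cookie_headers):
    """Names of the cookies that `policy` lets into a fresh CookieJar."""
    jar = http.cookiejar.CookieJar(policy)
    request = urllib.request.Request(request_url)
    jar.extract_cookies(_constructed_response(request_url, set_cookie_headers),
                        request)
    return sorted(cookie.name for cookie in jar)


# Constructed excerpt in the publicsuffix.org file format (not the real file).
PSL_SAMPLE = """
// ===BEGIN ICANN DOMAINS===
uk
co.uk
*.ck
!www.ck
// ===BEGIN PRIVATE DOMAINS===
github.io
""".splitlines()

# Constructed headers: one cookie on the public suffix, one on a registrable domain.
UK_HEADERS = ["suffixwide=1; Domain=co.uk; Path=/",
              "fine=1; Domain=example.co.uk; Path=/"]
IO_HEADERS = ["suffixwide=1; Domain=github.io; Path=/",
              "fine=1; Domain=myproject.github.io; Path=/"]


def hardcoded_policy():
    """The stock policy with its built-in two-part suffix list enabled."""
    return http.cookiejar.DefaultCookiePolicy(strict_domain=True)


def supplied_policy():
    """The hypothetical policy fed with the constructed suffix list."""
    return PublicSuffixCookiePolicy(load_public_suffix_list(PSL_SAMPLE))


if __name__ == "__main__":
    for label, make in (("hard-coded list", hardcoded_policy),
                        ("supplied list", supplied_policy)):
        print(label, "co.uk    :",
              accepted_cookie_names(make(), "http://www.example.co.uk/", UK_HEADERS))
        print(label, "github.io:",
              accepted_cookie_names(make(), "http://myproject.github.io/", IO_HEADERS))
```

The override sits in front of the stock set_ok_domain rather than replacing it, so every other check the default policy performs (blocked and allowed domains, embedded-dot and version rules) still runs on whatever the suffix check lets through.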