[issue45358] Bogus cookie generated after invalid cookie attribute is input

2021-10-03 Thread greob


New submission from greob :

YouTube sends cookies with some non-standard attributes. For example:
```
Secure-1PSID=XX; Domain=.youtube.com; Path=/; Expires=Tue, 03-Oct-2023 16:26:27 GMT; Secure; HttpOnly; Priority=HIGH; SameParty
```
Notice the Priority and SameParty attributes. 


In the case above, the cookie is entirely discarded because of the unexpected 
SameParty attribute. I have not read the specifications, but I would prefer to 
keep the cookie instead of discarding it. 
These unusual attributes are clearly used by Chromium. Firefox ignores these 
attributes and does not discard the cookies.

In another case, the "Priority" key/value attribute is present, which may or 
may not be followed by any other (valid) attributes. 
An extra cookie is then generated by http.cookies.BaseCookie.__parse_string() 
(cpython/Lib/http/cookies.py:539):

```
Set-Cookie: priority=high; Domain=www.youtube.com; Path=/; SameSite=none
```
There may even be duplicate cookies generated if the case changes (i.e. 
"Priority=HIGH" would be yet another bogus cookie).

The reason for this is as follows:
The "priority=high" is seen as a key/value pair, and added to the parsed_items 
list with type TYPE_KEYVALUE, which is now the _second_ TYPE_KEYVALUE in the 
list. To my understanding, there should be only _one_ TYPE_KEYVALUE in this 
list, that is the actual cookie key/value pair. Any other item added to that 
list should be a TYPE_ATTRIBUTE.

In the for loop below (cpython/Lib/http/cookies.py:590), a new Morsel is 
created with key=Priority and value=HIGH, which is not what we want at all.

I have been working on a patch, but I keep pulling my hair over the fact that 
multiple key=value pairs can be found in the same string, which is expected by 
the test suite to result in multiple separate cookies.

An easy workaround would be to just add "priority" to _reserved keys, and 
"sameparty" to known flags. Basically catching up with Google's "extensions".

Thoughts?

--
components: Library (Lib)
messages: 403114
nosy: greob
priority: normal
severity: normal
status: open
title: Bogus cookie generated after invalid cookie attribute is input
type: behavior
versions: Python 3.11

___
Python tracker 
<https://bugs.python.org/issue45358>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
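
The behaviour the report asks for (keep the cookie, skip attributes the parser does not know), sketched as an added example that is neither CPython's code nor the submitter's patch. It follows the rule in RFC 6265 section 5.2 that unrecognized attribute names are ignored. `parse_set_cookie`, `KNOWN_ATTRS` and `stdlib_cookie_names` are hypothetical names, and `SAMPLE_KV` is a constructed header.

```python
from http.cookies import SimpleCookie

# Attributes from RFC 6265 plus SameSite (rfc6265bis); anything else is ignored.
KNOWN_ATTRS = {"expires", "max-age", "domain", "path",
               "secure", "httponly", "samesite"}

# SAMPLE_FLAG is the header quoted in the report; SAMPLE_KV is constructed.
SAMPLE_FLAG = ("Secure-1PSID=XX; Domain=.youtube.com; Path=/; "
               "Expires=Tue, 03-Oct-2023 16:26:27 GMT; Secure; HttpOnly; "
               "Priority=HIGH; SameParty")
SAMPLE_KV = "SID=XX; priority=high; Domain=www.youtube.com; Path=/; SameSite=none"


def parse_set_cookie(header):
    """Parse ONE Set-Cookie header value: the first name=value is the cookie,
    everything after the first ';' is an attribute of that cookie.

    Returns (name, value, attrs, ignored), or None without a name=value pair.
    """
    pair, _, rest = header.partition(";")
    name, sep, value = pair.partition("=")
    name, value = name.strip(), value.strip()
    if not sep or not name:
        return None  # no cookie pair at all: drop the header
    attrs, ignored = {}, []
    for chunk in rest.split(";"):
        if not chunk.strip():
            continue
        key, has_value, val = chunk.partition("=")
        key, val = key.strip(), val.strip()
        if key.lower() in KNOWN_ATTRS:
            attrs[key.lower()] = val if has_value else True
        else:
            ignored.append(key)  # unknown attribute: skip it, keep the cookie
    return name, value, attrs, ignored


def stdlib_cookie_names(header):
    """Cookie names http.cookies extracts from the same text, for comparison.
    The result depends on the Python version in use."""
    jar = SimpleCookie()
    jar.load(header)
    return sorted(jar)


if __name__ == "__main__":
    for sample in (SAMPLE_FLAG, SAMPLE_KV):
        print(parse_set_cookie(sample))
        print("http.cookies sees:", stdlib_cookie_names(sample))
```

A regression check for a client can compare the two functions on captured headers: an empty list, or a name such as `priority`, from `stdlib_cookie_names` marks a header where the cookie was lost or a bogus one was created.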



[issue45358] Bogus cookie generated after invalid cookie attribute is input

2021-10-04 Thread greob


Change by greob :


--
keywords: +patch
pull_requests: +27072
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/28726
