Add a warning when a cookie's length exceeds 4096 bytes #5959
Conversation
Codecov Report

@@            Coverage Diff            @@
##           master   #5959      +/-   ##
===========================================
+ Coverage        0   33.12%   +33.12%
===========================================
  Files           0       44       +44
  Lines           0     9863     +9863
  Branches        0     1594     +1594
===========================================
+ Hits            0     3267     +3267
- Misses          0     6514     +6514
- Partials        0       82       +82
cc @panagiks
So, in Firefox it only counts key + value, limited to 4096. But, in Chromium it counts the length of the raw cookie header, regardless of how much data is actually stored. So, to be on the safe side, we should limit the total output to 4096 bytes. A good test might be roughly:

```python
import re
from typing import Any

import pytest

from aiohttp.web import Response

# make_request and the buf/writer fixtures are assumed to be the helpers that
# tests/test_web_response.py already uses; buf collects the serialized response.


async def test_warn_large_cookie(buf: Any, writer: Any) -> None:
    # "foo=" + 4070 bytes + "; Max-Age=2600; Path=/" is exactly 4096 bytes.
    resp = Response()
    resp.set_cookie("foo", "8" * 4070, max_age=2600)
    req = make_request("GET", "/", writer=writer)
    await resp.prepare(req)  # No warning
    await resp.write_eof()
    cookie = re.search(b"Set-Cookie: (.*?)\r\n", buf).group(1)
    assert len(cookie) == 4096

    # One more byte pushes the header over the limit and must warn.
    buf[:] = b""
    resp = Response()
    resp.set_cookie("foo", "8" * 4071, max_age=2600)
    req = make_request("GET", "/", writer=writer)
    with pytest.warns(UserWarning, match="size of the cookie"):
        await resp.prepare(req)
    await resp.write_eof()
    cookie = re.search(b"Set-Cookie: (.*?)\r\n", buf).group(1)
    assert len(cookie) == 4097
```

I think this would also need a new way to run tests with dev mode. I don't see any examples online about how to do this, but maybe just marking tests which need dev mode would work, then we can add an extra pytest invocation which only runs the dev mode tests with something like
Although, if the check becomes trivial at runtime, then maybe we don't need dev mode after all.

We should be RFC-compliant. Deviating from the standards leads to chaos: https://xkcd.com/927/.

The RFC isn't that clear on precisely what counts. But, Chrome has the most pessimistic approach, so if we warn on this case, we can be sure to catch all possible issues. i.e. No browser is going to drop cookies that are smaller than what Chrome is accepting (and if they did, it would definitely be violating the RFC, whereas Chrome is more of a grey area due to the imprecise explanation in the RFC). On this occasion, I think it makes more sense to take the pessimistic approach and play it safe. Maybe to avoid confusion to users, we shouldn't mention the 4096 bytes in the warning and just say something like "Sending a large cookie. Some browsers may ignore this."

Thanks, everyone! I've set it to auto-merge on CI success.
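The two counting rules discussed in this thread, worked through in code. This is an added example, not aiohttp's own implementation or code from the PR: it serializes a single Set-Cookie header with the standard library's http.cookies.SimpleCookie (the same serializer aiohttp uses for its cookie jar), measures it both the Firefox way (name + value only) and the Chromium way (whole header), and warns on the pessimistic, whole-header measurement. The helper names and the constructed cookie values are assumptions for illustration; the 4096-byte figure is the RFC 6265 section 6.1 minimum.

```python
import warnings
from http.cookies import SimpleCookie
from typing import Dict, Optional

# RFC 6265 section 6.1: clients must accept at least 4096 bytes per cookie.
COOKIE_SIZE_LIMIT = 4096


def set_cookie_header(
    name: str, value: str, *, max_age: Optional[int] = None, path: str = "/"
) -> bytes:
    """Serialize one Set-Cookie header value using SimpleCookie (hypothetical helper).

    Attributes come out in SimpleCookie's order, e.g. "foo=...; Max-Age=2600; Path=/".
    """
    jar: SimpleCookie = SimpleCookie()
    jar[name] = value
    if max_age is not None:
        jar[name]["max-age"] = max_age
    if path:
        jar[name]["path"] = path
    # output(header="") yields " foo=...; Max-Age=...; Path=/"; drop the leading space.
    return jar[name].output(header="").strip().encode("latin-1")


def cookie_sizes(header: bytes) -> Dict[str, int]:
    """Measure a serialized cookie both ways.

    "name_value" is what the thread says Firefox counts (key + value only);
    "header" is what Chromium counts (the raw Set-Cookie header value).
    """
    name_value = header.split(b";", 1)[0]
    return {"name_value": len(name_value), "header": len(header)}


def check_cookie_size(header: bytes) -> bool:
    """Pessimistic check: warn when the whole header exceeds the limit.

    Returns True when a warning was emitted, so callers and tests can assert on it.
    """
    if len(header) > COOKIE_SIZE_LIMIT:
        warnings.warn(
            "Sending a large cookie. Some browsers may ignore this.",
            UserWarning,
            stacklevel=2,
        )
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the boundary cases from the test sketch above, plus a
    # cookie whose name+value fits but whose attributes push the header over.
    for n in (4070, 4071, 4086):
        hdr = set_cookie_header("foo", "8" * n, max_age=2600)
        print(n, cookie_sizes(hdr), "warned" if check_cookie_size(hdr) else "ok")
```

The 4086-byte value is the interesting case: name + value is 4090 bytes, under the limit by the Firefox rule, but the full header is 4112 bytes and Chromium would count it as oversized, which is why the thread settles on measuring the whole header.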
This change cannot be backported to

I don't see why, the code just needs to be added to the

Maybe. But my point is that it wouldn't be the same thing exactly. But if anybody wants to make a manual effort, feel free to do so.
What do these changes do?
Add warning when a cookie's length exceeds the RFC 6265 minimum client support.
Are there changes in behavior for the user?
The user might see a warning if a cookie size exceeds the RFC 6265 minimum client support.
Related issue number
Fixes #5634
Checklist
- CONTRIBUTORS.txt
- CHANGES folder: name the news fragment <issue_id>.<type>, for example (588.bugfix); if there is no issue_id, change it to the pr id after creating the pr. Types:
  - .feature: Signifying a new feature.
  - .bugfix: Signifying a bug fix.
  - .doc: Signifying a documentation improvement.
  - .removal: Signifying a deprecation or removal of public API.
  - .misc: A ticket has been closed, but it is not of interest to users.