Description
Bug report
Bug description:
Firstly, I apologize if I make any incorrect assertions, as I am not an expert in the HTTP protocol.
`MozillaCookieJar` recognizes and writes the `#HttpOnly_` prefix, based on curl's specifications.
But it is rare for cookies obtained via HTTP to be written with the HttpOnly prefix.
This functionality was added in Issue #17471.
Line 54 in bb4c167
Lines 2116 to 2117 in bb4c167
Cause:
In the implementation, the HttpOnly attribute is written to the `_rest` dict.
The key for this is defined as a constant, `HTTPONLY_ATTR = "HTTPOnly"`.
Typically, this attribute is `"HttpOnly"`. According to HTTP and cookie specifications, attribute names are case-insensitive as per RFC6265, so transmitting a key as `"HTTPOnly"` should not be an issue. However, `http.cookiejar.Cookie.has_nonstandard_attr()` is case-sensitive, and thus cannot create a prefix from the `"HttpOnly"` key.
Proposed changes:
- Change `HTTPONLY_ATTR` to `"HttpOnly"`.
- Add a `case_insensitive` option to the `has_nonstandard_attr()` method, or define a new method.
Bug example:
Confirmation of curl's operation
```shell
curl -c cookies_curl.txt https://www.google.com >/dev/null
```
cookies_curl.txt
```
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
#HttpOnly_.google.com TRUE / FALSE 1720370643 NID 511=dubU9NnkyvPy81Arm27NwT4dmRQb-2Bp26u_yqqpYIWLGrxDqmrvV4ohLKP_YHu8uN2ZL4KOxMzhiaIiMmO7NODRgqUcJqv4hofwCBNBF0ba6JISBYybEWhTO3IpU2haTzOPtZHg7U3Wr6o9iw8ChFTR4ZhN5Tsh9YrXEEJBowE
#HttpOnly_.google.com TRUE / TRUE 1720111443 AEC Ackid1R3qr8JQRcTH038et4qh_mcMm7d-9lKMQEK_L-5kIbuw9mpEGjajg
.google.com TRUE / TRUE 1707151443 1P_JAR 2024-01-06-16
```
MozillaCookieJar's operation
It can understand curl's HttpOnly prefix, but cannot create the prefix from the http response.
```python
from http.cookiejar import MozillaCookieJar
from urllib.request import build_opener, HTTPCookieProcessor

jar = MozillaCookieJar("cookies_curl.txt")
jar.load()
print(*[(cookie.name, cookie._rest) for cookie in jar])
# ('NID', {'HTTPOnly': ''}) ('AEC', {'HTTPOnly': ''}) ('1P_JAR', {})
# CookieJar read prefixes as "HTTPOnly"

opener = build_opener(HTTPCookieProcessor(jar))
opener.open("https://www.google.com")
print(*[(cookie.name, cookie._rest) for cookie in jar])
# ('NID', {'HttpOnly': None}) ('AEC', {'HTTPOnly': ''}) ('1P_JAR', {})
# the response updated "NID"

jar.save(filename="cookies_python.txt")
```
cookies_python.txt
```
# Netscape HTTP Cookie File
# http://curl.haxx.se/rfc/cookie_spec.html
# This is a generated file! Do not edit.
.google.com TRUE / FALSE 1720370643 NID 511=QoMVKYl3KurjivLZCJDlSBuTB-FwYbV8Av0IAKJKOQWSsID-aMwPG1Dv7P9HUwy-SVZc_tpxJoBA5fGeinGGcxzpjvz7Rzt7X-_pJx8iv2ccKpQCnE4wpHPyAxQGlLObeoXb-627wEOtED82GUx9XiRiQDwGksML3usFANOTdUM
#HttpOnly_.google.com TRUE / TRUE 1720111443 AEC Ackid1R3qr8JQRcTH038et4qh_mcMm7d-9lKMQEK_L-5kIbuw9mpEGjajg
.google.com TRUE / TRUE 1707151463 1P_JAR 2024-01-06-16
```
CPython versions tested on:
3.10, 3.11, 3.12
Operating systems tested on:
Linux, Windows