rfc6265bis UA requirements and WPT mismatch #1136
Comments
|
Thanks for this. That WPT directory is a straight port from the original test repository at https://github.com/abarth/http-state, and I still need to do a pass through them to sanity check them against the spec (and vice-versa). I appreciate you going through the tests and spec, and I'll try to honor that work by investing some time in cleaning up the repository this week. |
|
A few of these seem easy:
I'll look at the remainder after lunch. |
Chrome and Firefox aligned on treating `"foo;bar"=baz` as a nameless cookie with a value of `"foo`, and `"foo\"bar;baz"=qux` as a nameless cookie with a value of `"foo\"bar`. That is, they both stop parsing the name/value pair when they hit a `;`. This seems aligned with step 1 of https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3, which defines the `name-value-pair` as everything up to but not including the first `;`. Adjusting these tests accordingly, as discussed in httpwg/http-extensions#1136. Change-Id: I6930f8e18a8c573b21eaea5614e14c3b957ea0bb
We missed a few tests in [1], which were helpfully pointed out in httpwg/http-extensions#1136. [1]: https://chromium.googlesource.com/chromium/src.git/+/77df41c01dc3c89253eae90080ff37cf05dfa1a1 Bug: 1037996 Change-Id: I9674bb8cb66b0989bc77c3cc4e34061b0e675e98
We missed a few tests in [1], which were helpfully pointed out in httpwg/http-extensions#1136. [1]: https://chromium.googlesource.com/chromium/src.git/+/77df41c01dc3c89253eae90080ff37cf05dfa1a1 Bug: 1037996 Change-Id: I9674bb8cb66b0989bc77c3cc4e34061b0e675e98
|
About |
We missed a few tests in [1], which were helpfully pointed out in httpwg/http-extensions#1136. [1]: https://chromium.googlesource.com/chromium/src.git/+/77df41c01dc3c89253eae90080ff37cf05dfa1a1 Bug: 1037996 Change-Id: I9674bb8cb66b0989bc77c3cc4e34061b0e675e98
Chrome and Firefox aligned on treating `"foo;bar"=baz` as a nameless cookie with a value of `"foo`, and `"foo\"bar;baz"=qux` as a nameless cookie with a value of `"foo\"bar`. That is, they both stop parsing the name/value pair when they hit a `;`. This seems aligned with step 1 of https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3, which defines the `name-value-pair` as everything up to but not including the first `;`. Adjusting these tests accordingly, as discussed in httpwg/http-extensions#1136. Change-Id: I6930f8e18a8c573b21eaea5614e14c3b957ea0bb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2128135 Reviewed-by: Lily Chen <[email protected]> Commit-Queue: Mike West <[email protected]> Cr-Commit-Position: refs/heads/master@{#755255}
Chrome and Firefox aligned on treating `"foo;bar"=baz` as a nameless cookie with a value of `"foo`, and `"foo\"bar;baz"=qux` as a nameless cookie with a value of `"foo\"bar`. That is, they both stop parsing the name/value pair when they hit a `;`. This seems aligned with step 1 of https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3, which defines the `name-value-pair` as everything up to but not including the first `;`. Adjusting these tests accordingly, as discussed in httpwg/http-extensions#1136. Change-Id: I6930f8e18a8c573b21eaea5614e14c3b957ea0bb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2128135 Reviewed-by: Lily Chen <[email protected]> Commit-Queue: Mike West <[email protected]> Cr-Commit-Position: refs/heads/master@{#755255}
Chrome and Firefox aligned on treating `"foo;bar"=baz` as a nameless cookie with a value of `"foo`, and `"foo\"bar;baz"=qux` as a nameless cookie with a value of `"foo\"bar`. That is, they both stop parsing the name/value pair when they hit a `;`. This seems aligned with step 1 of https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3, which defines the `name-value-pair` as everything up to but not including the first `;`. Adjusting these tests accordingly, as discussed in httpwg/http-extensions#1136. Change-Id: I6930f8e18a8c573b21eaea5614e14c3b957ea0bb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2128135 Reviewed-by: Lily Chen <[email protected]> Commit-Queue: Mike West <[email protected]> Cr-Commit-Position: refs/heads/master@{#755255}
We missed a few tests in [1], which were helpfully pointed out in httpwg/http-extensions#1136. [1]: https://chromium.googlesource.com/chromium/src.git/+/77df41c01dc3c89253eae90080ff37cf05dfa1a1 Bug: 1037996 Change-Id: I9674bb8cb66b0989bc77c3cc4e34061b0e675e98
We missed a few tests in [1], which were helpfully pointed out in httpwg/http-extensions#1136. [1]: https://chromium.googlesource.com/chromium/src.git/+/77df41c01dc3c89253eae90080ff37cf05dfa1a1 Bug: 1037996 Change-Id: I9674bb8cb66b0989bc77c3cc4e34061b0e675e98 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2129528 Commit-Queue: Mike West <[email protected]> Reviewed-by: Lily Chen <[email protected]> Cr-Commit-Position: refs/heads/master@{#755289}
We missed a few tests in [1], which were helpfully pointed out in httpwg/http-extensions#1136. [1]: https://chromium.googlesource.com/chromium/src.git/+/77df41c01dc3c89253eae90080ff37cf05dfa1a1 Bug: 1037996 Change-Id: I9674bb8cb66b0989bc77c3cc4e34061b0e675e98 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2129528 Commit-Queue: Mike West <[email protected]> Reviewed-by: Lily Chen <[email protected]> Cr-Commit-Position: refs/heads/master@{#755289}
We missed a few tests in [1], which were helpfully pointed out in httpwg/http-extensions#1136. [1]: https://chromium.googlesource.com/chromium/src.git/+/77df41c01dc3c89253eae90080ff37cf05dfa1a1 Bug: 1037996 Change-Id: I9674bb8cb66b0989bc77c3cc4e34061b0e675e98 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2129528 Commit-Queue: Mike West <[email protected]> Reviewed-by: Lily Chen <[email protected]> Cr-Commit-Position: refs/heads/master@{#755289}
…0031 and name0032., a=testonly Automatic update from web-platform-tests Adjusting //cookie/http-state tests name0031 and name0032. Chrome and Firefox aligned on treating `"foo;bar"=baz` as a nameless cookie with a value of `"foo`, and `"foo\"bar;baz"=qux` as a nameless cookie with a value of `"foo\"bar`. That is, they both stop parsing the name/value pair when they hit a `;`. This seems aligned with step 1 of https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3, which defines the `name-value-pair` as everything up to but not including the first `;`. Adjusting these tests accordingly, as discussed in httpwg/http-extensions#1136. Change-Id: I6930f8e18a8c573b21eaea5614e14c3b957ea0bb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2128135 Reviewed-by: Lily Chen <[email protected]> Commit-Queue: Mike West <[email protected]> Cr-Commit-Position: refs/heads/master@{#755255} -- wpt-commits: e8a7e4174ec563392b909d5103585a0f8f578e21 wpt-pr: 22559
…nameless cookies., a=testonly Automatic update from web-platform-tests Adjusting //cookie/http-state to accept nameless cookies. We missed a few tests in [1], which were helpfully pointed out in httpwg/http-extensions#1136. [1]: https://chromium.googlesource.com/chromium/src.git/+/77df41c01dc3c89253eae90080ff37cf05dfa1a1 Bug: 1037996 Change-Id: I9674bb8cb66b0989bc77c3cc4e34061b0e675e98 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2129528 Commit-Queue: Mike West <[email protected]> Reviewed-by: Lily Chen <[email protected]> Cr-Commit-Position: refs/heads/master@{#755289} -- wpt-commits: a2b6b1e00220c3aa1d021b1a914bf134f59f3586 wpt-pr: 22560
…0031 and name0032., a=testonly Automatic update from web-platform-tests Adjusting //cookie/http-state tests name0031 and name0032. Chrome and Firefox aligned on treating `"foo;bar"=baz` as a nameless cookie with a value of `"foo`, and `"foo\"bar;baz"=qux` as a nameless cookie with a value of `"foo\"bar`. That is, they both stop parsing the name/value pair when they hit a `;`. This seems aligned with step 1 of https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3, which defines the `name-value-pair` as everything up to but not including the first `;`. Adjusting these tests accordingly, as discussed in httpwg/http-extensions#1136. Change-Id: I6930f8e18a8c573b21eaea5614e14c3b957ea0bb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2128135 Reviewed-by: Lily Chen <[email protected]> Commit-Queue: Mike West <[email protected]> Cr-Commit-Position: refs/heads/master@{#755255} -- wpt-commits: e8a7e4174ec563392b909d5103585a0f8f578e21 wpt-pr: 22559
…nameless cookies., a=testonly Automatic update from web-platform-tests Adjusting //cookie/http-state to accept nameless cookies. We missed a few tests in [1], which were helpfully pointed out in httpwg/http-extensions#1136. [1]: https://chromium.googlesource.com/chromium/src.git/+/77df41c01dc3c89253eae90080ff37cf05dfa1a1 Bug: 1037996 Change-Id: I9674bb8cb66b0989bc77c3cc4e34061b0e675e98 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2129528 Commit-Queue: Mike West <[email protected]> Reviewed-by: Lily Chen <[email protected]> Cr-Commit-Position: refs/heads/master@{#755289} -- wpt-commits: a2b6b1e00220c3aa1d021b1a914bf134f59f3586 wpt-pr: 22560
|
For Maybe this issue with empty names and equal signs in the value should be mentioned specifically in the Implementation Considerations section? Edit: I've updated the description to better show which tests have been fixed in WPT, at the time of writing this comment. |
|
@essen @mikewest - I had a look at the remaining tests with open questions (I'm assuming that the tests with checkmarks from the OP are no longer problematic). It seems like of the 4, This test seems like it was just incorrect -- it was fixed downstream by Ehsan in https://bugzilla.mozilla.org/show_bug.cgi?id=1549389. So this test has 4097 Chromium: https://source.chromium.org/chromium/chromium/src/+/master:net/cookies/parsed_cookie.h;l=25?q=4096%20cookie&ss=chromium This test is fine, it's just kinda confusing to figure out what's happening at a glance. Blink and WebKit agree here, and Gecko fails this test. Looking at the extended commit message in web-platform-tests/wpt@89637ce (which added this test), that links to whatwg/xhr#165, which likely explains why Gecko fails this test -- it doesn't (yet?) reject null bytes in the header. But... the test case shows that Chrome and Safari are just ignoring the content after And whatwg/xhr#165 (comment) suggests that LF can be legal (in Also, I see in https://source.chromium.org/chromium/chromium/src/+/master:net/cookies/parsed_cookie.cc;l=362-372;drc=1f5bcd95363404f6c80dcf24730feb78cb4b1187?q=FindFirstTerminator&ss=chromium - that's pretty much what Chromium does. But in Step 1 of https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-06#section-5.3, in the Otherwise clause (which is where this test ends up because it lacks
Maybe that language could use some tightening to make it more explicit? Currently the test looks like |
Right but I had this fix when I tested. I may be confused as to why it's not supposed to set or return the cookie, what the test paths are supposed to be, or just because I'm not familiar enough with Javascript. Could you clarify whether the cookie should be set or not, and explain what goes on in that particular test case? From my reading of the spec, the set-cookie will lead to the second Path attribute to be accepted, and later on when doing a Path-Match it will use
OK so failure depends on configuration. Thanks for figuring it out!
I think it might just be a second header that doesn't have a colon or value. I don't think this belongs in a cookie test suite.
OK then it takes the last Domain attribute and I think we fall under this rule:
https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-domain-attribute-2 And in this case this would be my code that doesn't respect this rule. It currently treats missing Domain and empty Domain the same. Thanks for the help! |
As written today, I think the expectation of not setting the cookie is correct. But I think it's largely an accident of how the original tests were ported over to wpt, and due to the fact that it's not being sent to the path / set on the path it wants. I believe the intent of this test was to test that an invalid path, followed by a valid path should set the cookie (basically the inverse of attribute0024). So for the test header, If you look at the original test server code, you can see there is a https://github.com/abarth/http-state/blob/master/tools/testserver/testserver.py#L105-L134 But the iframe that the current WPT serves the cookie from is I plan to fix this, thanks for flagging! |
|
(we can probably close this issue once I land the fix for that test, I think?) |
|
Right I get that WPT doesn't have the right path but I'm running tests that do (I reimplemented them in my test suite).
That's what I mean, if the second path is the one accepted and assuming the paths used to do the requests are correct then the
(I have updated the top post to reflect the current state.) |
|
I think I have figured out exactly what is expected for The test case is as follow and the cookie ends up not being sent: The spec says: This leads to the empty domain attribute to be removed. If the spec is followed strictly (it's a SHOULD), then the set-cookie header is ultimately equivalent to: This leads to the cookie not being stored because we are on the It would be good to add tests such as: In this case the cookie should be stored and sent in the next request to home.example.org because the second domain attribute is dropped according to the spec. It would also be good to remove this part about the behavior being undefined from the spec. This is the only place in the spec that has uncertainty. It's also mildly confusing to only remove the |
Could you file a new issue for this (with the recommended test)? It's possible this suggestion gets lost in this issue about WPTs. Thanks! |
|
FWIW, I'm in the middle of re-writing all the http-state tests (meta bug over at https://bugs.chromium.org/p/chromium/issues/detail?id=1152796, which will have more bugs as I progress). As for https://github.com/web-platform-tests/wpt/blob/master/cookies/http-state/resources/test-files/attribute0023-test (which is 404 now, because I deleted it, but it used to look like this), it evolved into "No cookie returned for multiple mismatched paths", because even our best guesses of what attribute0023 was intending to capture don't reflect current browser reality. I'll be tackling the "chromium" tests next, so I guess I'll be forced to reckon with disabled-chromium0022 and then we can close this issue. |
|
Submitted as #1332. |
|
OK, I totally forgot to circle back to It took me a minute to page back into memory, but my understanding is as follows: A valid https://tools.ietf.org/html/rfc5234#appendix-B.1 defines At least Firefox and Chrome agree with that... but I don't really see in the current draft where it says to consume up until an invalid value, or line break. @chlily1, am I missing something obvious? Maybe it's less complicated than that -- is it just looking for the first CRLF in the header to know where to stop parsing? Should the draft say something to that effect? |
|
Hm, I don't think you're missing anything. As far as I can tell, in section 5.3, it says to use all the characters after the first '=' as the value string. |
|
Different rationales, but same result: Chromium and Gecko are treating CRLF as basically "the end of the cookie". https://searchfox.org/mozilla-central/source/netwerk/cookie/CookieService.cpp#1205-1259 |
|
The ABNF is much stricter than the parsing algorithm described in the draft. The parsing algorithm in the draft does not disallow CR, LF, NUL or any other invalid character. Perhaps it should, to reflect what browsers are doing. In that case I would suggest adding tests with CR, LF and NUL separately, at least, to detect and possibly correct differences. |
|
I have just filed issue #1399 regarding this and related issues. |
|
Since all the other issues have been addressed, I'm going to close this and we can follow #1399 for the final thing. |
I have implemented most of rfc6265bis from scratch for an HTTP client library, using the algorithms described in Section 5. I have found a few cases in WPT's
http-statesuite that do not pass and seem to go against the current editor draft of rfc6265bis (or vice versa). I figured this would be useful to share:The current spec accepts this with the cookie name being"foo;bar"and the value everything after the first =.The current spec accepts this with the cookie name being"foo\"bar;baz"and the value everything after the first =.aaa.Hope it's useful.
Everything else works, although note that I have not implemented SameSite checks at this point so I cannot comment on those.
The text was updated successfully, but these errors were encountered: