Setting a cookie for a different domain does not work #5841
Given a request like:
The cookie download middleware will discard the cookie because `b.example` does not match¹ `a.example`. The cookie will not only be ignored for the purpose of sending this specific request, which is OK, but it will not be added to the cookie jar either, meaning that if `a.example` redirects to `b.example`, the follow-up request to `b.example` is not going to include this cookie either.

I think we need to make it so that domain-based filtering does not keep a cookie out of the cookie jar, so that we can set a cookie for a different domain on a request with the goal of having that cookie reach the right domain in a redirect scenario.

But we need to make sure that we keep applying the domain filtering to cookies that come in the `Set-Cookie` header in a response, as doing otherwise would be a security issue.

¹ Understanding by “match” what the cookie specification understands when it defines how user agents must handle `Set-Cookie` headers.
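
A simplified model of the behaviour the issue asks for, as an added example that is not part of the issue or of Scrapy's code: `ToyJar` and its methods are hypothetical, and `domain_match` follows the domain-match rule of RFC 6265 section 5.1.3. Host-only cookies, paths and public-suffix checks are left out.

```python
import ipaddress


def _norm(domain: str) -> str:
    # Lowercase and ignore one leading dot, as the Domain attribute is parsed.
    domain = domain.lower()
    return domain[1:] if domain.startswith(".") else domain


def domain_match(host: str, cookie_domain: str) -> bool:
    """Domain-match per RFC 6265 section 5.1.3."""
    host, cookie_domain = host.lower(), _norm(cookie_domain)
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)  # IP literals only match exactly
        return False
    except ValueError:
        # Suffix match must start at a label boundary.
        return host.endswith("." + cookie_domain)


class ToyJar:
    """Hypothetical jar keyed by (domain, name); not Scrapy's CookieJar."""

    def __init__(self):
        self.store = {}

    def set_from_request(self, domain, name, value):
        # Caller-supplied cookie: stored even if it targets another domain.
        self.store[(_norm(domain), name)] = value

    def set_from_response(self, response_host, domain, name, value):
        # Server-supplied cookie: rejected unless the responding host
        # domain-matches the Domain attribute it tries to set.
        if not domain_match(response_host, domain):
            return False
        self.store[(_norm(domain), name)] = value
        return True

    def cookies_for(self, host):
        # Sending always filters by domain-match, whatever the origin.
        return {n: v for (d, n), v in self.store.items()
                if domain_match(host, d)}
```
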