[New-bugs-announce] [issue35618] Allow users to set suffix list in cookiejar policy

Karthikeyan Singaravelan report at bugs.python.org
Sun Dec 30 10:37:18 EST 2018


New submission from Karthikeyan Singaravelan <tir.karthi at gmail.com>:

cookiejar has a fixed set of public suffixes [0] on which cookies cannot be set when strict_domain is enabled. rfc6265 recommends rejecting cookies that are set directly on domains which are public suffixes. The current list was last updated in issue1483395 (2006). Given the proliferation of public suffixes and new ones released by IANA, it's not feasible for Python to always be updated with this list. It would be good if the suffix list could be supplied when constructing the cookiejar policy, so that users can supply updated entries and Python can default to the current set, which might be updated with more common ones. An outdated list lets someone set a cookie on a public suffix, which is then sent along with all the requests to the domain with the suffix, causing problems.

The algorithm also assumes suffixes to be of two parts like .co.uk, which is not the case today and can be improved. But that requires more work and increases the scope of the ticket. The current list is hardcoded as part of the code and it's not available for extension at https://github.com/python/cpython/blob/3f5fc70c6213008243e7d605f7d8a2d8f94cf919/Lib/http/cookiejar.py#L1020 . The default policy can be extended to override this, but I think it's good to allow users to set this and to document a place, if any, where users can find updated lists. rfc6265 recommends http://publicsuffix.org/ that has a data file.

Looking at other popular implementations, go [1] and okhttp (java) [2] follow a similar approach where users can specify a suffix list and resort to defaults.

[0] https://en.wikipedia.org/wiki/Public_Suffix_List
[1] https://godoc.org/golang.org/x/net/publicsuffix
[2] https://github.com/square/okhttp/blob/81d702c62d92d7dbd83c1daf620a4588b7d8e785/okhttp/src/main/java/okhttp3/internal/publicsuffix/PublicSuffixDatabase.java#L36

https://tools.ietf.org/html/rfc6265#section-5.3

If the user agent is configured to reject "public suffixes" and
the domain-attribute is a public suffix:

   If the domain-attribute is identical to the canonicalized
   request-host:

      Let the domain-attribute be the empty string.

   Otherwise:

      Ignore the cookie entirely and abort these steps.

NOTE: A "public suffix" is a domain that is controlled by a
public registry, such as "com", "co.uk", and "pvt.k12.wy.us".
This step is essential for preventing attacker.com from
disrupting the integrity of example.com by setting a cookie
with a Domain attribute of "com".  Unfortunately, the set of
public suffixes (also known as "registry controlled domains")
changes over time.  If feasible, user agents SHOULD use an
up-to-date public suffix list, such as the one maintained by
the Mozilla project at <http://publicsuffix.org/>.

----------
components: Library (Lib)
messages: 332752
nosy: xtreak
priority: normal
severity: normal
status: open
title: Allow users to set suffix list in cookiejar policy
type: enhancement
versions: Python 3.8

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35618>
_______________________________________
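
Added example, not part of the original report and not CPython code: the report notes that the default policy can be extended, and this sketch does so with a caller-supplied suffix set, then compares it with DefaultCookiePolicy(strict_domain=True) on the multi-label suffix from the RFC note. SuffixListPolicy, FakeResponse, accepted_domains and the sample host and headers are hypothetical names and constructed data.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar, DefaultCookiePolicy


class SuffixListPolicy(DefaultCookiePolicy):
    """Hypothetical subclass, not a stdlib API: takes the public suffix set
    from the caller instead of relying on the hardcoded two-part check."""
    def __init__(self, public_suffixes, **kwargs):
        super().__init__(**kwargs)
        self.public_suffixes = frozenset(
            s.lower().strip(".") for s in public_suffixes)

    def set_ok_domain(self, cookie, request):
        # Simplified from RFC 6265 5.3: always reject a public-suffix Domain; the
        # RFC keeps the cookie as host-only when Domain equals the request host.
        if (cookie.domain_specified and
                cookie.domain.lower().strip(".") in self.public_suffixes):
            return False
        return super().set_ok_domain(cookie, request)


class FakeResponse:
    """Constructed stand-in for an HTTP response; the jar only calls info()."""
    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # appends, does not replace

    def info(self):
        return self._headers


def accepted_domains(policy, url, set_cookie_values):
    """Return the sorted cookie domains the policy lets into a fresh jar."""
    jar = CookieJar(policy)
    jar.extract_cookies(FakeResponse(set_cookie_values),
                        urllib.request.Request(url))
    return sorted(cookie.domain for cookie in jar)


# Constructed sample input; "pvt.k12.wy.us" is the suffix named in the RFC note.
URL = "http://site.pvt.k12.wy.us/"
HEADERS = ["wide=1; Domain=pvt.k12.wy.us", "own=1; Domain=site.pvt.k12.wy.us"]
SUFFIXES = {"co.uk", "pvt.k12.wy.us"}  # assumption: loaded from a current list
if __name__ == "__main__":
    print(accepted_domains(DefaultCookiePolicy(strict_domain=True), URL, HEADERS))
    print(accepted_domains(SuffixListPolicy(SUFFIXES, strict_domain=True), URL, HEADERS))
```

The stock policy stores the cookie scoped to the whole suffix because its check only inspects two-label domains; the subclass keeps only the cookie scoped to the site's own domain.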

