rails/actionpack/test
Gareth Adams 8f3c6a1005 Make Rails cookies RFC6265-compliant with domain: :all
Rails has incorrectly been adding leading dots to cookie domain values
when the `domain: :all` option is present.

This leading dot was required in cookies based on [RFC 2965][rfc2965]
(October 2000), but [RFC 6265][rfc6265] (April 2011) changed that
behaviour, making a leading dot strictly incorrect. Today's browsers aim
to conform to RFC6265 with respect to cookies.

The new behaviour is that *any* cookie with an explicitly passed domain
is sent to all matching subdomains[[ref][mdn]]. For a server to indicate
that only the exact origin server should receive the cookie, it should
instead pass *no* domain attribute.

Despite the change in behaviour, browser devtools often display a cookie
domain with a leading dot to indicate that it is valid for subdomains -
this prefixed domain is *not* necessarily the raw value that was passed
in the Set-Cookie header. This explains why it's a common belief among
developers that the leading dot is required.

The RFC6265 standard gives UAs an algorithm to handle old-style cookie
domain parameters (they can drop a leading dot if present), so it's
unlikely that this error would ever have had any effect on web browsers.

However, cookies generated this way can't be processed by Ruby's own
CGI::Cookie class:

> CGI::Cookie.new "domain" => ".foo.bar", "name" => "foo"
ArgumentError: invalid domain: ".foo.bar"

Newer versions of the Ruby CGI library accommodate the same fallback
behaviour (dropping the extra dot), but this isn't a justification for it
being the right way to set a cookie.

[mdn]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#domain_attribute
[rfc2965]: https://www.rfc-editor.org/rfc/rfc2965#section-3.2
[rfc6265]: https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1
2023-04-24 01:38:34 +01:00
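Added here as an illustration, not part of the commit or of Rails itself: a Ruby sketch of the two RFC 6265 rules the message relies on, Section 5.2.3 parsing of the Domain attribute (which discards a leading dot and lowercases) and Section 5.1.3 domain matching. It shows that `.foo.bar` and `foo.bar` yield the same cookie domain, that any explicit domain covers subdomains, and that omitting the attribute gives a host-only cookie. Function names and sample hosts are my own.

```ruby
# Added example (not Rails code): RFC 6265 Domain attribute handling.

# Section 5.2.3: parse the Domain attribute value. A leading "." is
# dropped and the result is lowercased. nil means "attribute empty",
# which the RFC says causes the whole cookie to be ignored.
def rfc6265_domain_attribute(value)
  v = value.to_s.strip
  v = v[1..-1] if v.start_with?(".")
  return nil if v.empty?
  v.downcase
end

# Rough check for an IP literal; domain matching never applies to those.
def ip_literal?(host)
  host.match?(/\A\d{1,3}(\.\d{1,3}){3}\z/) || host.include?(":")
end

# Section 5.1.3: a request host domain-matches a cookie domain when it is
# identical, or ends with "." + domain and is not an IP address.
def domain_match?(request_host, cookie_domain)
  host = request_host.downcase
  return true if host == cookie_domain
  host.end_with?(".#{cookie_domain}") && !ip_literal?(host)
end

# Section 5.3: would a cookie set by origin_host with the given Domain
# attribute (nil = attribute absent) be sent to request_host?
def cookie_sent_to?(request_host:, origin_host:, domain_attr: nil)
  domain = domain_attr && rfc6265_domain_attribute(domain_attr)
  if domain.nil?
    # No Domain attribute: host-only cookie, exact origin host only.
    request_host.downcase == origin_host.downcase
  else
    # The setting host must itself domain-match, or the UA rejects the cookie.
    return false unless domain_match?(origin_host, domain)
    domain_match?(request_host, domain)
  end
end
```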
abstract Raise error when callback's only/unless symbols aren't methods 2021-12-14 15:22:08 -05:00
assertions Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
controller Alias ActionController::Parameters except as without 2023-03-29 10:56:58 +02:00
dispatch Make Rails cookies RFC6265-compliant with domain: :all 2023-04-24 01:38:34 +01:00
fixtures Fix word case. html -> HTML 2022-09-18 04:21:22 +10:00
journey Add ActionDispatch.deprecator 2022-10-27 17:11:02 -05:00
lib Include layout when rendering objects from controllers 2020-10-14 11:49:45 -06:00
routing Use frozen string literal in actionpack/ 2017-07-29 14:02:40 +03:00
support Introduce Journey::Ast to avoid extra ast walks 2021-07-29 16:23:11 -04:00
abstract_unit.rb Improve matching of headers assertions. 2023-01-21 05:26:22 +13:00