Sorry for confusing strings (it was html formatting). Thank you for your point of view.
On Thu, Jul 18, 2013 at 11:54 PM, Marc Lehmann <[email protected]> wrote:

> On Thu, Jul 18, 2013 at 11:40:14PM +0600, Andrey Khozov <[email protected]> wrote:
> > When AE::HTTP gets header
> > *Set-Cookie: name=data; Path=/; Domain=example.com*
> > in jar appears a key '*.example.com*' (with leading point)
> > And at the next http request cookies are not sent.
>
> Your mails are very confusing - I assume '* means a start quote and *'
> means an end quote (using consistent quoting would help enormously), so
> the two strings are:
>
>    example.com
>    .example.com
>
> And for this, yes, as per most of the specs and as used in the real world,
> the cookie should not be sent, as .example.com only matches subdomains of
> example.com. Sending it unconditionally is a security risk.
>
> So, this is not a bug.
>
> Keep in mind that AE::HTTP doesn't enforce its cookie management, it's
> entirely optional, and, as mentioned in the documentation, you can use
> other implementations that might implement your take on how cookies should
> work, or implement your own.
>
> Again, there is no official specification (or rather, there are many, but
> no agreed-upon one) for how this should be done, so your idea is likely as
> good as mine. AE::HTTP is designed to err on the conservative side.
>
> --
>                 The choice of a       Deliantra, the free code+content MORPG
>       -----==-     _GNU_              http://www.deliantra.net
>       ----==-- _       generation
>       ---==---(_)__  __ ____  __      Marc Lehmann
>       --==---/ / _ \/ // /\ \/ /      [email protected]
>       -=====/_/_//_/\_,_/ /_/\_\

--
Andrey Khozov
_______________________________________________
anyevent mailing list
[email protected]
http://lists.schmorp.de/mailman/listinfo/anyevent
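Added example (not part of the thread, and not AnyEvent::HTTP's code): a Python model of the strict reading described in the reply, where the jar key `.example.com` matches only subdomains, shown beside RFC 6265 domain matching, which is brought in here for comparison. The function names and sample hosts are constructed for illustration.

```python
import ipaddress


def _is_ip(host):
    """True for IP literals; suffix matching must never apply to them."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def jar_key_strict(domain_attr):
    """Assumed model of the jar key seen in the thread:
    Domain=example.com is stored as '.example.com'."""
    d = domain_attr.lower()
    return d if d.startswith(".") else "." + d


def match_strict(jar_key, host):
    """Strict reading: '.example.com' matches subdomains only, never the bare host."""
    host = host.lower()
    return (not _is_ip(host)) and host.endswith(jar_key) and len(host) > len(jar_key)


def match_rfc6265(domain_attr, host):
    """RFC 6265: section 5.2.3 drops one leading dot, section 5.1.3 domain-match."""
    domain = domain_attr.lower()
    if domain.startswith("."):
        domain = domain[1:]
    host = host.lower()
    if host == domain:
        return True
    # The suffix must begin on a label boundary and the host must be a name.
    return host.endswith("." + domain) and not _is_ip(host)


def compare(domain_attr, hosts):
    """Map each host to (strict_result, rfc6265_result) for one Domain attribute."""
    key = jar_key_strict(domain_attr)
    return {h: (match_strict(key, h), match_rfc6265(domain_attr, h)) for h in hosts}


# Constructed sample hosts: the bare domain, a subdomain, and two look-alikes.
HOSTS = ["example.com", "www.example.com", "badexample.com", "example.com.other.test"]

if __name__ == "__main__":
    for host, (strict, rfc) in compare("example.com", HOSTS).items():
        print(f"{host:24} strict={strict!s:5} rfc6265={rfc}")
```

The two policies differ only on the bare host `example.com`; both reject the look-alike names, which is the label-boundary check that keeps a cookie from reaching an unrelated domain.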
