The RFC section that you link to describes how the
domain field should be parsed in a
SET-COOKIE header. This corresponds to the
FromStr implementation of
Cookie, i.e, the parser. The
Cookie::set_domain() and corresponding
CookieBuilder::domain() methods are not part of the parser, so the linked RFC section is not applicable. All this to say: there isn't an obvious logic bug here.
The question is whether the
set_domain() method (and
CookieBuilder::domain()) should encode the same logic as the parser, that is, strip the leading
.. Whether they do or don't should specified more accurately in the methods' documentation. Currently, the docs say simply: "sets the
domain attribute of the cookie".
I'm not certain if we should or shouldn't. On the one hand, these and all other setters are working in the "raw", validating little and setting the parameters as they're passed in. If you set
.foo.com, you get
.foo.com. On the other hand, at least one person (you) expected different behavior.
One major issue with removing a prefix of
. when set via
.domain() is that round-tripping no longer works as expected. That is, this would fail:
let c1 = Cookie::parse("name=value; domain=..foo.com").unwrap(); let c2 = Cookie::build(c1.name(), c1.value()).domain(c1.domain()).build(); assert_eq!(c1, c2);
On the other hand, it might be surprising that this fails, which appears to be the basis of this report:
let c1 = Cookie::parse("name=value; domain=..foo.com").unwrap(); let c2 = Cookie::build(c1.name(), c1.value()).domain("..foo.com").build(); assert_eq!(c1, c2);
Ideally, both of these cases would pass, somehow.
One idea is to always store the raw value, with the leading
., if any. From
.domain(), return a
&Domain proxy that contains the raw string, accessible via a method, but otherwise compares ignoring the leading
. (and case insensitively). Implementations of
From<&str> for Domain<'_> and
Deref<Target=&str> for Domain would keep most code working while resolving this issue and allowing both examples above to work as expected.
How does this proposal sound? Would love your thoughts as well, @pfernie.
Cookie builder doesn't ignore leading dots (as the `FromStr` implementation does) #207
A dot at the beginning of the
.name.com) should be ignored, but CookieBuilder does not (which is a behavior that differs from the
Here is a working example (it uses
cookie_storebecause I've submitted my report there first).
Please also see the comment of the maintainer of the
cookie_storecrate, for some additional information.