*_COOKIE_DOMAIN settings should reject values that won't work in modern browsers
| Reported by: | estebistec | Owned by: | nobody |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
When either of the cookie domain settings (CSRF_COOKIE_DOMAIN, SESSION_COOKIE_DOMAIN) is given a value that browsers won't send to the server, it should be rejected to keep the programmer from thinking that such a value is okay.
So, one day I discovered that using ".localhost" as a *_COOKIE_DOMAIN setting doesn't work well, as browsers avoid it: specifically, they avoid any domain with fewer than two dots. So ".com", etc. would be avoided too.
After searching I discovered ticket #10560, wherein the reporter thought it a bug with Django. It was closed as wontfix because, of course, it's not. However, I thought that the settings should at least reject such values to save programmers the time spent debugging this gotcha. So, I created a patch to do just that and am opening this ticket to see if others agree.
Some notes about the patch:
- Instead of attempting to capture the full range of cookie requirements in the check, I decided to keep it simple, ensuring that there are 2+ dots. Of course other mistakes could be made with the cookie domain, but I believe they would be more obvious.
- I decided to raise ImproperConfig instead of just warning. This could be a point of debate.
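
The check described in the ticket, sketched as an added example; this is not the ticket's patch or Django code. The function names and `SampleSettings` are hypothetical, and `ImproperlyConfigured` here is a local stand-in for Django's exception of the same name so the block runs without Django.

```python
class ImproperlyConfigured(Exception):
    """Local stand-in so the example runs without Django installed."""


COOKIE_DOMAIN_SETTINGS = ("SESSION_COOKIE_DOMAIN", "CSRF_COOKIE_DOMAIN")
MIN_DOTS = 2  # the ticket's rule: "2+ dots"


def cookie_domain_problems(settings):
    """Return {setting_name: message} for values that break the 2+ dots rule.

    `settings` is any object carrying the two attributes. None means the
    setting is unset and is always accepted.
    """
    problems = {}
    for name in COOKIE_DOMAIN_SETTINGS:
        value = getattr(settings, name, None)
        if value is None:
            continue
        if not isinstance(value, str):
            problems[name] = "%s must be a string or None, got %r" % (name, value)
        elif value.count(".") < MIN_DOTS:
            problems[name] = (
                "%s=%r has %d dot(s); the check requires at least %d"
                % (name, value, value.count("."), MIN_DOTS)
            )
    return problems


def validate_cookie_domains(settings):
    """Raise at startup instead of letting cookies silently go missing."""
    problems = cookie_domain_problems(settings)
    if problems:
        raise ImproperlyConfigured("; ".join(problems[k] for k in sorted(problems)))


class SampleSettings:  # constructed sample configuration
    SESSION_COOKIE_DOMAIN = ".localhost"    # one dot: rejected
    CSRF_COOKIE_DOMAIN = ".example.com"     # two dots: accepted


if __name__ == "__main__":
    print(cookie_domain_problems(SampleSettings))
```

Applied literally, the 2+ dots rule also rejects a one-dot value such as "example.com" written without the leading dot.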
Change History (6)
comment:1 Changed 4 years ago by anonymous
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset