id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
15797	*_COOKIE_DOMAIN settings should reject values that won't work in modern browsers	Steven Cummings	nobody	"When either of the cookie domain (CSRF_COOKIE_DOMAIN, SESSION_COOKIE_DOMAIN) settings are given values that browsers won't send to the server, they should be rejected to keep the programmer from thinking that such a value is okay.

So, one day I discovered that using "".localhost"" as a *_COOKIE_DOMAIN setting doesn't work well, as browsers avoid it. Specifically, any domain with fewer than two dots. So "".com"", etc. would be avoided too.

After searching, I discovered ticket #10560, wherein the reporter thought it a bug with Django. It was closed as wontfix because, of course, it's not. However, I thought that the settings should at least reject such values to save programmers the time spent debugging this gotcha. So, I created a patch to do just that and am opening this ticket to see if others agree.

Some notes about the patch:

* Instead of attempting to capture the full range of cookie requirements in the check, I decided to keep it simple, ensuring that there are 2+ dots. Of course other mistakes could be made with the cookie domain, but I believe they would be more obvious.
* I decided to raise ImproperConfig instead of just warning. This could be a point of debate.
"	Bug	closed	Core (Other)	1.3	Normal	invalid			Unreviewed	1	0	0	0	0	0
