@blakeembrey (Member)

Closes #191. All keys and values are supported in Safari. Although older or other browsers may not support some of these characters, I don't think we should be restricting it unless it's a security issue.

codecov bot commented Nov 15, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (ba9e677) to head (8c9f866).
Report is 4 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff            @@
##            master      #210   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines          160       159    -1     
  Branches        69        69           
=========================================
- Hits           160       159    -1     

ctcpip

This comment was marked as outdated.

@ctcpip (Member) left a comment

ignore previous comment, I was squinting wrongly at the regex

@blakeembrey blakeembrey merged commit 8be4b82 into master Nov 20, 2024
10 checks passed
@blakeembrey blakeembrey deleted the be/loosen-regex branch November 20, 2024 17:21
@benmccann
A couple of questions about this:

  • Is 1.0.2 fully backward compatible with the pre-1.0 releases?
  • Is there any need to avoid cookies with special characters such as : still?

@blakeembrey (Member, Author) commented Jan 29, 2025

> Is 1.0.2 fully backward compatible with the pre-1.0 releases?

No, the breaking changes can be viewed here: https://github.com/jshttp/cookie/releases/tag/v1.0.0

Assuming you are only referring to this PR and pre-0.7 releases, still no. The regex is stricter than what was previously causing a security issue. However, it’s fairly unlikely you’d have any characters that cause an error in either release as the values are automatically encoded and decoded.

> Is there any need to avoid cookies with special characters such as : still?

Cookies could contain :, but names were stricter following the RFC and didn't allow :. They now allow : again with this change.
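
The difference between RFC-strict and loosened cookie-name validation discussed in this thread, as an added example that is not the jshttp/cookie source. `RFC_TOKEN`, `LOOSE_NAME`, `classifyName` and `serialize` are hypothetical names, and the loose pattern is an assumed rule written for illustration, not the regex merged in this PR.

```javascript
// Added example; not the jshttp/cookie source. Both patterns are written
// for this illustration.

// RFC 6265 cookie-name is a "token": visible ASCII minus the separators
// ( ) < > @ , ; : \ " / [ ] ? = { } and minus space and tab.
const RFC_TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Assumed looser rule: any visible ASCII character except ";" and "=",
// the two that delimit a cookie pair. Control characters (CR, LF),
// space and non-ASCII are still rejected.
const LOOSE_NAME = /^[\x21-\x3A\x3C\x3E-\x7E]+$/;

// Report how each rule treats a candidate cookie name.
function classifyName(name) {
  return { rfcToken: RFC_TOKEN.test(name), loose: LOOSE_NAME.test(name) };
}

// Serialize only when the name passes the chosen rule. The value is
// percent-encoded, so it cannot carry delimiters of its own.
function serialize(name, value, nameRule = LOOSE_NAME) {
  if (!nameRule.test(name)) {
    throw new TypeError(`invalid cookie name: ${JSON.stringify(name)}`);
  }
  return `${name}=${encodeURIComponent(value)}`;
}

// Constructed sample names: one plain, one with ":", and four that would
// change the structure of a Set-Cookie header if written out verbatim.
const samples = [
  "session",
  "app:session",
  "a;b",
  "a=b",
  "a b",
  "a\r\nSet-Cookie: x",
];
for (const name of samples) {
  console.log(JSON.stringify(name), classifyName(name));
}
```

Only `app:session` is treated differently by the two rules; the names containing `;`, `=`, a space or CR/LF fail both.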

Development

Successfully merging this pull request may close these issues.

Option to bypass validation during cookie serialization