From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: Katsumi Yamaoka <yamaoka@jpl.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Date: Thu, 07 Dec 2017 07:47:26 +0900
Organization: Emacsen advocacy group
Message-ID: <b4mh8t3qxs1.fsf@jpl.org>
References: <8637jp64ow.fsf@realize.ch> <87vahkf5af.fsf@users.sourceforge.net>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: blaine.gmane.org 1512600491 31252 195.159.176.226 (6 Dec 2017 22:48:11 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Wed, 6 Dec 2017 22:48:11 +0000 (UTC)
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.90 (i686-pc-cygwin)
Cc: 24757@debbugs.gnu.org, Alain Schneble <a.s@realize.ch>
To: Noam Postavsky <npostavs@users.sourceforge.net>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Wed Dec 06 23:48:07 2017
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1eMiU0-0007wH-0l
	for geb-bug-gnu-emacs@m.gmane.org; Wed, 06 Dec 2017 23:48:04 +0100
Original-Received: from localhost ([::1]:58133 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1eMiU7-0000xo-7z
	for geb-bug-gnu-emacs@m.gmane.org; Wed, 06 Dec 2017 17:48:11 -0500
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:59206)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1eMiU1-0000xh-Lw
	for bug-gnu-emacs@gnu.org; Wed, 06 Dec 2017 17:48:06 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1eMiTy-0000AI-Jo
	for bug-gnu-emacs@gnu.org; Wed, 06 Dec 2017 17:48:05 -0500
Original-Received: from debbugs.gnu.org ([208.118.235.43]:40944)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1eMiTy-0000AA-FR
	for bug-gnu-emacs@gnu.org; Wed, 06 Dec 2017 17:48:02 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1eMiTy-0000yT-55
	for bug-gnu-emacs@gnu.org; Wed, 06 Dec 2017 17:48:02 -0500
X-Loop: help-debbugs@gnu.org
In-Reply-To: <8637jp64ow.fsf@realize.ch>
Resent-From: Katsumi Yamaoka <yamaoka@jpl.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Wed, 06 Dec 2017 22:48:02 +0000
Resent-Message-ID: <handler.24757.B24757.15126004573715@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 24757
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: patch
Original-Received: via spool by 24757-submit@debbugs.gnu.org id=B24757.15126004573715
	(code B ref 24757); Wed, 06 Dec 2017 22:48:02 +0000
Original-Received: (at 24757) by debbugs.gnu.org; 6 Dec 2017 22:47:37 +0000
Original-Received: from localhost ([127.0.0.1]:49625 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1eMiTZ-0000xr-C4
	for submit@debbugs.gnu.org; Wed, 06 Dec 2017 17:47:37 -0500
Original-Received: from mail-hampton.hostforweb.net ([205.234.186.191]:54447
	helo=hampton.hostforweb.net)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <yamaoka@jpl.org>) id 1eMiTY-0000xf-5y
	for 24757@debbugs.gnu.org; Wed, 06 Dec 2017 17:47:36 -0500
Original-Received: from s70.gtokyofl21.vectant.ne.jp ([202.215.75.70]:60000
	helo=localhost) by hampton.hostforweb.net with esmtpsa
	(TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89)
	(envelope-from <yamaoka@jpl.org>)
	id 1eMiTO-004GOE-OY; Wed, 06 Dec 2017 16:47:28 -0600
X-Face: #kKnN,xUnmKia.'[pp`;
	Omh}odZK)?7wQSl"4o04=EixTF+V[""w~iNbM9ZL+.b*_CxUmFk
	B#Fu[*?MZZH@IkN:!"\w%I_zt>[$nm7nQosZ<3eu;
	B:$Q_:p!',P.c0-_Cy[dz4oIpw0ESA^D*1Lw= L&i*6&(
Cancel-Lock: sha1:AKfrR6EFHtIrKKFKj6V37A6na0w=
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse,
	please include it with any abuse report
X-AntiAbuse: Primary Hostname - hampton.hostforweb.net
X-AntiAbuse: Original Domain - debbugs.gnu.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - jpl.org
X-Get-Message-Sender-Via: hampton.hostforweb.net: authenticated_id:
	yamaoka/from_h
X-Authenticated-Sender: hampton.hostforweb.net: yamaoka@jpl.org
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 208.118.235.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs/>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: "bug-gnu-emacs"
	<bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.bugs:140770
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/140770>

On Wed, 06 Dec 2017 06:46:00 -0500, Noam Postavsky wrote:
[...]
> In emacs-26, as of [1: caa39f495c], the second cookie is not present,
> but it looks like it unconditionally drops the HttpOnly attribute (and
> all other attributes?).  Is that the right thing?

Yes, I believe so.  Not only HttpOnly but also Expires, Max-Age,
etc. are only attributes of the cookie of which the name appeared
at the beginning of the Set-Cookie header.  Sending such ones to
certain web sites would cause an error as I mentioned below.

> [1: caa39f495c]: 2017-11-13 23:56:26 +0000
>   Fix cookie handling (bug#29282)
>   https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=caa39f495c0783dac2d5701100db83ea10f126c0