Summary

Enable optional strict domain checking for cookies.

Review Request #14223 — Created Nov. 2, 2024 and submitted Nov. 12, 2024, 3:43 a.m.

Information

Owner

chipx86

Repository

RBTools

Branch

release-5.x

Bugs

Depends On

Reviewers

Groups

rbtools

People

Description

This is a problem in the case where you have a primary server (e.g.,
rb.example.com) and a staging server as a subdomain (e.g.,
staging.rb.example.com).

To address this, we have a new option, COOKIES_STRICT_DOMAIN_MATCH.
When set, this overrides Python's default cookie logic to require an
exact domain match unless the cookie's domain contains a leading .
(which indicates a cookie intended to be used for subdomains).

This is off by default, in case this could impact any deployments out
there, but it can be safely enabled in most cases.

Testing Done

Unit tests pass.

Successfully posted changes to a subdomain exhibiting this problem
once the option was turned on.

Commits

Summary	ID
Enable optional strict domain checking for cookies. Python's cookie handler defaults to including cookies from any parent domain in a request to a subdomain. This can lead to issues if the same cookie is present for both domains, as the wrong cookie may end up winning. This isn't standard cookie behavior in all clients, but it is in Python, and it's not configurable. This is a problem in the case where you have a primary server (e.g., `rb.example.com`) and a staging server as a subdomain (e.g., `staging.rb.example.com`). To address this, we have a new option, `COOKIES_STRICT_DOMAIN_MATCH`. When set, this overrides Python's default cookie logic to require an exact domain match unless the cookie's domain contains a leading `.` (which indicates a cookie intended to be used for subdomains). This is off by default, in case this could impact any deployments out there, but it can be safely enabled in most cases.	e9d3831759b06c3eb3e27d4893c76a37e94bd028

Summary

Enable optional strict domain checking for cookies.

Python's cookie handler defaults to including cookies from any parent domain in a request to a subdomain. This can lead to issues if the same cookie is present for both domains, as the wrong cookie may end up winning. This isn't standard cookie behavior in all clients, but it is in Python, and it's not configurable. This is a problem in the case where you have a primary server (e.g., `rb.example.com`) and a staging server as a subdomain (e.g., `staging.rb.example.com`). To address this, we have a new option, `COOKIES_STRICT_DOMAIN_MATCH`. When set, this overrides Python's default cookie logic to require an exact domain match unless the cookie's domain contains a leading `.` (which indicates a cookie intended to be used for subdomains). This is off by default, in case this could impact any deployments out there, but it can be safely enabled in most cases.

e9d3831759b06c3eb3e27d4893c76a37e94bd028

Issues

Description	From	Last Updated
You're missing the COOKIES_STRICT_DOMAIN_MATCH section header.	david	Nov. 10, 2024, 10:38 p.m.
Missing the "Version Added" here.	maubin	Nov. 10, 2024, 10:38 p.m.

flake8 passed.

JSHint passed.

Ship it!

rbtools/api/request.py (Diff revision 1)
The issue has been resolved. Show all issues
```
Missing the "Version Added" here.
```

docs/rbtools/rbt/configuration/users.rst (Diff revision 1)
The issue has been resolved. Show all issues
```
You're missing the COOKIES_STRICT_DOMAIN_MATCH section header.
```

Change Summary:


Added a missing Version Added in a docstring and in the config docs.
Added a missing section header in docs.

Commits:

	Summary	ID
	Enable optional strict domain checking for cookies. Python's cookie handler defaults to including cookies from any parent domain in a request to a subdomain. This can lead to issues if the same cookie is present for both domains, as the wrong cookie may end up winning. This isn't standard cookie behavior in all clients, but it is in Python, and it's not configurable. This is a problem in the case where you have a primary server (e.g., `rb.example.com`) and a staging server as a subdomain (e.g., `staging.rb.example.com`). To address this, we have a new option, `COOKIES_STRICT_DOMAIN_MATCH`. When set, this overrides Python's default cookie logic to require an exact domain match unless the cookie's domain contains a leading `.` (which indicates a cookie intended to be used for subdomains). This is off by default, in case this could impact any deployments out there, but it can be safely enabled in most cases.	4dfe9599de2658a1eed20051243da79926ecf043
	Enable optional strict domain checking for cookies. Python's cookie handler defaults to including cookies from any parent domain in a request to a subdomain. This can lead to issues if the same cookie is present for both domains, as the wrong cookie may end up winning. This isn't standard cookie behavior in all clients, but it is in Python, and it's not configurable. This is a problem in the case where you have a primary server (e.g., `rb.example.com`) and a staging server as a subdomain (e.g., `staging.rb.example.com`). To address this, we have a new option, `COOKIES_STRICT_DOMAIN_MATCH`. When set, this overrides Python's default cookie logic to require an exact domain match unless the cookie's domain contains a leading `.` (which indicates a cookie intended to be used for subdomains). This is off by default, in case this could impact any deployments out there, but it can be safely enabled in most cases.	e9d3831759b06c3eb3e27d4893c76a37e94bd028

Diff:

Revision 2 (+284 -12)

Show changes

	docs/rbtools/rbt/configuration/users.rst
	rbtools/api/request.py
	rbtools/config/config.py

Checks run (2 succeeded)

flake8 passed.

JSHint passed.

Ship it!

```
Ship It!
```

Status:: Completed
Change Summary:: Pushed to release-5.x (c264936)

rbtools/api/request.py (Diff revision 1)