This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: Bogus cookie generated after invalid cookie attribute is input
Type: behavior Stage: patch review
Components: Library (Lib) Versions: Python 3.11
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: greob
Priority: normal Keywords: patch

Created on 2021-10-03 22:03 by greob, last changed 2022-04-11 14:59 by admin.

Pull Requests
URL Status Linked Edit
PR 28726 open greob, 2021-10-04 22:04
Messages (1)
msg403114 - (view) Author: (greob) * Date: 2021-10-03 22:03
Youtube sends cookies with some non-standard attributes. For example:
```
Secure-1PSID=XXXXXX; Domain=.youtube.com; Path=/; Expires=Tue, 03-Oct-2023 16:26:27 GMT; Secure; HttpOnly; Priority=HIGH; SameParty
```
Notice the Priority and SameParty attributes. 


In the case above, the cookie is entirely discarded because of the unexpected SameParty attribute. I have not read the specifications, but I would prefer to keep the cookie instead of discarding it. 
These unusual attributes are clearly used by Chromium. Firefox ignore these attributes and does not discard the cookies.

In another case, the "Priority" key/value attribute is present, which may or may not be followed by any other (valid) attributes. 
An extra cookie is then generated by http.cookies.BaseCookie.__parse_string() (cpython/Lib/http/cookies.py:539):

```
Set-Cookie: priority=high; Domain=www.youtube.com; Path=/; SameSite=none
```
There may even be duplicate cookies generated if the case changes (ie. "Priority=HIGH" would be yet another bogus cookie).

The reason for this is as follows:
The "priority=high" is seen as a key/value pair, and added to the parsed_items list with type TYPE_KEYVALUE, which is now the _second_ TYPE_KEYVALUE in the list. To my understanding, there should be only _one_ TYPE_KEYVALUE in this list, that is the actual cookie key/value pair. Any other item added to that list should be a TYPE_ATTRIBUTE.

In the for loop below (cpython/Lib/http/cookies.py:590), a new Morsel is created with key=Priority and value=HIGH, which is not what we want at all.

I have been working on a patch, but I keep pulling my hair over the fact that multiple key=value pairs can be found in the same string, which is expected by the test suite to result in multiple separate cookies.

An easy workaround would be to justadd "priority" to _reserved keys, and "sameparty" to known flags. Basically catching up with Google's "extensions".

Thoughts?
History
Date User Action Args
2022-04-11 14:59:50adminsetgithub: 89521
2021-10-04 22:04:49greobsetkeywords: + patch
stage: patch review
pull_requests: + pull_request27072
2021-10-03 22:03:46greobcreate