Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CookieJar cookies should not be sorted #86232

Open
IKermani mannequin opened this issue Oct 18, 2020 · 2 comments
Open

CookieJar cookies should not be sorted #86232

IKermani mannequin opened this issue Oct 18, 2020 · 2 comments
Labels
3.10 only security fixes stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error

Comments

@IKermani
Copy link
Mannequin

IKermani mannequin commented Oct 18, 2020

BPO 42066
Nosy @rhettinger, @IKermani
PRs
  • bpo-42066: CookieJar cookies should not be sorted #22745
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
    closed_at = None
    created_at = <Date 2020-10-18.08:59:25.049>
    labels = ['type-bug', 'library', '3.10']
    title = 'CookieJar cookies should not be sorted'
    updated_at = <Date 2021-10-07.15:18:17.271>
    user = 'https://github.com/IKermani'

    bugs.python.org fields:

    activity = <Date 2021-10-07.15:18:17.271>
    actor = 'Patrick Decat'
    assignee = 'none'
    closed = False
    closed_date = None
    closer = None
    components = ['Library (Lib)']
    creation = <Date 2020-10-18.08:59:25.049>
    creator = 'IKermani'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 42066
    keywords = ['patch']
    message_count = 2.0
    messages = ['378855', '378882']
    nosy_count = 3.0
    nosy_names = ['rhettinger', 'Patrick Decat', 'IKermani']
    pr_nums = ['22745']
    priority = 'normal'
    resolution = None
    stage = 'patch review'
    status = 'open'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue42066'
    versions = ['Python 3.10']

    @IKermani
    Copy link
    Mannequin Author

    IKermani mannequin commented Oct 18, 2020

    Lib/http/cookiejar.py

    By default python handle cookies based on regular Netscape cookie protocol and the protocol defined by RFC 2965.

    There is a behavior in python which sort cookies in CookieJar by default:

    keys = sorted(adict.keys())

    Moreover there is no definition in the 2965 about the cookie ordering in Cookie Header when cookies have equal-length path fields.

    This is a undesirable behavior when working with certain libraries like requests. psf/requests#5630

    In this case browser implements the RFC 6265 which obsoletes the RFC 2965. Therefore The behavior is based on https://tools.ietf.org/html/rfc6265#section-5.4:
    "The user agent SHOULD sort the cookie-list in the following order:
    Cookies with longer paths are listed before cookies with shorter paths.
    Among cookies that have equal-length path fields, cookies with earlier creation-times are listed before cookies with later creation-times."

    This means that the order of the cookies with same path attribute in Cookie header follow the Set-Cookie order in the HTTP response.

    RFC 6265 compliance is not what this issue is meant rather it imply on the sorting of cookies which is unnecessary here and not mentioned in RFC 2965 or the regular Netscape cookie protocol.

    Thanks in advance for looking into this issue

    Regards.

    @IKermani IKermani mannequin added 3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error labels Oct 18, 2020
    @rhettinger
    Copy link
    Contributor

    The seems reasonable to me. Likely, the sorting was originally added to make the execution order deterministic. Now that dicts remember insertion order, that is no longer necessary. Helpfully, the docs do not specify sorting, so there is no guaranteed behavior. That said, there is some risk that applications or their tests depend on the existing behavior.

    @rhettinger rhettinger removed 3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes labels Oct 19, 2020
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    verhovsky added a commit to verhovsky/cpython that referenced this issue Apr 21, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Labels
    3.10 only security fixes stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error
    Projects
    Status: No status
    Development

    No branches or pull requests

    1 participant