path: root/src/net/http/cookiejar/jar.go
Age | Commit message | Author
2026-02-03 | all: prealloc slice with possible minimum capabilities | Shulhan
2025-11-21 | net/http/cookiejar: treat localhost as secure origin | Sean Liao
For development purposes, browsers treat localhost as a secure origin regardless of protocol.

Fixes #60997
https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#restrict_access_to_cookies
https://bugzilla.mozilla.org/show_bug.cgi?id=1618113
https://issues.chromium.org/issues/40120372

Change-Id: I6d31df4e055f2872c4b93571c53ae5160923852b
Reviewed-on: https://go-review.googlesource.com/c/go/+/717860
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-07-29 | cmd,log,net,runtime: simplify string prefix and suffix processing | apocelipes
Use the TrimPrefix, TrimSuffix and CutPrefix to simplify the code.

Change-Id: I3e2b271ec0d3f9ce664b830e2b0c21ab47337ed0
GitHub-Last-Rev: 4bd1577d2496173800d609da75b08f6de177aba9
GitHub-Pull-Request: golang/go#68629
Reviewed-on: https://go-review.googlesource.com/c/go/+/601675
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
2024-05-23 | all: change from sort functions to slices functions where feasible | Ian Lance Taylor
Doing this because the slices functions are slightly faster and slightly easier to use. It also removes one dependency layer.

This CL does not change packages that are used during bootstrap, as the bootstrap compiler does not have the required slices functions.

It does not change the go/scanner package because the ErrorList Len, Swap, and Less methods are part of the Go 1 API.

Change-Id: If52899be791c829198e11d2408727720b91ebe8a
Reviewed-on: https://go-review.googlesource.com/c/go/+/587655
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Commit-Queue: Ian Lance Taylor <iant@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
2024-04-23 | all: fix some typos in comments | racequite
This change fixes some typographic errors that I found in various packages.

Change-Id: Ie2d0316f0137d6521496d389a9777659ae22128b
GitHub-Last-Rev: 0307b03d50f664a00a4afa5afa08a35efb7f3045
GitHub-Pull-Request: golang/go#66917
Reviewed-on: https://go-review.googlesource.com/c/go/+/580077
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Rob Pike <r@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Commit-Queue: Ian Lance Taylor <iant@golang.org>
Auto-Submit: Ian Lance Taylor <iant@golang.org>
2024-04-19 | net/http: add field Cookie.Quoted bool | Nuno Gonçalves
The current implementation of the http package strips double quotes from the cookie-value during parsing, resulting in the serialized cookie not including them. This patch addresses this limitation by introducing a new field to track whether the original value was enclosed in quotes.

Additionally, the internal representation of a cookie in the cookiejar package has been adjusted to align with the new representation.

The syntax of cookies is outlined in RFC 6265 Section 4.1.1:
https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1

Fixes #46443

Change-Id: Iac12a56397d77a6060a75757ab0daeacc60457f3
GitHub-Last-Rev: a76440e741440cddaa05944b6828a14a32b5a44a
GitHub-Pull-Request: golang/go#66752
Reviewed-on: https://go-review.googlesource.com/c/go/+/577755
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
2024-03-05 | net/http, net/http/cookiejar: avoid subdomain matches on IPv6 zones | Damien Neil
When deciding whether to forward cookies or sensitive headers across a redirect, do not attempt to interpret an IPv6 address as a domain name.

Avoids a case where a maliciously-crafted redirect to an IPv6 address with a scoped addressing zone could be misinterpreted as a within-domain redirect. For example, we could interpret "::1%.www.example.com" as a subdomain of "www.example.com".

Thanks to Juho Nurminen of Mattermost for reporting this issue.

Fixes CVE-2023-45289
Fixes #65065

Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/569340
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
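The bug class behind this commit, shown as an added example that is not the Go project's own code: a suffix-based "is this host within the original domain" check applied to a redirect target, beside a version that refuses to do suffix matching on anything that cannot be a hostname. The function names, the sample hosts and the redirect table are constructed for this illustration; only the "::1%.www.example.com" / "www.example.com" pair comes from the commit message.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// naiveIsDomainOrSubdomain reports whether sub is parent or a subdomain of
// parent using a plain suffix comparison. It never asks whether sub is a
// hostname at all. That is the mistake the commit message describes: an IPv6
// literal with a scoped addressing zone such as "::1%.www.example.com" ends in
// ".www.example.com" and therefore "matches". (Illustrative, not Go's code.)
func naiveIsDomainOrSubdomain(sub, parent string) bool {
	if sub == parent {
		return true
	}
	return strings.HasSuffix(sub, "."+parent)
}

// safeIsDomainOrSubdomain makes the same comparison but only for hostnames.
// Hostnames cannot contain ':' or '%', so either character marks an IPv6
// literal (with or without a zone) and short-circuits to false before the
// zone text is ever compared. IPv4 literals are rejected the same way:
// "10.0.0.1" is not a "subdomain" of "0.0.1".
func safeIsDomainOrSubdomain(sub, parent string) bool {
	if sub == parent {
		return true
	}
	if strings.ContainsAny(sub, ":%") || strings.ContainsAny(parent, ":%") {
		return false
	}
	if net.ParseIP(sub) != nil || net.ParseIP(parent) != nil {
		return false
	}
	return strings.HasSuffix(sub, "."+parent)
}

// redirectCase is a constructed (original host, redirect target) pair; the
// hosts are samples made up for this example.
type redirectCase struct {
	origHost, redirectHost string
}

func main() {
	cases := []redirectCase{
		{"www.example.com", "api.www.example.com"},
		{"www.example.com", "::1%.www.example.com"}, // the shape from the commit message
		{"example.com", "evilexample.com"},          // no label boundary: never a subdomain
		{"10.0.0.1", "10.0.0.1"},
	}
	for _, c := range cases {
		fmt.Printf("%-16s -> %-22s naive=%-5v safe=%v\n",
			c.origHost, c.redirectHost,
			naiveIsDomainOrSubdomain(c.redirectHost, c.origHost),
			safeIsDomainOrSubdomain(c.redirectHost, c.origHost))
	}
}
```

The decision to forward cookies or an Authorization header across a redirect should be gated on the safe variant; the naive one would hand them to whatever host the zone text names.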
2024-01-10 | net: add available godoc link | cui fliter
Change-Id: Ib7c4baf0247c421954aedabfbb6a6af8a08a8936
Reviewed-on: https://go-review.googlesource.com/c/go/+/540021
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: shuang cui <imcusg@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
2023-11-07 | net/http/cookiejar: remove unused variable | wulianglongrd
The errNoHostname variable is not used; delete it.

Change-Id: I62ca6390fd026e6a8cb1e8147f3fbfc3078c2249
Reviewed-on: https://go-review.googlesource.com/c/go/+/538455
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
2023-06-13 | all: fix mismatched symbols | cui fliter
There are some symbol mismatches in the comments; this commit attempts to fix them.

Change-Id: I5c9075e5218defe9233c075744d243b26ff68496
Reviewed-on: https://go-review.googlesource.com/c/go/+/492996
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: shuang cui <imcusg@gmail.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Run-TryBot: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
2023-05-24 | net/http: fix spelling issues in comments and tests | Oleksandr Redko
Change-Id: I1b90619fd073a0c41188278a50ed149b763f0fa8
Reviewed-on: https://go-review.googlesource.com/c/go/+/496135
Run-TryBot: Bryan Mills <bcmills@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
Auto-Submit: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
2023-04-04 | all: fix misuses of "a" vs "an" | cui fliter
Fixes the misuse of "a" vs "an", according to English grammatical expectations and using https://www.a-or-an.com/

Change-Id: I53ac724070e3ff3d33c304483fe72c023c7cda47
Reviewed-on: https://go-review.googlesource.com/c/go/+/480536
Run-TryBot: shuang cui <imcusg@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
2022-09-29 | net/http: use time.Compare | cuiweixie
Change-Id: I4730673130bdfbda9987dcb5869f421082f92150
Reviewed-on: https://go-review.googlesource.com/c/go/+/435615
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
2022-08-22 | net/http/cookiejar: remove duplicate words from comments | Abirdcfly
Change-Id: Id44f587199683fd8018865af1c2442f9f74e0dad
GitHub-Last-Rev: 35b1ab88677586c79918d363f22e05bc0c3c6479
GitHub-Pull-Request: golang/go#54495
Reviewed-on: https://go-review.googlesource.com/c/go/+/424434
Reviewed-by: hopehook <hopehook@qq.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: hopehook <hopehook@qq.com>
Reviewed-by: Joedian Reid <joedian@golang.org>
2022-05-18 | net/http/cookiejar: allow cookies with an IP address in the domain attribute | Volker dobler
A set domain attribute in a cookie in a Set-Cookie header is intended to create a domain cookie, i.e. a cookie that is not only sent back to the domain the Set-Cookie was received from, but to all subdomains thereof too.

Sometimes people set this domain attribute to an IP address. This seems to be allowed by RFC 6265, albeit it's not really sensible as there are no "subdomains" of an IP address. Contemporary browsers allow such cookies; currently Jar forbids them.

This CL allows such cookies to be persisted in the Jar and sent back again in subsequent requests. Jar allows those cookies that all contemporary browsers allow (not all browsers behave the same and none seems to conform to RFC 6265 in regards to these cookies, see below).

The following browsers (in their current versions) were tested:
  - Chrome (Mac and Windows)
  - Firefox (Mac and Windows)
  - Safari (Mac)
  - Opera (Mac)
  - Edge (Windows)
  - Internet Explorer (Windows)
  - curl (Mac, Linux)

All of them allow a cookie to be set via the following HTTP header if the request was made to e.g. http://35.206.97.83/ :

    Set-Cookie: a=1; domain=35.206.97.83

They differ in handling a leading dot "." before the IP address, as in

    Set-Cookie: a=1; domain=.35.206.97.83

which sets a=1 only in curl and in Internet Explorer; the other browsers just reject such cookies.

As far as these internals can be observed, the browsers do not treat such cookies as domain cookies but as host cookies. RFC 6265 would require treating them as domain cookies; this is a) nonsensical and b) doesn't make an observable difference. As we do not expose Jar entries and their HostOnly flag it probably is still okay to claim that Jar implements an RFC 6265 cookie jar.

RFC 6265 would allow cookies with dot-prefixed domains like domain=.35.206.97.83, but it seems as if this feature of RFC 6265 is not used in real life and not requested by users of package cookiejar (probably because it doesn't work in browsers), so we refrain from documenting this detail.

Fixes #12610

Change-Id: Ibd883d85bde6b958b732cbc3618a1238ac4fc84a
Reviewed-on: https://go-review.googlesource.com/c/go/+/326689
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
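The behaviour the commit message lays out, exercised against the standard-library jar as an added example (this is not code from the Go project; it drives the public net/http/cookiejar API). It assumes a Go release that contains this change (Go 1.19 or later) and uses a Jar created with a nil PublicSuffixList, which is enough here because IP hosts never consult the list. The URLs, cookie names and the helper names are constructed for the example; 35.206.97.83 is the address from the commit message.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// newJar returns a Jar without a PublicSuffixList. IP hosts never consult the
// list, and the single hostname case below only needs the jar's built-in
// fallback of using the last two labels as the key.
func newJar() *cookiejar.Jar {
	jar, err := cookiejar.New(nil)
	if err != nil {
		panic(err)
	}
	return jar
}

// setAndGet stores one cookie carrying the given Domain attribute as if it had
// arrived in a Set-Cookie response from setURL, then returns the names of the
// cookies the jar would attach to a request to getURL.
func setAndGet(setURL, getURL, name, domain string) []string {
	jar := newJar()
	su, err := url.Parse(setURL)
	if err != nil {
		panic(err)
	}
	gu, err := url.Parse(getURL)
	if err != nil {
		panic(err)
	}
	jar.SetCookies(su, []*http.Cookie{{Name: name, Value: "1", Domain: domain}})
	var names []string
	for _, c := range jar.Cookies(gu) {
		names = append(names, c.Name)
	}
	return names
}

// ipDomainCookieAccepted: domain=<the IP the response came from> is stored
// and sent back to that IP.
func ipDomainCookieAccepted() bool {
	return len(setAndGet("http://35.206.97.83/", "http://35.206.97.83/", "a", "35.206.97.83")) == 1
}

// dotPrefixedIPDomainRejected: domain=.<IP> is dropped, as in the browsers
// listed in the commit message other than curl and Internet Explorer.
func dotPrefixedIPDomainRejected() bool {
	return len(setAndGet("http://35.206.97.83/", "http://35.206.97.83/", "a", ".35.206.97.83")) == 0
}

// ipDomainCookieNotSentElsewhere: there are no subdomains of an IP address,
// so the cookie behaves as a host cookie and never reaches another address.
func ipDomainCookieNotSentElsewhere() bool {
	return len(setAndGet("http://35.206.97.83/", "http://35.206.97.84/", "a", "35.206.97.83")) == 0
}

// hostnameDomainCookieFlowsToSubdomain is the contrast case: for a real
// hostname, a domain attribute creates a domain cookie that is also sent to
// subdomains of that domain.
func hostnameDomainCookieFlowsToSubdomain() bool {
	return len(setAndGet("http://www.example.com/", "http://api.example.com/", "a", "example.com")) == 1
}

func main() {
	fmt.Println("domain=IP accepted on same IP:      ", ipDomainCookieAccepted())
	fmt.Println("domain=.IP rejected:                ", dotPrefixedIPDomainRejected())
	fmt.Println("domain=IP not sent to other IP:     ", ipDomainCookieNotSentElsewhere())
	fmt.Println("hostname domain cookie to subdomain:", hostnameDomainCookieFlowsToSubdomain())
}
```

Note the asymmetry this makes visible: on a hostname, a domain attribute widens where the cookie is sent; on an IP address it cannot, so the only thing the attribute can do is be rejected when it does not equal the host exactly.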
2022-05-08 | all: fix some lint issues | Ryan Leung
Make some code simpler.

Change-Id: I801adf0dba5f6c515681345c732dbb907f945419
GitHub-Last-Rev: a505146baca00a1b3268d11d10510afa8cea6f1d
GitHub-Pull-Request: golang/go#49626
Reviewed-on: https://go-review.googlesource.com/c/go/+/364634
Run-TryBot: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Keith Randall <khr@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: David Chase <drchase@google.com>
2022-04-11 | all: gofmt main repo | Russ Cox
[This CL is part of a sequence implementing the proposal #51082. The design doc is at https://go.dev/s/godocfmt-design.]

Run the updated gofmt, which reformats doc comments, on the main repository. Vendored files are excluded.

For #51082.

Change-Id: I7332f099b60f716295fb34719c98c04eb1a85407
Reviewed-on: https://go-review.googlesource.com/c/go/+/384268
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2021-05-10 | net/http: switch HTTP1 to ASCII equivalents of string functions | Roberto Clapis
The current implementation uses UTF-aware functions like strings.EqualFold and strings.ToLower. This could, in some cases, cause http smuggling.

Change-Id: I0e76a993470a1e1b1b472f4b2859ea0a2b22ada0
Reviewed-on: https://go-review.googlesource.com/c/go/+/308009
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Roberto Clapis <roberto@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
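Why Unicode-aware folding is the wrong tool for HTTP/1 tokens, as an added example that is not the Go project's code. strings.EqualFold applies Unicode simple case folding, under which U+212A KELVIN SIGN folds onto "k" and U+017F LATIN SMALL LETTER LONG S folds onto "s"; strings.ToLower likewise maps the Kelvin sign to ASCII "k". A header name containing such a byte sequence is not a valid token, yet a Unicode-aware comparison would treat it as the real header. The ASCII-only helpers, the header samples and their names are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// asciiLower folds only ASCII letters; every other byte is left as it is, so a
// non-ASCII look-alike can never collapse onto an ASCII header name.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// asciiEqualFold compares two strings case-insensitively over ASCII only. It
// returns false as soon as either side contains a non-ASCII byte: such a
// string cannot be a valid HTTP/1 token and must not compare equal to one.
func asciiEqualFold(a, b string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := 0; i < len(a); i++ {
		ca, cb := a[i], b[i]
		if ca >= 0x80 || cb >= 0x80 {
			return false
		}
		if 'A' <= ca && ca <= 'Z' {
			ca += 'a' - 'A'
		}
		if 'A' <= cb && cb <= 'Z' {
			cb += 'a' - 'A'
		}
		if ca != cb {
			return false
		}
	}
	return true
}

// Constructed header names. kelvinKeepAlive spells "Keep-Alive" with U+212A
// KELVIN SIGN in place of the ASCII 'K'; longSSetCookie spells "Set-Cookie"
// with U+017F LATIN SMALL LETTER LONG S in place of the ASCII 'S'.
const (
	keepAlive       = "Keep-Alive"
	kelvinKeepAlive = "\u212Aeep-Alive"
	setCookie       = "Set-Cookie"
	longSSetCookie  = "\u017Fet-Cookie"
)

func main() {
	for _, p := range [][2]string{{keepAlive, kelvinKeepAlive}, {setCookie, longSSetCookie}} {
		fmt.Printf("%q vs %q: strings.EqualFold=%v asciiEqualFold=%v\n",
			p[0], p[1], strings.EqualFold(p[0], p[1]), asciiEqualFold(p[0], p[1]))
	}
	fmt.Printf("strings.ToLower(%q)=%q asciiLower(%q)=%q\n",
		kelvinKeepAlive, strings.ToLower(kelvinKeepAlive), kelvinKeepAlive, asciiLower(kelvinKeepAlive))
}
```

The smuggling angle is that two parsers in a request path (a proxy and an origin, say) may disagree on whether the look-alike name is the real header; an ASCII-only comparison on the Go side removes that ambiguity.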
2018-07-09 | net/http: add support for SameSite option in http.Cookie | Stephan Renatus
The same-site cookie attribute prevents a cookie from being sent along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage and provide some protection against cross-site request forgery attacks.

This change adds the option to http.Cookie so it can be stored and passed to HTTP clients.

Spec: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00

Fixes #15867

Based on https://github.com/reedloden/go/commit/eb31a0f063c80058bbb3abff4ca09b3565985500 by Reed Loden <reed@hackerone.com>

Change-Id: I98c8a9a92358b2f632990576879759e3aff38cff
Reviewed-on: https://go-review.googlesource.com/79919
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-10-05 | all: revert "all: prefer strings.LastIndexByte over strings.LastIndex" | Marvin Stenger
This reverts https://golang.org/cl/66372.

Updates #22148

Change-Id: I3e94af3dfc11a2883bf28e1d5e1f32f98760b3ee
Reviewed-on: https://go-review.googlesource.com/68431
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2017-09-27 | all: prefer strings.LastIndexByte over strings.LastIndex | Marvin Stenger
strings.LastIndexByte was introduced in go1.5 and it can be used effectively wherever the second argument to strings.LastIndex is exactly one byte long.

This avoids generating unnecessary string symbols and saves a few calls to strings.LastIndex.

Change-Id: I7b5679d616197b055cffe6882a8675d24a98b574
Reviewed-on: https://go-review.googlesource.com/66372
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2017-05-22 | net/http/cookiejar: increase test coverage | Volker Dobler
The jarKey function handles broken PublicSuffixList implementations but no test verified it.

Change-Id: Ifb76de9e8c3941f3b08d3e43970056e023013457
Reviewed-on: https://go-review.googlesource.com/38357
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-03-21 | net/http/cookiejar: fix out-of-bounds errors on malformed domains | Volker Dobler
The old implementation of Jar made the assumption that the host names in the URLs given to SetCookies() and Cookies() methods are well-formed. This is not an unreasonable assumption as malformed host names do not trigger calls to SetCookies or Cookies (at least not from net/http) as the HTTP requests themselves are not executed. But there can be other invocations of these methods, and at least on Linux it was possible to make DNS lookups to domain names with two trailing dots (see issue #7122).

This is an old bug and this CL revives an old change (see https://codereview.appspot.com/52100043) to fix the issue.

The discussion around 52100043 focused on the interplay between the jar and the public suffix list and who is responsible for which type of domain name canonicalization. The new bug report in issue #19384 used a nil public suffix list which demonstrates that the package cookiejar alone exhibits this problem and any solution cannot be fully delegated to the implementation of the used PublicSuffixList: Package cookiejar itself needs to protect against host names of the form ".." which triggered an out-of-bounds error.

This CL does not address the issue of host name canonicalization and the question of who is responsible for it. This CL just prevents the out-of-bounds error: It is a very conservative change, i.e. one might still set and retrieve cookies for host names like "weird.stuf...".

Several more test cases document how the current code works.

Fixes #19384.

Change-Id: I14be080e8a2a0b266ced779f2aeb18841b730610
Reviewed-on: https://go-review.googlesource.com/37843
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
2016-10-04 | all: use sort.Slice where applicable | Brad Fitzpatrick
I avoided anywhere in the compiler or things which might be used by the compiler in the future, since they need to build with Go 1.4.

I also avoided anywhere where there was no benefit to changing it.

I probably missed some.

Updates #16721

Change-Id: Ib3c895ff475c6dec2d4322393faaf8cb6a6d4956
Reviewed-on: https://go-review.googlesource.com/30250
TryBot-Result: Gobot Gobot <gobot@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Andrew Gerrand <adg@golang.org>
2016-09-21 | net/http/cookiejar: fix typo | Michal Bohuslávek
Change-Id: I6ea8650927e7946c6fd4659f400fd91ddaae68af
Reviewed-on: https://go-review.googlesource.com/29510
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2014-11-10 | all: use golang.org/x/... import paths | Andrew Gerrand
LGTM=rsc, r
R=r, rsc
CC=golang-codereview, golang-codereviews
https://golang.org/cl/168050043
2014-09-08 | build: move package sources from src/pkg to src | Russ Cox
Preparation was in CL 134570043.

This CL contains only the effect of 'hg mv src/pkg/* src'.

For more about the move, see golang.org/s/go14nopkg.