ureq

Add "strict mode"

Open tcmal opened this issue 1 year ago • 6 comments

As mentioned here, enforcing RFC requirements for cookies has some downsides for interoperability - in my case, Blackboard Learn's BBRouter cookie is sometimes sent without quotes when it should have them.

This PR adds a "strict mode" option (on by default). Behaviour is the same when strict mode is on, but when it is off non-RFC compliant cookies are accepted so long as they can be parsed.

tcmal, Dec 26 '23 15:12

bump @algesten

tcmal, Jan 25 '24 11:01

Hi and thanks for the submission! I don't think we should merge this. Two reasons: there's not enough evidence that this is a widespread compatibility problem; and it's important to carefully avoid a proliferation of options, because it makes API design more complicated and it makes the software harder to thoroughly test.

jsha, Jan 25 '24 22:01

hm fair enough. like i mentioned, the reason i need it is because blackboard learn (a mature but sorta niche bit of software) sends a bad cookie, and since i can't change that i need this in order to use this library. i think it's also worth noting that browsers don't bother doing this validation and just take anything they can parse, which makes it hard to find sites that are breaking it.

i assume adding a feature gate wouldn't help with the api surface you're worried about, i'll let you decide whether to close this or not.

tcmal, Feb 06 '24 12:02

One way you could probably work around would be to turn off the cookies Cargo feature and parse cookies from the responses yourself. Would that solve your issue?

jsha, Feb 07 '24 02:02

Probably possible, I'll take a look. Thank you.

tcmal, Feb 12 '24 12:02

Yeah, I also stumbled across this with a website that sets cookie values as an encoded value, and it was randomly failing - but thanks to ureq's great logging it was easy to figure out why.

They wrap the value with " if it ends with = it seems.

set-cookie: foo="xxx--=="; Version=1; Path=/; Secure; HttpOnly; Max-Age=86400; Expires=Thu, 15-Feb-2024 12:12:12 GMT

I can't figure out if this is valid from reading the RFC, as the cookie crate does the validation.

edit: I was thinking I could use middleware to fix the cookie to the expected value, but I believe that is just on the Request, and not the response?

The annoying thing about these endpoints is they have multiple redirects, I can write code for it but was hoping not to, as ureq has really reduced boilerplate.

edit: You can use middleware on responses by calling next.handle(req)?;, but the middleware is done after the cookies are processed.

joshuataylor, Feb 14 '24 12:02
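
Added example, not code from ureq or the cookie crate: a check of a Set-Cookie value against the cookie-value grammar in RFC 6265 section 4.1.1, applied to the value quoted in the comment above. The function names and the lenient rule (refuse only control bytes and `;`) are assumptions made for illustration.

```rust
/// Result of checking a value against RFC 6265 section 4.1.1 (cookie-value).
#[derive(Debug, PartialEq)]
pub enum ValueCheck {
    /// *cookie-octet, optionally wrapped in one balanced pair of DQUOTEs.
    Compliant,
    /// First byte that breaks the grammar, with its offset in the raw value.
    NonCompliant { offset: usize, byte: u8 },
}

/// cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
/// (US-ASCII without controls, space, DQUOTE, comma, semicolon, backslash)
fn is_cookie_octet(b: u8) -> bool {
    matches!(b, 0x21 | 0x23..=0x2B | 0x2D..=0x3A | 0x3C..=0x5B | 0x5D..=0x7E)
}

pub fn check_cookie_value(raw: &str) -> ValueCheck {
    let bytes = raw.as_bytes();
    // Surrounding quotes belong to the grammar only when both are present.
    let quoted = bytes.len() >= 2 && bytes[0] == b'"' && bytes[bytes.len() - 1] == b'"';
    let (inner, base) = if quoted { (&bytes[1..bytes.len() - 1], 1) } else { (bytes, 0) };
    match inner.iter().position(|&b| !is_cookie_octet(b)) {
        None => ValueCheck::Compliant,
        Some(i) => ValueCheck::NonCompliant { offset: base + i, byte: inner[i] },
    }
}

/// Hypothetical policy switch in the spirit of the proposed "strict mode".
/// Assumption: lenient mode still refuses control bytes (CR/LF would allow
/// header splitting) and ';' (the attribute delimiter).
pub fn accept(raw: &str, strict: bool) -> bool {
    match check_cookie_value(raw) {
        ValueCheck::Compliant => true,
        ValueCheck::NonCompliant { .. } => {
            !strict && raw.bytes().all(|b| b >= 0x20 && b != 0x7F && b != b';')
        }
    }
}

fn main() {
    // Values: the one quoted in the thread, then constructed samples.
    for v in ["\"xxx--==\"", "xxx--==", "a b", "\"abc", "a\r\nb"] {
        println!("{:?}: {:?} strict={} lenient={}",
                 v, check_cookie_value(v), accept(v, true), accept(v, false));
    }
}
```

This checks only the cookie-value production, so a rejection by a real client may come from a different rule than the one shown here.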

Closing since we are moving to 3.x. This is an interesting topic though.

algesten, Aug 13 '24 17:08

Might be worth converting to a discussion, the nice thing is I haven't faced this same problem since that website (it was Snowflake's API authentication flow, FWIW), and ureq has served me well with many other websites. 😍

joshuataylor, Aug 14 '24 14:08