crystal-community
Adds filters for request cookies, per HTTP standards
HTTP::Cookies, in the standard library, appears to be a relatively dumb collection of HTTP::Cookie objects and does not appear to do any filtering based on HTTP standards. The library seems to rely on the developer having prior knowledge of whether or not to send any given cookie.
Not everyone may understand there even should be filtering, but it makes sense when put in another context: not sending my Facebook login cookie to Github even though I have visited both sites in the same browsing session.
This change applies the necessary filtering for security reasons:
-
HTTP::Cookie#securelimits the cookie to only HTTPS requests -
HTTP::Cookie#pathlimits the cookie to be used only if the request path starts with the given value on the cookie -
HTTP::Cookie#domainlimits the cookie to be used only if the request's domain is either the cookie's domain or subdomain (or somewhere down the chain of sub-sub-domains)
Ignored attributes of HTTP::Cookie:
-
HTTP::Cookie#http_onlylimits usage of the cookie by javascript to prevent the browser from XSS attacks leaking the cookies to an unauthorized destination -
HTTP::Cookie#extension??? (frankly, I'm not sure what this is for. Haven't found anything online about it in the HTTP standards)
Note: Until #7 is merged in, Travis will say this build is broken. I wanted this PR to be independent of it. The current form should work just fine in prior versions of Crystal.
@TheLonelyGhost Thanks again for the activity:) I'll take a look when I have fresh brain)
Just saw #7 was merged. Will rebase from the new master branch before you review the code.