
feat: Add RFC 6761–compliant localhost loopback checks so secure cookies work on localhost (fixes: #1676) #4038

Open · wants to merge 2 commits into main

Conversation

Chriss4123

fixes: #1676

Description

Contribution Checklist:

  • The pull request only addresses one issue or adds one feature.
  • The pull request does not introduce any breaking changes
  • I have added screenshots or gifs to help explain the change if applicable.
  • I have read the contribution guidelines.
  • Create an issue and link to the pull request.

This commit extends how cookies are treated in secure contexts by fully recognizing localhost and loopback IPs as trustworthy origins, matching the de facto behavior of all modern browsers and RFC 6761. Previously, tough-cookie defaulted secure to true only for https: and wss: URLs, causing cookies with secure set to never be sent to localhost.

What Changed

  1. New trustworthy-util.js

    • Implements isPotentiallyTrustworthy(url) by checking:
      • Schemes: https, wss, file
      • Loopback IPs: 127.0.0.1/8 and ::1
      • Hostnames: localhost and *.localhost
    • Adapted from Chromium’s IsLocalhost, IsLoopback and HostNoBracketsPiece, located at:
  2. cookies.js Update

    • Passes the { secure: isPotentiallyTrustworthy(url) } option to cookieJar.getCookiesSync().
    • This overrides tough-cookie’s built-in:
      let secure = options.secure;
      if (secure == null && (context.protocol == "https:" || context.protocol == "wss:")) {
        secure = true;
      }
      We do everything tough-cookie does by default—plus treat localhost/loopback the same as modern browsers. No existing functionality is removed, only expanded.

Testing this change

from flask import Flask, request, make_response

app = Flask(__name__)

@app.route('/setcookie')
def set_cookie():
    # Set a cookie with the Secure attribute. A client that only honours
    # Secure on https: will never send it back over http://localhost.
    resp = make_response('')
    resp.set_cookie('example', '', secure=True)
    return resp

@app.route('/getcookie')
def get_cookie():
    # Report whether the client attached the Secure cookie to a plain-HTTP request.
    return 'Cookie is set' if 'example' in request.cookies else 'No cookie set'

app.run()  # serves on http://127.0.0.1:5000 by default
  • Before: The secure cookie would not be sent to /getcookie after it was set by /setcookie due to secure being set to True.
  • After: The secure cookie would be sent to /getcookie which mirrors the behavior of modern browsers.

All modern browsers (Chrome et al.) and many other API testing clients (Postman et al.) handle http://localhost as a trustworthy origin. It only makes sense that this behavior also exists in Bruno.

Successfully merging this pull request may close these issues.

[Bug] Cookies not sent