How does a browser handle a cookie with no path and no domain

Views: 138
This article explains how a browser handles a cookie that carries neither a Path nor a Domain attribute, and may serve as a reference for anyone facing the same question.

Problem description



I have googled this a lot now and have found conflicting answers. So my question is: how does a browser handle an HTTP cookie that has no domain and no path attributes?

For example this response from server:

200 OK https://example.com/a/b (6047ms)
Set-Cookie: x-my-cookie=1.0; Max-Age=86400000; Expires=Sun, 05-Jan-2020 08:30:25 GMT

Should the cookie be included when making requests to https://m.example.com/a/b?

What about https://example.com/zzzz?

And https://example.com/a?

And https://example.com/a/b/c?

And https://example.com?

Solution

For Set-Cookie without a domain attribute, the cookie's domain value is "the origin server". According to RFC 6265:

Unless the cookie's attributes indicate otherwise, the cookie is returned only to the origin server (and not, for example, to any subdomains)...If the server omits the Domain attribute, the user agent will return the cookie only to the origin server.

With the following exception:

WARNING: Some existing user agents treat an absent Domain attribute as if the Domain attribute were present and contained the current host name. For example, if example.com returns a Set-Cookie header without a Domain attribute, these user agents will erroneously send the cookie to www.example.com as well.

Maybe that's why you found conflicting answers.


For Set-Cookie without a path attribute, RFC 6265 states that:

If the server omits the Path attribute, the user agent will use the "directory" of the request-uri's path component as the default value.


For your example, the answer would be:

Should the cookie be included when making requests to https://m.example.com/a/b?

No. Because m.example.com is not the origin server (example.com).

What about https://example.com/zzzz?

No. Because /zzzz is not under "directory" /a/b.

And https://example.com/a?

No. Because /a is not under "directory" /a/b.

And https://example.com/a/b/c?

Yes. Because /a/b/c IS under "directory" /a/b.

And https://example.com?

No. Because / is not under "directory" /a/b.
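The scoping rules the answer quotes, worked through as an added example. This is illustration code written for this page, not the asker's or the answerer's code and not any browser's implementation. It implements the RFC 6265 rules for a Set-Cookie header that omits Domain and Path: the default-path computation (section 5.1.4), path-match (section 5.1.4), domain-match (section 5.1.3, for cookies that do carry a Domain attribute) and host-only treatment of a cookie set without Domain, then evaluates the five URLs from the question against the response shown above. One caveat a reader should keep in mind: RFC 6265 section 5.1.4 defines the default path as the request path up to, but not including, its right-most "/", so for a response to /a/b the default path is /a, and under that rule a request to https://example.com/a is also matched. Expiry (Max-Age/Expires) is parsed but not evaluated, and the IP-address special case of domain-match is left out.

```python
"""Model of RFC 6265 cookie scoping for Set-Cookie headers without Domain/Path.
Added illustration for this page; not a browser's cookie jar."""
from urllib.parse import urlsplit


def default_path(request_path: str) -> str:
    """RFC 6265 section 5.1.4 default-path: the 'directory' of the request path.

    Everything up to, but not including, the right-most '/'. Falls back to
    '/' when the path is empty, does not start with '/', or contains no '/'
    beyond the first one.
    """
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # either the cookie path ends in '/', or the next char of the request
        # path is '/', so '/a' matches '/a/b/c' but not '/ab'
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match (IP-address rule omitted)."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, request_url: str) -> dict:
    """Build the stored cookie from a Set-Cookie header received for request_url."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    url = urlsplit(request_url)
    path_attr = attrs.get("path", "")
    cookie = {
        "name": name.strip(),
        "value": value.strip(),
        "secure": "secure" in attrs,
        # a Path attribute is honoured only if it starts with '/'
        "path": path_attr if path_attr.startswith("/") else default_path(url.path),
    }
    domain_attr = attrs.get("domain", "").lstrip(".").lower()
    if domain_attr:
        cookie["domain"], cookie["host_only"] = domain_attr, False
    else:
        # no Domain attribute: host-only cookie, returned only to the origin server
        cookie["domain"], cookie["host_only"] = url.hostname.lower(), True
    return cookie


def should_send(cookie: dict, request_url: str) -> bool:
    """RFC 6265 section 5.4 selection (expiry ignored here)."""
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    if cookie["host_only"]:
        if host != cookie["domain"]:
            return False
    elif not domain_matches(host, cookie["domain"]):
        return False
    if cookie["secure"] and url.scheme != "https":
        return False
    return path_matches(url.path or "/", cookie["path"])


# Constructed sample: the response and the candidate URLs from the question
ORIGIN_URL = "https://example.com/a/b"
SET_COOKIE = "x-my-cookie=1.0; Max-Age=86400000; Expires=Sun, 05-Jan-2020 08:30:25 GMT"
CANDIDATES = [
    "https://m.example.com/a/b",
    "https://example.com/zzzz",
    "https://example.com/a",
    "https://example.com/a/b/c",
    "https://example.com",
]


def evaluate(header: str = SET_COOKIE, origin: str = ORIGIN_URL, urls=CANDIDATES) -> dict:
    """Return {url: True/False} for whether the stored cookie would be sent."""
    cookie = parse_set_cookie(header, origin)
    return {u: should_send(cookie, u) for u in urls}


if __name__ == "__main__":
    print(parse_set_cookie(SET_COOKIE, ORIGIN_URL))
    for url, sent in evaluate().items():
        print(f"{'send' if sent else 'skip'}  {url}")
```

Running the block prints the stored cookie (host-only, domain example.com, path /a) and then one line per candidate URL. Swapping in a header such as "x=1; Domain=example.com" shows the other case from the answer: with an explicit Domain, domain-match applies and m.example.com does receive the cookie.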

