Status: Open

Description

| Field | Value |
| --- | --- |
| Previous ID | SR-15927 |
| Radar | None |
| Original Reporter | CodingMarkus (JIRA User) |
| Type | Bug |

Additional Detail from JIRA

| Field | Value |
| --- | --- |
| Votes | 0 |
| Component/s | Foundation |
| Labels | Bug |
| Assignee | None |
| Priority | Medium |

md5: b10ba7dbf508f3cfee30c8942379f473
Issue Description:
RFC 6265 clearly specifies how to match cookies to be sent out in section 5.4:
https://datatracker.ietf.org/doc/html/rfc6265#section-5.4

But `open func cookies(for url: URL) -> [HTTPCookie]?` does not follow these rules even remotely.

E.g. it completely ignores the host-only flag, it completely ignores the secure-only flag, it completely ignores the path component of the cookie. The only thing it does is matching the domain.

As cookie content can be security-relevant information, this is a security nightmare, as it can cause cookies to be sent in requests where they must not be sent at all.
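For reference, the following is an added example (not code from swift-corelibs-foundation or from the reporter) of what the RFC 6265 section 5.4 selection step looks like when the host-only flag, the secure-only flag and the path attribute are all honoured. It is written in Python rather than Swift so it can be run stand-alone; the `Cookie` record, the field names and the sample cookie jar are assumptions constructed for the example, and the cookie attributes are taken as already parsed and canonicalized (lowercase domain, absolute path).

```python
from dataclasses import dataclass
from urllib.parse import urlsplit
import ipaddress


@dataclass
class Cookie:
    """Minimal cookie record (constructed for this example, not Foundation's HTTPCookie)."""
    name: str
    value: str
    domain: str          # canonicalized (lowercase) host or domain
    path: str            # absolute path, as set or derived per RFC 6265 5.1.4
    host_only: bool      # true when the cookie was set without a Domain attribute
    secure_only: bool    # true when the Secure attribute was present
    creation_index: int  # lower value == created earlier (used for ordering)


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3 domain-matching: identical, or host ends with '.' + domain and is not an IP."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    if not host.endswith(domain) or host[-len(domain) - 1] != ".":
        return False
    try:
        ipaddress.ip_address(host)   # IP addresses never domain-match a parent domain
        return False
    except ValueError:
        return True


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-matching."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def cookies_for(url: str, jar: list[Cookie]) -> list[Cookie]:
    """RFC 6265 5.4 step 1 and 2: select and order the cookies eligible for a request to `url`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    secure_channel = parts.scheme.lower() == "https"

    selected = []
    for c in jar:
        # host-only cookies require an exact host match; otherwise domain-match applies
        if c.host_only:
            if host != c.domain.lower():
                continue
        elif not domain_matches(host, c.domain):
            continue
        if not path_matches(path, c.path):
            continue
        # secure-only cookies are only released over a "secure" scheme
        if c.secure_only and not secure_channel:
            continue
        selected.append(c)

    # longer paths first; among equal paths, earlier creation time first
    selected.sort(key=lambda c: (-len(c.path), c.creation_index))
    return selected


def cookie_header(url: str, jar: list[Cookie]) -> str:
    """RFC 6265 5.4 step 4: serialize the selected cookies into a Cookie header value."""
    return "; ".join(f"{c.name}={c.value}" for c in cookies_for(url, jar))


# Constructed sample jar: a host-only, Secure session cookie; a domain-wide preference
# cookie; a cookie scoped to /admin; and a cookie belonging to an unrelated site.
JAR = [
    Cookie("session", "abc", "example.com", "/", host_only=True, secure_only=True, creation_index=0),
    Cookie("prefs", "dark", "example.com", "/", host_only=False, secure_only=False, creation_index=1),
    Cookie("admin", "1", "example.com", "/admin", host_only=False, secure_only=False, creation_index=2),
    Cookie("other", "x", "other.example", "/", host_only=False, secure_only=False, creation_index=3),
]

if __name__ == "__main__":
    for u in ("https://example.com/", "http://example.com/", "https://api.example.com/admin/users"):
        print(u, "->", cookie_header(u, JAR))
```

Matching only the domain, as the report describes, would release the `session` cookie to `api.example.com` (a host-only cookie must not leave `example.com`) and to plain `http://` (a Secure cookie must not leave a secure channel), and would attach the `/admin` cookie to every path; the checks above are what prevents each of those.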