Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add RFC 6761–compliant localhost loopback checks so secure cookies work on localhost (fixes: #382) #498

Open
wants to merge 10 commits into
base: master
Choose a base branch
from
Open

feat: Add RFC 6761–compliant localhost loopback checks so secure cookies work on localhost (fixes: #382) #498

wants to merge 10 commits into from

Conversation

Chriss4123
Copy link

fixes: #382

Description

This commit extends how cookies are treated in secure contexts by fully recognizing localhost and loopback IPs as trustworthy origins, matching the de facto behavior of all modern browsers and RFC 6761. Previously, tough-cookie defaulted secure to true only for https: and wss: URLs, causing cookies with secure to not work with localhost.

What Changed

  1. New secureContext.ts

    • Implements isPotentiallyTrustworthy(url) by checking:
      • Schemes: https or wss
      • Loopback IPs: 127.0.0.1/8 and ::1
      • Hostnames: localhost and *.localhost
    • Adapted from Chromium’s IsLocalhost, IsLoopback and HostNoBracketsPiece, located at:

  2. cookieJar.ts Update

  • Replaced the old check which only accounts for https and wss schemes:
const secure =
  context.protocol &&
  (context.protocol == 'https:' || context.protocol == 'wss:')
  • with the new isPotentiallyTrustworthy function which accounts for secure schemes, localhost addresses and loopback addresses.

No existing functionality is removed. Where the old check would return true, so does the new check. The only added functionality is treating localhost addresses and loopback addresses as secure contexts which was previously not present.

All modern browsers (Chrome et. al) support secure cookies on localhost so it only makes sense tough-cookie supports this too.

@Chriss4123 Chriss4123 mentioned this pull request Feb 16, 2025
Open
@colincasey
Copy link
Contributor

@Chriss4123 thanks for this pull request! I try to review it by the end of the week.

@colincasey colincasey self-assigned this Feb 18, 2025
colincasey
colincasey requested changes Feb 20, 2025
View reviewed changes
@Chriss4123
Copy link
Author

@colincasey I've completed all the requested changes and also added a comment linking a potentially trustworthy origin and the notion of a "secure" connection in draft-ietf-httpbis-rfc6265bis-19.

I'm ready for you to re-review the PR.

@Chriss4123
Copy link
Author

Will look at the integration tests later and find what is causing these issues. Will let you know once all is good.

@colincasey
Copy link
Contributor

Thanks @Chriss4123, I'll hold off on approval until it's clearer why jsdom tests would fail with this code included.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@colincasey colincasey colincasey requested changes

@awaterma awaterma Awaiting requested review from awaterma awaterma is a code owner

@wjhsf wjhsf Awaiting requested review from wjhsf wjhsf is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

@colincasey colincasey

Labels
cla:signed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Secure; Flag should be ignored when sending to 'localhost'
3 participants
@Chriss4123 @colincasey @awaterma