
Browser folks/HTTP client folks I have a quandary: if a request is made to example.ORG, with a Host:example.COM header, should cookies for example.ORG or example.COM be sent? Or neither/both? /cc @yoavweiss@twitter.com

@dshafik Where are they about to end up? Probably example.com.

@dshafik The Host: header is used by the HTTP server to determine what gets served. If you GET / by asking “example.org” but say “Host: example.com” then the origin is example.com.

The UA is expected to use the vhost (Host header), not the DNS name used. The domainspec on the cookie itself must then be unspecified or exactly “example.com”. See en.m.wikipedia.org/wiki/HTTP_c for more.
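An added example, not from any poster in the thread: RFC 6265 domain matching applied to the question above. Whichever name the client decides to treat as the request host (the DNS name in the URL or the value of the Host header), the matching rule is the same and a cookie stored for the other name is never sent, so the quandary is only about which single name is chosen. The `request_host` parameter and the cookie jar are constructed for this illustration.

```python
# Added example, not code from the thread. Implements the domain-match rule
# of RFC 6265 section 5.1.3 and the domain part of the cookie-selection
# algorithm in section 5.4. The caller passes whichever name it treats as
# the request host; the rule itself does not care where that name came from.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # domain the cookie is scoped to, lowercase, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def _looks_like_ipv4(host: str) -> bool:
    # RFC 6265 refuses suffix matches against IP-address hosts.
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: exact match, or request host ends with '.' + domain
    and the request host is not an IP address."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    if not request_host.endswith("." + cookie_domain):
        return False
    return not _looks_like_ipv4(request_host)


def cookies_for(request_host: str, jar) -> list:
    """Return 'name=value' strings for cookies eligible for this host.
    Host-only cookies need an exact host match; domain cookies need a
    domain match (path and Secure handling omitted for brevity)."""
    chosen = []
    for c in jar:
        if c.host_only and request_host.lower() == c.domain:
            chosen.append(c)
        elif not c.host_only and domain_matches(request_host, c.domain):
            chosen.append(c)
    return [f"{c.name}={c.value}" for c in chosen]


# Constructed sample jar: one cookie per site named in the question.
JAR = [
    Cookie("org_session", "o1", "example.org", host_only=True),
    Cookie("com_session", "c1", "example.com", host_only=False),
    Cookie("com_sub", "c2", "www.example.com", host_only=True),
]
```

Whichever of the two names the client picks, `cookies_for` returns only that site's cookies; the example.org cookie never accompanies a request matched against example.com, and vice versa.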
