net/http: trim cookie names

The current implementation ignores cookies where the cookie name starts or ends with a space. For example, name =value is ignored. I have come across pages that send cookies in this weird format. I tested with the latest versions of Firefox, Safari and Chrome, all of which accept cookies in this format. To do this, I remove leading and trailing spaces from the cookie name after cutting at '='. Change-Id: I8fd0c37a2113b6ce75712dd43607d1ea55e86c68 GitHub-Last-Rev: 368f50fcb4 GitHub-Pull-Request: golang/go#52121 Reviewed-on: https://go-review.googlesource.com/c/go/+/397734 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Damien Neil <dneil@google.com>
2024-09-05 07:54:46 +00:00 · 2022-05-04 12:39:49 +00:00 · 2022-05-04 12:39:49 +00:00 · 2cf49a76b6
parent 57c1edcaec
commit 2cf49a76b6
2 changed files with 8 additions and 0 deletions
--- a/src/net/http/cookie.go
+++ b/src/net/http/cookie.go
@ -73,6 +73,7 @@ func readSetCookies(h Header) []*Cookie {
 		if !ok {
 			continue
 		}
+		name = textproto.TrimString(name)
 		if !isCookieNameValid(name) {
 			continue
 		}
@ -291,6 +292,7 @@ func readCookies(h Header, filter string) []*Cookie {
 				continue
 			}
 			name, val, _ := strings.Cut(part, "=")
+			name = textproto.TrimString(name)
 			if !isCookieNameValid(name) {
 				continue
 			}
--- a/src/net/http/cookie_test.go
+++ b/src/net/http/cookie_test.go
@ -352,6 +352,12 @@ var readSetCookiesTests = []struct {
 		Header{"Set-Cookie": {`special-8=","`}},
 		[]*Cookie{{Name: "special-8", Value: ",", Raw: `special-8=","`}},
 	},
+	// Make sure we can properly read back the Set-Cookie headers
+	// for names containing spaces:
+	{
+		Header{"Set-Cookie": {`special-9 =","`}},
+		[]*Cookie{{Name: "special-9", Value: ",", Raw: `special-9 =","`}},
+	},

 	// TODO(bradfitz): users have reported seeing this in the
 	// wild, but do browsers handle it? RFC 6265 just says "don't