Firefox is not complying with RFC6265 regarding processing the path attribute of cookies

Question

I was writing a PHP class for dealing with/parsing the Cookie and Set-Cookie HTTP headers to use it in my custom user-agents (crawlers, scrapers, bots, ..etc), and while testing it I found that it behaves different than Firefox in the way they process the Path attribute in the Set-Cookie header. I returned back to RFC 6265 and I was right

How to reproduce?

In any PHP file set this line and request it

<?php
header("set-cookie: foo=1; path=/bar/", true);
exit;

Now request /bar with Firefox, you will see that Firefox is sending the cookie, while it should only send to /bar/ or longer path according to the specifications !!

What are the specifications ?

I will quote the related part from RFC 6265 5.1.4 Paths and Path-Match

A request-path path-matches a given cookie-path if at least one of the following conditions holds:

o The cookie-path and the request-path are identical.

o The cookie-path is a prefix of the request-path, and the last character of the cookie-path is %x2F ("/").

o The cookie-path is a prefix of the request-path, and the first character of the request-path that is not included in the cookie- path is a %x2F ("/") character.

In this case the request-path /bar and the cookie-path /bar/ do not path-match

What about Google Chrome ?

Google Chrome does NOT send the cookie to /bar

My Question

Who is right ? Chrome ? or Firefox ?

Extra Details:

I tested on Firefox 66.0.4 on Linux and Chrome Version 76.0.3809.132 Linux

This is the related function I use in my class

public static function isPathMatch(string $requestPath, string $cookiePath)
{
    if ($requestPath === $cookiePath) return true;
    if (strpos($requestPath, $cookiePath) !== 0) return false;
    if (substr($cookiePath, strlen($cookiePath) - 1, 1) === "/") return true;
    if (substr($requestPath, strlen($cookiePath), 1) === "/") return true;
    return false;
}

This is the second issue I find for Firefox, however it still my favorite browser :)

Thanks for @fendall on the comment about the RFC, I tracked the RFCs that are related to this issue

February 1997 RFC 2109 HISTORIC. Obsoleted by
October 2000 RFC 2965 HISTORIC. Obsoleted by
April 2011 RFC 6265 PROPOSED STANDARD, if approved will be Obsoleted by
August 2017 draft-ietf-httpbis-rfc6265bis-02 Internet-Draft

The MDN Set-Cookie Documentation used the specifications of both RFC 6265 and draft-ietf-httpbis-rfc6265bis-02 and both specifications are almost the same in the "Paths and Path-Match" section. (the part I quoted in the question)

I reported a bug to Bugzilla https://bugzilla.mozilla.org/show_bug.cgi?id=1579552

An RFC is not necessarily part of internet standards. By search on IETF, you'll see that this RFC you refer to is a proposed standard: https://www.rfc-editor.org/search/rfc_search_detail.php?rfc=6265&pubstatus%5B%5D=Any&pub_date_type=any — fendall, Sep 06 '19 at 19:35
@fendall Where would one go to look for what the current accepted internet standards are in this case? I found another RFC (https://www.ietf.org/rfc/rfc2109.txt) that states explicitly that the path: *"Defaults to the path of the request URL that generated the Set-Cookie response, up to, but not including, the right-most /."*, which would seem to indicate that Firefox is actually correct, not Chrome. — Mike, Sep 06 '19 at 19:39
@Mike No, this is the "default path", the user-agent should use it in case the cookie `Path` attribute is empty or not starts with `/` — Accountant م, Sep 06 '19 at 19:41
@fendall hmmm, thanks for this, so what is the current applied standard I should refer to if I want to create a user-agent ? — Accountant م, Sep 06 '19 at 19:43
@Accountantم@Mike I found a couple links that might help: (https://www.rfc-editor.org/retrieve/), (https://www.rfc-editor.org/standards#IS) — fendall, Sep 06 '19 at 19:46
@Accountantم If you think about it though, the **default** path explicitly excludes the right-most /, so if you set a cookie for the request URL `/bar/`, the cookie's path will default to `/bar` with no trailing slash, which **may** indicate one of two things; that when manually setting the cookie path to `/bar/` the browser should remove the trailing slash like it does in the default case, or that these URLs can be considered to be equal. — Mike, Sep 06 '19 at 19:52
@Mike *"the browser should remove the trailing slash like it does in the default case"*... yes I understand what you mean, but if the server set the `path` attribute in the cookie and it was starting with `/` the browser will use it as the cookie path instead of the default one, check in FF and chrome cookies store you will find many cookies paths end with `/` . But yeah as you said `/bar/` and `/bar` should be considered equal. — Accountant م, Sep 06 '19 at 20:06
@fendall thanks for the links, I tracked the RFCs as shown in the edit. — Accountant م, Sep 06 '19 at 21:31

Accountant م · Accepted Answer · 2019-09-11T11:10:48.187

2

Yes, Chrome was right, as commented by ehsan akhgari in the bug report

Yes, our path matching algorithm is completely different than the spec. Comparing to Chrome's they seeming to be following the spec pretty closely.

... and they changed the source code of Firefox and fix it https://phabricator.services.mozilla.com/D45427

edited Sep 11 '19 at 11:10

answered Sep 10 '19 at 18:50

Accountant م

4,969
2
30
49