I was writing a PHP class for dealing with/parsing the Cookie and Set-Cookie HTTP headers to use it in my custom user-agents (crawlers, scrapers, bots, ..etc), and while testing it I found that it behaves different than Firefox in the way they process the Path attribute in the Set-Cookie header. I returned back to RFC 6265 and I was right
###How to reproduce? In any PHP file set this line and request it
<?php
header("set-cookie: foo=1; path=/bar/", true);
exit;
Now request /bar with Firefox, you will see that Firefox is sending the cookie, while it should only send to /bar/ or longer path according to the specifications !!
###What are the specifications ?
I will quote the related part from RFC 6265 5.1.4 Paths and Path-Match
A request-path path-matches a given cookie-path if at least one of the following conditions holds:
o The cookie-path and the request-path are identical.
o The cookie-path is a prefix of the request-path, and the last character of the cookie-path is %x2F ("/").
o The cookie-path is a prefix of the request-path, and the first character of the request-path that is not included in the cookie- path is a %x2F ("/") character.
In this case the request-path /bar and the cookie-path /bar/ do not path-match
###What about Google Chrome ?
Google Chrome does NOT send the cookie to /bar 👍
Who is right ? Chrome ? or Firefox ?
###Extra Details:
I tested on Firefox 66.0.4 on Linux and Chrome Version 76.0.3809.132 Linux
This is the related function I use in my class
public static function isPathMatch(string $requestPath, string $cookiePath)
{
if ($requestPath === $cookiePath) return true;
if (strpos($requestPath, $cookiePath) !== 0) return false;
if (substr($cookiePath, strlen($cookiePath) - 1, 1) === "/") return true;
if (substr($requestPath, strlen($cookiePath), 1) === "/") return true;
return false;
}
This is the second issue I find for Firefox, however it still my favorite browser :)
Thanks for @fendall on the comment about the RFC, I tracked the RFCs that are related to this issue
The MDN Set-Cookie Documentation used the specifications of both RFC 6265 and draft-ietf-httpbis-rfc6265bis-02 and both specifications are almost the same in the "Paths and Path-Match" section. (the part I quoted in the question)
I reported a bug to Bugzilla https://bugzilla.mozilla.org/show_bug.cgi?id=1579552
Yes, Chrome was right, as commented by ehsan akhgari in the bug report
Yes, our path matching algorithm is completely different than the spec. Comparing to Chrome's they seeming to be following the spec pretty closely.
... and they changed the source code of Firefox and fix it https://phabricator.services.mozilla.com/D45427