How is the missing path attribute of a cookie computed or handled in a Single Page Application?
If the server omits the Path attribute, the user agent will use the "directory" of the request-uri's path component as the default value.
Though it talks about the Set-Cookie thing, it also applies to the document.cookie API. To verify this, one can open new tab on Chrome and type "https://github.com/pulls/review-requested". Once the webpage finished loading, open the dev console, type the following code and enter:
document.cookie = "mycookie=114514"
The application tab in dev console shows that the cookie is created with the path "/pulls", which is exactly what is mentioned in RFC6265. But it seems to be a little complicated if SPA is involved (though github is indeed written in react). Let's follow the steps:
- Open a new tab to github.com. You'd better delete the cookie above.
- In order to change url to "https://github.com/pulls/review-requested" without reloading, click the pull request button on the top-right, and then click the button with text "Review requests".
- Type
document.cookie = "mycookie=114514"in dev console and check the value in the application tab.
At this time, the cookie is created with the root path "/", even if Chrome's address bar is filled with https://github.com/pulls/review-requested .
That seems to differ from RFC6265. I have tried it on Firefox, which behaves the same as Chrome. I can't figure out the following questions:
- How is the missing path attribute of a cookie is computed or handled via the
document.cookieAPI? - Are there any articles that document the way path of cookie is computed?
Strictly speaking, it is working within the limits of the specifications. As you noted, the browser will set the path to the request-uri's path component. As the browser did not make the SPA request, the request uri's path component is still '/'.
This has security benefits, for instance, this logic would make it so a XSS attack could not use the History API to change the path and bypass cookie path restrictions. This should be an important precaution for larger websites.
- Keep numbers which appear in both columns, in J lang
- Differentiation in J
- How to reshape an array with an arbitrary size in one dimension?
- Why is Insert (fold) right associative
- Write 4 : 'x&{.&.;: y' tacitly
- Alignment issue when printing formatted prime numbers in J language
- How can I define a verb in J that applies a different verb alternately to each atom in a list?
- How to get user input in the J programming language
- How to unbox a list of boxed lists of differing lengths in J?
- How can I fix 'noun result was required' error in J?
- In j, how can I define a verb locally in one scope and pass it to a defined adverb?
- Convert boxed array to normal array?
- Read column of CSV file as array
- Replace atom in array of strings
- What does the dyad `=` do to boxed strings?
- Index of minimum element using J
- How can I take the outer product of string vectors in J?
- Building an array of verbs in J
- Reading in multidigit command line parameter
- Amend with bond to new data shows unexpected behaviour
- How to turn a table or matrix into a (flat) list in J
- How to run dissect in J?
- How to define selection using index function in J
- How to exit the J console?
- Find 4-neighbors using J
- Writing custom verbs in J
- How do I negate a selector in J lang?
- How to use arbitrary selector in interchange in J lang?
- different result once square root is added inside tacit
- Sum of arrays with repeated indices