Commit 17c423f added RFC6265 validation when building a new ResponseCookie, but the validation seems too "strict" for the domain attribute-value.
The RFC says (https://tools.ietf.org/html/rfc6265#section-5.2.3):
5.2.3. The Domain Attribute
[...]
If the first character of the attribute-value string is %x2E ("."):
Let cookie-domain be the attribute-value without the leading %x2E
(".") character.
Otherwise:
Let cookie-domain be the entire attribute-value.
And
4.1.2.3. The Domain Attribute
The Domain attribute specifies those hosts to which the cookie will
be sent. For example, if the value of the Domain attribute is
"example.com", the user agent will include the cookie in the Cookie
header when making HTTP requests to example.com, www.example.com, and
www.corp.example.com. (Note that a leading %x2E ("."), if present,
is ignored even though that character is not permitted, but a
trailing %x2E ("."), if present, will cause the user agent to ignore
the attribute.) If the server omits the Domain attribute, the user
agent will return the cookie only to the origin server.
The current implementation of the Rfc6265Utils validateDomain method throws an IllegalArgumentException if the domain attribute-value starts with a . (dot).
If I understand well, the expected behavior should ignore/remove the leading dot instead of throwing an exception. Am I right?
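
The two behaviours discussed above, side by side, as an added example that is not part of the original issue and is not Spring's Rfc6265Utils code. The class and method names are hypothetical, `strict` models only the leading-dot rejection described in the issue, and `normalize` follows the user-agent steps of RFC 6265 sections 5.2.3 and 4.1.2.3.

```java
import java.util.Locale;
import java.util.Optional;

/** Hypothetical helper for illustration; not part of Spring Framework. */
public final class CookieDomainExample {

    /** Strict check as described in the issue: a leading dot is rejected. */
    static String strict(String domain) {
        if (domain.startsWith(".")) {
            throw new IllegalArgumentException("leading '.' not allowed: " + domain);
        }
        return domain;
    }

    /**
     * Lenient handling modelled on RFC 6265 user-agent processing.
     * An empty Optional means "ignore the Domain attribute".
     */
    static Optional<String> normalize(String attributeValue) {
        if (attributeValue == null || attributeValue.isEmpty()) {
            return Optional.empty();           // 5.2.3: empty value, ignore the cookie-av
        }
        String cookieDomain = attributeValue.startsWith(".")
                ? attributeValue.substring(1)  // 5.2.3: drop the leading %x2E
                : attributeValue;
        // 4.1.2.3: a trailing dot makes the user agent ignore the attribute.
        // Treating a bare "." (empty after stripping) the same way is an assumption.
        if (cookieDomain.isEmpty() || cookieDomain.endsWith(".")) {
            return Optional.empty();
        }
        return Optional.of(cookieDomain.toLowerCase(Locale.ROOT)); // 5.2.3: lower case
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the issue.
        String[] samples = {"example.com", ".example.com", ".Example.COM", "example.com.", "."};
        for (String s : samples) {
            String strictResult;
            try {
                strictResult = strict(s);
            } catch (IllegalArgumentException ex) {
                strictResult = "rejected";
            }
            System.out.printf("%-14s strict=%-14s normalized=%s%n",
                    s, strictResult, normalize(s).orElse("<ignored>"));
        }
    }
}
```

Under RFC 6265 processing, ".example.com" and "example.com" yield the same cookie-domain, so stripping the leading dot on the server side does not change which hosts receive the cookie.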