net/http: do not send leading dot in cookie domain attribute
authorVolker Dobler <dr.volker.dobler@gmail.com>
Mon, 26 Aug 2013 12:41:37 +0000 (07:41 -0500)
committerBrad Fitzpatrick <bradfitz@golang.org>
Mon, 26 Aug 2013 12:41:37 +0000 (07:41 -0500)
RFC 6265 allows a leading dot in a cookie domain attribute
but is clear (see section 4.1.1) that a Set-Cookie header
should be sent without these dots.

R=bradfitz
CC=golang-dev
https://golang.org/cl/13111043

src/pkg/net/http/cookie.go
src/pkg/net/http/cookie_test.go

index 2074c149c268e42f15ba70541c21e0071f68849c..8b01c508eb1e305d398e3db710bd1738632d8278 100644 (file)
@@ -149,8 +149,13 @@ func (c *Cookie) String() string {
                if validCookieDomain(c.Domain) {
                        // A c.Domain containing illegal characters is not
                        // sanitized but simply dropped which turns the cookie
-                       // into a host-only cookie.
-                       fmt.Fprintf(&b, "; Domain=%s", c.Domain)
+                       // into a host-only cookie. A leading dot is okay
+                       // but won't be sent.
+                       d := c.Domain
+                       if d[0] == '.' {
+                               d = d[1:]
+                       }
+                       fmt.Fprintf(&b, "; Domain=%s", d)
                } else {
                        log.Printf("net/http: invalid Cookie.Domain %q; dropping domain attribute",
                                c.Domain)
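Review bot: The new `d[0]` index assumes c.Domain is non-empty, and nothing inside this hunk establishes that. The guarantee presumably comes from validCookieDomain or from a length check above the hunk; Cookie.String starts and ends outside it. Either make the guard local with `if len(d) > 0 && d[0] == '.' {`, or name the source of the guarantee in the comment. The comment should also state the scope consequence, for example `// The leading dot is stripped on output; the cookie is still a domain cookie and is sent to subdomains. Leave Domain empty for a host-only cookie.`, so callers do not read the dot-less form as a narrower scope.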
index 7a4827cb6b4792b0d34a7e79fc8d51821fe4ea5b..11b01cc5713de70f06e3c0e676c630e5833cb819 100644 (file)
@@ -26,7 +26,7 @@ var writeSetCookiesTests = []struct {
        },
        {
                &Cookie{Name: "cookie-3", Value: "three", Domain: ".example.com"},
-               "cookie-3=three; Domain=.example.com",
+               "cookie-3=three; Domain=example.com",
        },
        {
                &Cookie{Name: "cookie-4", Value: "four", Path: "/restricted/"},
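Review bot: The updated cookie-3 expectation covers only a single leading dot followed by a valid name; the part of the table visible here has no entry for a Domain that is just a dot or that starts with two dots. Such entries would pin that the stripping path in Cookie.String never emits an empty or still-dotted `Domain=` attribute. I would add `&Cookie{Name: "cookie-dot", Value: "x", Domain: "."}` and a `Domain: "..example.com"` variant, with the expected strings following whatever validCookieDomain decides for them. The table begins and continues outside the hunk, so these cases may already exist further down.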