# Calculate default
if(length($path)==0 or substr($path, 0, 1 ) ne "/"){
$path="/";
}
# Remove right / if present
if(length($path) >1){
my @parts=split "/", $path;
pop @parts;
$c->[COOKIE_PATH]=join "/", @parts;
}
else {
$c->[COOKIE_PATH]=$path;
}
}
Log::OK::TRACE and log_trace __PACKAGE__. " Step 11 OK";
#12
#If the cookie-attribute-list contains an attribute with an attribute-name
#of "Secure", set the cookie's secure-only-flag to true. Otherwise, set the
#cookie's secure-only-flag to false.
#13
#If the scheme component of the request-uri does not denote a "secure"
#protocol (as defined by the user agent), and the cookie's secure-only-flag
#is true, then abort these steps and ignore the cookie entirely.
next if $c->[COOKIE_SECURE] and ($scheme ne "https");
Log::OK::TRACE and log_trace __PACKAGE__. " Step 12, 13 OK";
#14
#If the cookie-attribute-list contains an attribute with an attribute-name
#of "HttpOnly", set the cookie's http-only-flag to true. Otherwise, set the
#cookie's http-only-flag to false.
#15
#If the cookie was received from a "non-HTTP" API and the cookie's
#http-only-flag is true, abort these steps and ignore the cookie entirely.
next if ($c->[COOKIE_HTTPONLY] and !($flags & FLAG_TYPE_HTTP));
Log::OK::TRACE and log_trace __PACKAGE__. " Step 14, 15 OK";
#16
#If the cookie's secure-only-flag is false, and the scheme component of
#request-uri does not denote a "secure" protocol, then abort these steps
#and ignore the cookie entirely if the cookie store contains one or more
#cookies that meet all of the following criteria:
#
#1
#Their name matches the name of the newly-created cookie.
#2
#Their secure-only-flag is true.
#3
#Their domain domain-matches the domain of the newly-created cookie, or vice-versa.
#4
#The path of the newly-created cookie path-matches the path of the existing cookie.
#
#Note: The path comparison is not symmetric, ensuring only that a
#newly-created, non-secure cookie does not overlay an existing secure
#cookie, providing some mitigation against cookie-fixing attacks. That is,
#given an existing secure cookie named 'a' with a path of '/login', a
#non-secure cookie named 'a' could be set for a path of '/' or '/foo', but
#not for a path of '/login' or '/login/en'.
my $part;
if(!$c->[COOKIE_SECURE] and $scheme ne "https"){
# get the second level domain to act as base to start search
$sld//=$_sld_cache{$c->[COOKIE_DOMAIN]}//=scalar reverse $_second_level_domain_sub->(scalar reverse $c->[COOKIE_DOMAIN]);
next unless defined $sld;
# IF partitions are enabled and the cookie is partitioned then lookup partition
# otherwise use normal cookies array
#
my @parts=(($partition_key and $c->[COOKIE_PARTITIONED])?$_partitions{$partition_key}//=[]: \@_cookies);
for my $part (@parts){
my $index=search_string_left $sld, $part;
$index=@$part if $index<@$part and (index($part->[$index][COOKIE_KEY], $sld)==0);
my $found;
local $_;
while(!$found and $index<@$part){
$_=$part->[$index];
#exit the inner loop if the SLD is not a prefix of the current cookie key
last if index $_->[COOKIE_KEY], $sld;
next SET_COOKIE_LOOP if $_->[COOKIE_SECURE]
and $_->[COOKIE_NAME] eq $c->[COOKIE_NAME] #name match
and (index($_->[COOKIE_DOMAIN], $sld)==0 or index($sld, $_->[COOKIE_DOMAIN])==0) # symmetric match
and _path_match $c->[COOKIE_PATH], $_; #path match
$index++;
}
}
}
Log::OK::TRACE and log_trace __PACKAGE__. " Step 16 OK";
#17
#If the cookie-attribute-list contains an attribute with an attribute-name
#of "SameSite", and an attribute-value of "Strict", "Lax", or "None", set
#the cookie's same-site-flag to the attribute-value of the last attribute
#in the cookie-attribute-list with an attribute-name of "SameSite".
#Otherwise, set the cookie's same-site-flag to "Default".
$c->[COOKIE_SAMESITE]//=SAME_SITE_DEFAULT;#"Default";#$_default_same_site;
Log::OK::TRACE and log_trace __PACKAGE__. " Step 17 OK";
#18
#If the cookie's same-site-flag is not "None":
#1
#If the cookie was received from a "non-HTTP" API, and the API was called
#from a navigable's active document whose "site for cookies" is not
#same-site with the top-level origin, then abort these steps and ignore
#the newly created cookie entirely.
#2
#If the cookie was received from a "same-site" request (as defined in