From: Alain Schneble
Subject: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
Date: Fri, 21 Oct 2016 18:35:11 +0200
Message-ID: <8637jp64ow.fsf@realize.ch>

Processing an HTTP response with a Set-Cookie header and HttpOnly attribute creates a phantom cookie with the name HttpOnly. url-cookie.el (url-cookie-handle-set-cookie) handles the additional HttpOnly attribute as the name of an additional cookie, thus interpreting the Set-Cookie header value as if it contained multiple cookies. This is wrong. See also RFC6265 HTTP State Management Mechanism, section 4.1.2.6: https://www.rfc-editor.org/rfc/rfc6265.txt.
Here's a recipe to reproduce this issue:

- emacs -Q
- Eval the following fragment:
  (let ((file (make-temp-file "CookieHttpOnly")))
    (with-temp-buffer
      (insert
       "(setq url-cookie-storage nil)\n"
       "(setq url-cookie-secure-storage nil)")
      (write-file file))
    (setq url-cookie-file file)
    (url-retrieve-synchronously "https://en.wikipedia.org/wiki/GNU_Guile")
    (url-cookie-write-file)
    (find-file file))
- The visited cookies file should now contain two cookie entries:
  ("en.wikipedia.org"
   [url-cookie "WMF-Last-Access" "21-Oct-2016" "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t]
   [url-cookie "HttpOnly" nil "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t])
  => The second cookie entry is not expected.

I would be happy to arrange a patch to solve this issue, but would like first to discuss which approach to choose:

1. Simply ignore any HttpOnly attribute/flag on a Set-Cookie header value.
2. Extend the url-cookie cl-defstruct to contain an additional slot HTTPONLY. Its value would be t if the HttpOnly attribute was detected in Set-Cookie's header value, nil otherwise.

I could live with both. What would you prefer?
Alain

In GNU Emacs 25.1.50.1 (x86_64-w64-mingw32) of 2016-09-27 built on MYNGB
Repository revision: bbf1ffd7c74bdf3ea766580788f7f4adb98a47f0
Windowing system distributor 'Microsoft Corp.', version 10.0.10586
Configured using: 'configure --prefix /c/usr/bin/emacs-25.1 --without-imagemagick'
Configured features: XPM JPEG TIFF GIF PNG RSVG SOUND NOTIFY ACL GNUTLS LIBXML2 ZLIB TOOLKIT_SCROLL_BARS
Important settings: value of $LANG: DES; locale-coding-system: cp1252
Major mode: Emacs-Lisp
Minor modes in effect: diff-auto-refine-mode: t shell-dirtrack-mode: t linum-mode: t paredit-mode: t winner-mode: t icomplete-mode: t show-paren-mode: t display-time-mode: t display-battery-mode: t tooltip-mode: t global-eldoc-mode: t electric-indent-mode: t mouse-wheel-mode: t file-name-shadow-mode: t global-font-lock-mode: t font-lock-mode: t blink-cursor-mode: t auto-composition-mode: t auto-encryption-mode: t auto-compression-mode: t column-number-mode: t line-number-mode: t transient-mark-mode: t
From: Alain Schneble
To: <24757@debbugs.gnu.org>
Subject: Re: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
References: <8637jp64ow.fsf@realize.ch>
Date: Sat, 22 Oct 2016 15:58:43 +0200
In-Reply-To: <8637jp64ow.fsf@realize.ch> (Alain Schneble's message of "Fri, 21 Oct 2016 18:35:11 +0200")
Message-ID: <86y41g4h9o.fsf@realize.ch>

Alain Schneble writes:

> I would be happy to arrange a patch to solve this issue, but would like
> first to discuss which approach to choose:
>
> 1. Simply ignore any HttpOnly attribute/flag on a Set-Cookie header
> value.

Following the first approach above, I propose to apply this patch:

Content-Disposition: inline; filename="0001-Eliminate-phantom-HttpOnly-cookie-Bug-24757-2.patch"

From cf934b9c5d214e0853feef2d8ba42582eb5af5be Mon Sep 17 00:00:00 2001
From: Alain Schneble
Date: Sat, 22 Oct 2016 15:43:11 +0200
Subject: [PATCH] Eliminate phantom HttpOnly cookie (Bug#24757)

* lisp/url/url-cookie.el (url-cookie-handle-set-cookie): Remove HttpOnly
attribute from the list of cookie name-value-pairs if it's present in a
Set-Cookie header value.
---
 lisp/url/url-cookie.el | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lisp/url/url-cookie.el b/lisp/url/url-cookie.el
index 6848230..e22bc40 100644
--- a/lisp/url/url-cookie.el +++ b/lisp/url/url-cookie.el @@ -245,6 +245,12 @@ url-cookie-handle-set-cookie (let* ((args (url-parse-args str t)) (case-fold-search t) (secure (and (assoc-string "secure" args t) t)) + ;; HttpOnly attribute was introduced in RFC6265. Treat it as + ;; a cookie name if it appears on the left hand side of a + ;; cookie name-value-pair (i.e. HttpCookie=). Only + ;; treat it as HttpOnly flag if it stands alone. + (httponly-attribute (assoc-string "httponly" args t)) + (httponly (and httponly-attribute (not (cdr httponly-attribute)))) (domain (or (cdr-safe (assoc-string "domain" args t)) (url-host url-current-object))) (current-url (url-view-url t)) 
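Review bot: the comment added above `httponly-attribute` says "HttpCookie=" where it means "HttpOnly=", and the rule it describes does not match RFC 6265: section 5.2.6 says any attribute whose name case-insensitively matches HttpOnly is the HttpOnly attribute and its value is discarded, so `HttpOnly=x` is still the flag and not a cookie name, which means `(httponly (and httponly-attribute (not (cdr httponly-attribute))))` lets a server that sends a value re-create the phantom cookie this patch is meant to remove. More broadly, section 4.1.1 permits exactly one cookie-pair per Set-Cookie header, so everything after the first `;` is an attribute; special-casing one name leaves every attribute missing from the `'("secure" "domain" "expires" "path")` filter in the next hunk (Max-Age, for instance) to become a phantom cookie in the same way. Suggest taking the cookie name and value from the first element of `args` only and recording `httponly` as a flag, instead of filtering the pair list by name.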
@@ -257,7 +263,9 @@ url-cookie-handle-set-cookie (rest nil)) (dolist (this args) (or (member (downcase (car this)) '("secure" "domain" "expires" "path")) - (setq rest (cons this rest)))) + ;; Accounts for the special case where HttpOnly is used as cookie name. + (and (equal (downcase (car this)) "httponly") httponly) + (setq rest (cons this rest)))) ;; Sometimes we get dates that the timezone package cannot handle very ;; gracefully - take care of this here, instead of in url-cookie-expired-p -- 2.9.1

Could you please consider committing it to the 25.1 branch?

Thanks,
Alain

Date: Sat, 22 Oct 2016 16:00:18 +0200
Message-ID: <86wph04h71.fsf@realize.ch>
From: Alain Schneble
Subject: control message for bug #24757

tags 24757 patch
From: Noam Postavsky
To: Alain Schneble, Katsumi Yamaoka
Cc: 24757@debbugs.gnu.org
Subject: Re: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
References: <8637jp64ow.fsf@realize.ch>
Date: Wed, 06 Dec 2017 06:46:00 -0500
In-Reply-To: <8637jp64ow.fsf@realize.ch> (Alain Schneble's message of "Fri, 21 Oct 2016 18:35:11 +0200")
Message-ID: <87vahkf5af.fsf@users.sourceforge.net>

Alain Schneble writes:

> Processing an HTTP response with a Set-Cookie header and HttpOnly
> attribute creates a phantom cookie with the name HttpOnly. url-cookie.el
> (url-cookie-handle-set-cookie) handles the additional HttpOnly attribute
> as the name of an additional cookie, thus interpreting the Set-Cookie header
> value as if it contained multiple cookies. This is wrong. See also
> RFC6265 HTTP State Management Mechanism, section 4.1.2.6:
> https://www.rfc-editor.org/rfc/rfc6265.txt.
>
> Here's a recipe to reproduce this issue:
>
> - emacs -Q
> - Eval the following fragment:
>   (let ((file (make-temp-file "CookieHttpOnly")))
>     (with-temp-buffer
>       (insert
>        "(setq url-cookie-storage nil)\n"
>        "(setq url-cookie-secure-storage nil)")
>       (write-file file))
>     (setq url-cookie-file file)
>     (url-retrieve-synchronously "https://en.wikipedia.org/wiki/GNU_Guile")
>     (url-cookie-write-file)
>     (find-file file))
> - The visited cookies file should now contain two cookie entries:
>   ("en.wikipedia.org"
>    [url-cookie "WMF-Last-Access" "21-Oct-2016" "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t]
>    [url-cookie "HttpOnly" nil "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t])
>   => The second cookie entry is not expected.

In emacs-26, as of [1: caa39f495c], the second cookie is not present, but it looks like it unconditionally drops the HttpOnly attribute (and all other attributes?). Is that the right thing?

[1: caa39f495c]: 2017-11-13 23:56:26 +0000
  Fix cookie handling (bug#29282)
  https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=caa39f495c0783dac2d5701100db83ea10f126c0

Date: Thu, 07 Dec 2017 07:47:26 +0900
From: Katsumi Yamaoka
To: Noam Postavsky
Cc: 24757@debbugs.gnu.org, Alain Schneble
Subject: Re: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
References: <8637jp64ow.fsf@realize.ch> <87vahkf5af.fsf@users.sourceforge.net>
Organization: Emacsen advocacy group

On Wed, 06 Dec 2017 06:46:00 -0500, Noam Postavsky wrote:
[...]
> In emacs-26, as of [1: caa39f495c], the second cookie is not present,
> but it looks like it unconditionally drops the HttpOnly attribute (and
> all other attributes?). Is that the right thing?

Yes, I believe so. Not only HttpOnly but also Expires, Max-Age, etc. are only attributes of the cookie whose name appeared at the beginning of the Set-Cookie header. Sending such ones to certain web sites would cause an error, as I mentioned below.
> [1: caa39f495c]: 2017-11-13 23:56:26 +0000
>   Fix cookie handling (bug#29282)
>   https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=caa39f495c0783dac2d5701100db83ea10f126c0
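The rule Katsumi states above, and the misparse Alain reported at the top of the thread, worked through as an added example written for this thread (not code from url-cookie.el or from the Emacs commit): a Python model of the Emacs 25.1 reading, of the proposed patch, and of RFC 6265 section 5.2 parsing, run over a Set-Cookie header constructed from the values in the report. All function and constant names are the example's own.

```python
"""Set-Cookie parsing three ways: the Emacs 25.1 reading that produced
the phantom HttpOnly cookie, the patch proposed in this thread, and
RFC 6265 section 5.2.  Stand-alone model, not code from url-cookie.el."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed from the stored cookie in the report (value, path, expiry,
# secure flag); Wikipedia's actual header at the time may have differed.
SAMPLE_SET_COOKIE = ("WMF-Last-Access=21-Oct-2016; Path=/; HttpOnly; secure; "
                     "Expires=Tue, 22 Nov 2016 12:00:00 GMT")

# Attribute names RFC 6265 defines (sections 5.2.1 to 5.2.6).
RFC_ATTRIBUTES = {"expires", "max-age", "domain", "path", "secure", "httponly"}

Pair = Tuple[str, Optional[str]]   # (name, value); value is None when no '='


@dataclass
class Cookie:
    name: str
    value: str
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes


def _split(text: str) -> List[Pair]:
    """Cut on ';' into (name, value) pairs, a bare token getting None.
    This mirrors the flat pair list url-parse-args hands to url-cookie.el."""
    pairs: List[Pair] = []
    for token in text.split(";"):
        name, eq, value = token.strip().partition("=")
        if name.strip():
            pairs.append((name.strip(), value.strip() if eq else None))
    return pairs


def naive_parse(header: str) -> List[Pair]:
    """Emacs 25.1 reading: every pair not on a fixed skip-list is stored as
    a cookie of its own, so a bare 'HttpOnly' becomes a cookie named HttpOnly."""
    skip = {"secure", "domain", "expires", "path"}
    return [p for p in _split(header) if p[0].lower() not in skip]


def patched_parse(header: str) -> List[Pair]:
    """The thread's proposed patch: also drop 'httponly', but only when it
    stands alone; 'HttpOnly=x' is still treated as a cookie name."""
    skip = {"secure", "domain", "expires", "path"}
    return [p for p in _split(header)
            if p[0].lower() not in skip
            and not (p[0].lower() == "httponly" and p[1] is None)]


def rfc6265_parse(header: str) -> Optional[Cookie]:
    """RFC 6265 section 5.2: the text before the first ';' is the only
    cookie-pair; everything after it is an attribute of that cookie, and
    attributes with unrecognised names are ignored, never stored."""
    first, _, rest = header.partition(";")
    name, eq, value = (part.strip() for part in first.partition("="))
    if not eq or not name:          # steps 2-4: no '=' or empty name -> ignore
        return None
    cookie = Cookie(name, value)
    for attr_name, attr_value in _split(rest):
        key = attr_name.lower()
        if key in ("secure", "httponly"):
            cookie.attributes[key] = ""      # 5.2.5/5.2.6: value is discarded
        elif key in RFC_ATTRIBUTES:
            cookie.attributes[key] = attr_value or ""
    return cookie


def cookie_request_header(pairs: List[Pair]) -> str:
    """The Cookie header a client would send back for the pairs it stored;
    a phantom attribute-cookie shows up as an extra pair such as 'HttpOnly='."""
    return "; ".join(f"{name}={value or ''}" for name, value in pairs)


def phantom_cookies(pairs: List[Pair]) -> List[str]:
    """Detection check: stored cookie names that are really RFC 6265 attributes."""
    return [name for name, _ in pairs if name.lower() in RFC_ATTRIBUTES]


if __name__ == "__main__":
    for label, parse in (("emacs-25.1", naive_parse), ("patch", patched_parse)):
        stored = parse(SAMPLE_SET_COOKIE)
        print(f"{label:10} stores {stored}")
        print(f"{'':10} sends  Cookie: {cookie_request_header(stored)}")
        print(f"{'':10} phantom cookies: {phantom_cookies(stored)}")
    print("rfc6265    stores", rfc6265_parse(SAMPLE_SET_COOKIE))
```

Running `patched_parse` on a header such as `id=abc; HttpOnly=yes; Max-Age=3600` still yields two phantom cookies, which is why only the RFC reading (one cookie-pair, then attributes) closes the whole class of the bug.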
From: Lars Ingebrigtsen
To: Alain Schneble
Cc: 24757@debbugs.gnu.org
Subject: Re: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
References: <8637jp64ow.fsf@realize.ch>
Date: Sun, 15 Apr 2018 21:47:35 +0200
In-Reply-To: <8637jp64ow.fsf@realize.ch> (Alain Schneble's message of "Fri, 21 Oct 2016 18:35:11 +0200")
Message-ID: <874lkc6ylk.fsf@mouse.gnus.org>

Alain Schneble writes:

> Processing an HTTP response with a Set-Cookie header and HttpOnly
> attribute creates a phantom cookie with the name HttpOnly. url-cookie.el
> (url-cookie-handle-set-cookie) handles the additional HttpOnly attribute
> as the name of an additional cookie, thus interpreting the Set-Cookie header
> value as if it contained multiple cookies. This is wrong. See also
> RFC6265 HTTP State Management Mechanism, section 4.1.2.6:
> https://www.rfc-editor.org/rfc/rfc6265.txt.
>
> Here's a recipe to reproduce this issue:
>
> - emacs -Q
> - Eval the following fragment:
>   (let ((file (make-temp-file "CookieHttpOnly")))
>     (with-temp-buffer
>       (insert
>        "(setq url-cookie-storage nil)\n"
>        "(setq url-cookie-secure-storage nil)")
>       (write-file file))
>     (setq url-cookie-file file)
>     (url-retrieve-synchronously "https://en.wikipedia.org/wiki/GNU_Guile")
>     (url-cookie-write-file)
>     (find-file file))
> - The visited cookies file should now contain two cookie entries:
>   ("en.wikipedia.org"
>    [url-cookie "WMF-Last-Access" "21-Oct-2016" "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t]
>    [url-cookie "HttpOnly" nil "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t])
>   => The second cookie entry is not expected.

I'm unable to reproduce this now, and I seem to vaguely remember this being fixed a while ago? Are you still seeing this, Alain?

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
From: Noam Postavsky
To: Lars Ingebrigtsen
Cc: 24757@debbugs.gnu.org, Alain Schneble
Subject: Re: bug#24757: 25.1.50; url-cookie.el creates phantom cookie for HttpOnly
References: <8637jp64ow.fsf@realize.ch> <874lkc6ylk.fsf@mouse.gnus.org>
Date: Mon, 30 Jul 2018 22:08:48 -0400
In-Reply-To: <874lkc6ylk.fsf@mouse.gnus.org> (Lars Ingebrigtsen's message of "Sun, 15 Apr 2018 21:47:35 +0200")
Message-ID: <87pnz417in.fsf@gmail.com>

fixed 24757 26.1
unarchive 29282
forcemerge 29282 24757
quit

Lars Ingebrigtsen writes:

> Alain Schneble writes:
>> - The visited cookies file should now contain two cookie entries:
>>   ("en.wikipedia.org"
>>    [url-cookie "WMF-Last-Access" "21-Oct-2016" "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t]
>>    [url-cookie "HttpOnly" nil "Tue, 22 Nov 2016 12:00:00 GMT" "/" "en.wikipedia.org" t])
>>   => The second cookie entry is not expected.
>
> I'm unable to reproduce this now, and I seem to vaguely remember this
> being fixed a while ago? Are you still seeing this, Alain?

As far as I can tell, this was fixed along with Bug#29282 in 26.1.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Tue, 28 Aug 2018 11:24:05 +0000

bug archived.