Add support for sending secure cookies over localhost (#1327)

* Add support for sending secure cookies over localhost * Refactor * Fix the CI Co-authored-by: Jakub Roztocil <jakub@roztocil.co>
2025-08-10 22:42:05 +02:00 · 2022-04-14 17:42:05 +03:00
parent e6d0bfec7c
commit 86f4bf4d0a
9 changed files with 147 additions and 15 deletions
--- a/httpie/compat.py
+++ b/httpie/compat.py
@@ -1,6 +1,15 @@
 import sys
 from typing import Any, Optional, Iterable

+from httpie.cookies import HTTPieCookiePolicy
+from http import cookiejar # noqa
+
+
+# Request does not carry the original policy attached to the
+# cookie jar, so until it is resolved we change the global cookie
+# policy. <https://github.com/psf/requests/issues/5449>
+cookiejar.DefaultCookiePolicy = HTTPieCookiePolicy
+

 is_windows = 'win32' in str(sys.platform).lower()

--- a/httpie/cookies.py
+++ b/httpie/cookies.py
@@ -0,0 +1,25 @@
+from http import cookiejar
+
+
+_LOCALHOST = 'localhost'
+_LOCALHOST_SUFFIX = '.localhost'
+
+
+class HTTPieCookiePolicy(cookiejar.DefaultCookiePolicy):
+    def return_ok_secure(self, cookie, request):
+        """Check whether the given cookie is sent to a secure host."""
+
+        is_secure_protocol = super().return_ok_secure(cookie, request)
+        if is_secure_protocol:
+            return True
+
+        # The original implementation of this method only takes secure protocols
+        # (e.g., https) into account, but the latest developments in modern browsers
+        # (chrome, firefox) assume 'localhost' is also a secure location. So we
+        # override it with our own strategy.
+        return self._is_local_host(cookiejar.request_host(request))
+
+    def _is_local_host(self, hostname):
+        # Implements the static localhost detection algorithm in firefox.
+        # <https://searchfox.org/mozilla-central/rev/d4d7611ee4dd0003b492b865bc5988a4e6afc985/netwerk/dns/DNS.cpp#205-218>
+        return hostname == _LOCALHOST or hostname.endswith(_LOCALHOST_SUFFIX)
--- a/httpie/sessions.py
+++ b/httpie/sessions.py
@@ -14,6 +14,7 @@ from requests.auth import AuthBase
 from requests.cookies import RequestsCookieJar, remove_cookie_by_name

 from .context import Environment, Levels
+from .cookies import HTTPieCookiePolicy
 from .cli.dicts import HTTPHeadersDict
 from .config import BaseConfigDict, DEFAULT_CONFIG_DIR
 from .utils import url_as_host
@@ -146,7 +147,10 @@ class Session(BaseConfigDict):
        # Runtime state of the Session objects.
        self.env = env
        self._headers = HTTPHeadersDict()
-        self.cookie_jar = RequestsCookieJar()
+        self.cookie_jar = RequestsCookieJar(
+            # See also a temporary workaround for a Requests bug in `compat.py`.
+            policy=HTTPieCookiePolicy(),
+        )
        self.session_id = session_id
        self.bound_host = bound_host
        self.suppress_legacy_warnings = suppress_legacy_warnings