
A Tale of a Trailing Dot (2022)

https://daniel.haxx.se/blog/2022/05/12/a-tale-of-a-trailing-dot/
31•dcminter•8mo ago

Comments

recursive•8mo ago
> The cookie spec RFC 6265 section 5.1.2 defines the host name in a way that makes it ignore trailing dots. Cookies set for a domain with a dot are valid for the same domain without one and vice versa.

Well... that's not what the browsers do. If you're logged in to HN, try it now. Add a dot to the host name. Cookie is gone. Remove the dot. It's back.

simoncion•8mo ago
That wouldn't be the first time web browsers do something that's contrary to spec (and sanity).

Also, I think the section that was intended to be referenced was section 5.1.3.

watersb•8mo ago
Another fun interaction of trailing dot in URLs and web browsers: password management.

This is layers far above the curl internals discussed in the article.

On some platforms, the built-in web password management considers web passwords for URLs with or without a trailing dot as distinct situations. Same for the 1Password manager.

I can't think of problems this might cause.

As long as we're trying to break things, I presume it would be easy enough to use JavaScript to switch the current URL to the one with a different trailing dot situation than the current application flow. Like in the middle of a hand-off from one authorization screen to another.

I tend to consider multi-page web application issues as a much higher plane than curl library internals. But essentially, the back-and-forth of web communication isn't so different.

bonki•8mo ago
I don't understand the HSTS part/situation. If trailing dot vs. non-trailing dot are to be treated as different identities because they could theoretically serve different vhosts, why is it (technically) not correct to ignore HSTS for one if only set by the other?

wolfgang42•8mo ago
I assume a big reason is cookies, which are specced to be shared across the two versions: an attacker could relatively trivially trigger a request to http://example.com. which would get example.com's cookies, but not the HSTS upgrade that would prevent them from being sent in plaintext.

bonki•8mo ago
That makes sense. What a stupid mess all of this is.
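
The HSTS and cookie interaction discussed in the last three comments, as an added example that is not part of the thread or of curl's code: a constructed toy client in which cookies match with or without the trailing dot, while the HSTS cache is keyed either by the exact host or by the dot-stripped host. The `Client` class, the `canon` helper and the cookie without a `Secure` attribute are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def canon(host):
    """Lowercase and drop one trailing dot so both spellings share a key."""
    host = host.lower()
    return host[:-1] if host.endswith(".") else host


class Client:
    """Constructed toy model of client state: cookie jar plus HSTS cache."""

    def __init__(self, normalise_hsts):
        self.normalise_hsts = normalise_hsts
        self.cookies = {}  # dot-insensitive host -> cookie
        self.hsts = set()  # hosts that sent Strict-Transport-Security

    def _hsts_key(self, host):
        return canon(host) if self.normalise_hsts else host.lower()

    def record_response(self, url, set_cookie=None, hsts=False):
        parts = urlsplit(url)
        if set_cookie:
            self.cookies[canon(parts.hostname)] = set_cookie
        # HSTS is only honoured when it arrives over HTTPS.
        if hsts and parts.scheme == "https":
            self.hsts.add(self._hsts_key(parts.hostname))

    def plan_request(self, url):
        """Return (scheme that will be used, cookie that will be attached)."""
        parts = urlsplit(url)
        scheme = parts.scheme
        if scheme == "http" and self._hsts_key(parts.hostname) in self.hsts:
            scheme = "https"
        return scheme, self.cookies.get(canon(parts.hostname))


def plaintext_cookie_exposed(normalise_hsts, first_url, later_url):
    """True if the cookie set at first_url is sent over http to later_url."""
    client = Client(normalise_hsts)
    # Assumption: the cookie lacks the Secure attribute.
    client.record_response(first_url, set_cookie="sid=constructed", hsts=True)
    scheme, cookie = client.plan_request(later_url)
    return scheme == "http" and cookie is not None


if __name__ == "__main__":
    for normalise in (False, True):
        exposed = plaintext_cookie_exposed(
            normalise, "https://example.com/", "http://example.com./")
        print(f"normalise_hsts={normalise}: plaintext cookie exposed={exposed}")
```

Keying the HSTS cache on the same dot-stripped name that cookie matching uses closes the gap in both directions, whichever spelling the HSTS header was first seen on.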