A Tale of a Trailing Dot (2022)

https://daniel.haxx.se/blog/2022/05/12/a-tale-of-a-trailing-dot/

31•dcminter•8mo ago

Comments

recursive•8mo ago

> The cookie spec RFC 6265 section 5.1.2 defines the host name in a way that makes it ignore trailing dots. Cookies set for a domain with a dot are valid for the same domain without one and vice versa.

Well... that's not what the browsers do. If you're logged in to HN, try it now. Add a dot to the host name. Cookie is gone. Remove the dot. It's back.

simoncion•8mo ago

That wouldn't be the first time web browsers do something that's contrary to spec (and sanity).

Also, I think the section that was intended to be referenced was section 5.1.3.

watersb•8mo ago

Another fun interaction of trailing dot in URLs and web browsers: password management.

This is layers far above the curl internals discussed in the article.

On some platforms, the built in web password management considers web passwords for URLs with or without a trailing dot as distinct situations. Same for the 1Password manager.

I can't think of problems this might cause.

As long as we're trying to break things, I presume it would be easy enough to use JavaScript to switch the current URL to the one with a different trailing dot situation than the current application flow. Like in the middle of a hand-off from one authorization screen to another.

I tend to consider multi-page web application issues as a much higher plane than something curl library internals. But essentially, the back-and-forth of web communication isn't so different.

bonki•8mo ago

I don't understand the HSTS part/situation. If trailing dot vs. non-trailing dot are to be treated as different identities because they could theoretically serve different vhosts, why is it (technically) not correct to ignore HSTS for one if only set by the other?

wolfgang42•8mo ago

I assume a big reason is cookies, which are specced to be shared across the two versions: an attacker could relatively trivially trigger a request to http://example.com. which would get example.com's cookies, but not the HSTS upgrade that would prevent them from being sent in plaintext.

bonki•8mo ago

That makes sense. What a stupid mess all of this is.

Xkcd: Game AIs

Windows 11 is finally killing off legacy printer drivers in 2026

From Offloading to Engagement (Study on Generative AI)

AI for People

Rome is studded with cannon balls (2022)

8-piece tablebase development on Lichess (op1 partial)

US to bankroll far-right think tanks in Europe against digital laws

Ask HN: Have AI companies replaced their own SaaS usage with agents?

pi-nes

Show HN: Crew – Multi-agent orchestration tool for AI-assisted development

New hire fixed a problem so fast, their boss left to become a yoga instructor

Four horsemen of the AI-pocalypse line up capex bigger than Israel's GDP

A free Dynamic QR Code generator (no expiring links)

nextTick but for React.js

Show HN: I Built an AI-Powered Pull Request Review Tool

Git-am applies commit message diffs

ClawEmail: 1min setup for OpenClaw agents with Gmail, Docs

UnAutomating the Economy: More Labor but at What Cost?

Show HN: Gettorr – Stream magnet links in the browser via WebRTC (no install)

Statin drugs safer than previously thought

Handy when you just want to distract yourself for a moment

More States Are Taking Aim at a Controversial Early Reading Method

AI will not save developer productivity

How I do and don't use agents

BTDUex Safe? The Back End Withdrawal Anomalies

Show HN: Compile-Time Vibe Coding

Show HN: Ensemble – macOS App to Manage Claude Code Skills, MCPs, and Claude.md

PR to support XMPP channels in OpenClaw

Twenty: A Modern Alternative to Salesforce

Raspberry Pi: More memory-driven price rises