A Tale of a Trailing Dot (2022)

https://daniel.haxx.se/blog/2022/05/12/a-tale-of-a-trailing-dot/

31•dcminter•9mo ago

Comments

recursive•8mo ago

> The cookie spec RFC 6265 section 5.1.2 defines the host name in a way that makes it ignore trailing dots. Cookies set for a domain with a dot are valid for the same domain without one and vice versa.

Well... that's not what the browsers do. If you're logged in to HN, try it now. Add a dot to the host name. Cookie is gone. Remove the dot. It's back.

simoncion•8mo ago

That wouldn't be the first time web browsers do something that's contrary to spec (and sanity).

Also, I think the section that was intended to be referenced was section 5.1.3.

watersb•8mo ago

Another fun interaction of trailing dot in URLs and web browsers: password management.

This is layers far above the curl internals discussed in the article.

On some platforms, the built in web password management considers web passwords for URLs with or without a trailing dot as distinct situations. Same for the 1Password manager.

I can't think of problems this might cause.

As long as we're trying to break things, I presume it would be easy enough to use JavaScript to switch the current URL to the one with a different trailing dot situation than the current application flow. Like in the middle of a hand-off from one authorization screen to another.

I tend to consider multi-page web application issues as a much higher plane than something curl library internals. But essentially, the back-and-forth of web communication isn't so different.

bonki•8mo ago

I don't understand the HSTS part/situation. If trailing dot vs. non-trailing dot are to be treated as different identities because they could theoretically serve different vhosts, why is it (technically) not correct to ignore HSTS for one if only set by the other?

wolfgang42•8mo ago

I assume a big reason is cookies, which are specced to be shared across the two versions: an attacker could relatively trivially trigger a request to http://example.com. which would get example.com's cookies, but not the HSTS upgrade that would prevent them from being sent in plaintext.

bonki•8mo ago

That makes sense. What a stupid mess all of this is.

SectorC: A C Compiler in 512 bytes

Brookhaven Lab's RHIC concludes 25-year run with final collisions

The F Word

I write games in C (yes, C)

Software factories and the agentic moment

Speed up responses with fast mode

Hoot: Scheme on WebAssembly

Stories from 25 Years of Software Development

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

First Proof

The Waymo World Model

Al Lowe on model trains, funny deaths and working with Disney

Reinforcement Learning from Human Feedback

Vocal Guide – belt sing without killing yourself

Start all of your commands with a comma (2009)

We mourn our craft

Coding agents have replaced every framework I used

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

France's homegrown open source online office suite

72M Points of Interest

The AI boom is causing shortages everywhere else

Selection Rather Than Prediction

A Fresh Look at IBM 3270 Information Display System

Unseen Footage of Atari Battlezone Arcade Cabinet Production

History and Timeline of the Proco Rat Pedal (2021)

Where did all the starships go?

Show HN: Kappal – CLI to Run Docker Compose YML on Kubernetes for Local Dev

Learning from context is harder than we thought

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

Hackers (1995) Animated Experience