comparing cf54ed606bb8abb54da99f9a76c1d0cbea375e90 and main on anil.recoil.org/ocaml-cookeio

+40 -54

lib/core/cookeio.ml

···

       356
       356
        
         (* IP addresses bypass PSL check per RFC 6265 Section 5.1.3 *)

     

       357
       357
        
         match Ipaddr.of_string cookie_domain with

     

       358
       358
        
         | Ok _ -> Ok () (* IP addresses are not subject to PSL rules *)

     

       359
       359
       -
         | Error _ ->

     

       359
       359
       +
         | Error _ -> (

     

       360
       360
        
             let psl = Lazy.force psl in

     

       361
       361
       -
             (match Publicsuffix.is_public_suffix psl cookie_domain with

     

       362
       362
       -
             | Error _ ->

     

       363
       363
       -
                 (* If PSL lookup fails (e.g., invalid domain), allow the cookie.

     

       364
       364
       -
                    Domain name validation is handled separately. *)

     

       365
       365
       -
                 Ok ()

     

       366
       366
       -
             | Ok false ->

     

       367
       367
       -
                 (* Not a public suffix, allow the cookie *)

     

       361
       361
       +
             match Publicsuffix.is_public_suffix psl cookie_domain with

     

       362
       362
       +
             | Error _ | Ok false ->

     

       363
       363
       +
                 (* If PSL lookup fails (e.g., invalid domain) or not a public suffix,

     

       364
       364
       +
                    allow the cookie. Domain name validation is handled separately. *)

     

       368
       365
        
                 Ok ()

     

       369
       366
        
             | Ok true ->

     

       370
       367
        
                 (* It's a public suffix - only allow if request host matches exactly.

     
···

       500
       497
        
       

     

       501
       498
        
         (** Parse HTTP date by trying all supported formats in sequence *)

     

       502
       499
        
         let parse_http_date s =

     

       503
       503
       -
           match parse_fmt1 s with

     

       504
       504
       -
           | Some t -> Some t

     

       505
       505
       -
           | None -> (

     

       506
       506
       -
               match parse_fmt2 s with

     

       507
       507
       -
               | Some t -> Some t

     

       508
       508
       -
               | None -> (

     

       509
       509
       -
                   match parse_fmt3 s with Some t -> Some t | None -> parse_fmt4 s))

     

       500
       500
       +
           let ( <|> ) a b = match a with Some _ -> a | None -> b () in

     

       501
       501
       +
           parse_fmt1 s <|> fun () ->

     

       502
       502
       +
           parse_fmt2 s <|> fun () ->

     

       503
       503
       +
           parse_fmt3 s <|> fun () ->

     

       504
       504
       +
           parse_fmt4 s

     

       510
       505
        
       end

     

       511
       506
        
       

     

       512
       507
        
       (** {1 Cookie Parsing} *)

     
···

       605
       600
        
           @see <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis#section-5.4.7> RFC 6265bis Section 5.4.7 - SameSite

     

       606
       601
        
           @see <https://developer.chrome.com/docs/privacy-sandbox/chips/> CHIPS - Cookies Having Independent Partitioned State *)

     

       607
       602
        
       let validate_attributes attrs =

     

       608
       608
       -
         (* SameSite=None requires Secure flag *)

     

       609
       609
       -
         let samesite_valid =

     

       610
       610
       -
           match attrs.same_site with

     

       611
       611
       -
           | Some `None when not attrs.secure ->

     

       612
       612
       -
               Log.warn (fun m ->

     

       613
       613
       -
                   m

     

       614
       614
       -
                     "Cookie has SameSite=None but Secure flag is not set; this \

     

       615
       615
       -
                      violates RFC requirements");

     

       616
       616
       -
               false

     

       617
       617
       -
           | _ -> true

     

       618
       618
       -
         in

     

       619
       619
       -
         (* Partitioned requires Secure flag *)

     

       620
       620
       -
         let partitioned_valid =

     

       621
       621
       -
           if attrs.partitioned && not attrs.secure then (

     

       603
       603
       +
         match (attrs.same_site, attrs.secure, attrs.partitioned) with

     

       604
       604
       +
         | Some `None, false, _ ->

     

       605
       605
       +
             Log.warn (fun m ->

     

       606
       606
       +
                 m

     

       607
       607
       +
                   "Cookie has SameSite=None but Secure flag is not set; this \

     

       608
       608
       +
                    violates RFC requirements");

     

       609
       609
       +
             false

     

       610
       610
       +
         | _, false, true ->

     

       622
       611
        
             Log.warn (fun m ->

     

       623
       612
        
                 m

     

       624
       613
        
                   "Cookie has Partitioned attribute but Secure flag is not set; this \

     

       625
       614
        
                    violates CHIPS requirements");

     

       626
       626
       -
             false)

     

       627
       627
       -
           else true

     

       628
       628
       -
         in

     

       629
       629
       -
         samesite_valid && partitioned_valid

     

       615
       615
       +
             false

     

       616
       616
       +
         | _ -> true

     

       630
       617
        
       

     

       631
       618
        
       (** Build final cookie from name/value and accumulated attributes.

     

       632
       619
        
       

     
···

       896
       883
        
         Buffer.add_string buffer (Printf.sprintf "%s=%s" (name cookie) (value cookie));

     

       897
       884
        
       

     

       898
       885
        
         (* Add Max-Age if present *)

     

       899
       899
       -
         (match max_age cookie with

     

       900
       900
       -
         | Some span -> (

     

       901
       901
       -
             match Ptime.Span.to_int_s span with

     

       902
       902
       -
             | Some seconds ->

     

       903
       903
       -
                 Buffer.add_string buffer (Printf.sprintf "; Max-Age=%d" seconds)

     

       904
       904
       -
             | None -> ())

     

       905
       905
       -
         | None -> ());

     

       886
       886
       +
         Option.iter

     

       887
       887
       +
           (fun span ->

     

       888
       888
       +
             Option.iter

     

       889
       889
       +
               (fun seconds ->

     

       890
       890
       +
                 Buffer.add_string buffer (Printf.sprintf "; Max-Age=%d" seconds))

     

       891
       891
       +
               (Ptime.Span.to_int_s span))

     

       892
       892
       +
           (max_age cookie);

     

       906
       893
        
       

     

       907
       894
        
         (* Add Expires if present *)

     

       908
       908
       -
         (match expires cookie with

     

       909
       909
       -
         | Some `Session ->

     

       910
       910
       -
             (* Session cookies can be indicated with Expires=0 or a past date *)

     

       911
       911
       -
             Buffer.add_string buffer "; Expires=0"

     

       912
       912
       -
         | Some (`DateTime exp_time) ->

     

       913
       913
       -
             (* Format as HTTP date *)

     

       914
       914
       -
             let exp_str = Ptime.to_rfc3339 ~tz_offset_s:0 exp_time in

     

       915
       915
       -
             Buffer.add_string buffer (Printf.sprintf "; Expires=%s" exp_str)

     

       916
       916
       -
         | None -> ());

     

       895
       895
       +
         Option.iter

     

       896
       896
       +
           (function

     

       897
       897
       +
             | `Session -> Buffer.add_string buffer "; Expires=0"

     

       898
       898
       +
             | `DateTime exp_time ->

     

       899
       899
       +
                 let exp_str = Ptime.to_rfc3339 ~tz_offset_s:0 exp_time in

     

       900
       900
       +
                 Buffer.add_string buffer (Printf.sprintf "; Expires=%s" exp_str))

     

       901
       901
       +
           (expires cookie);

     

       917
       902
        
       

     

       918
       903
        
         (* Add Domain *)

     

       919
       904
        
         Buffer.add_string buffer (Printf.sprintf "; Domain=%s" (domain cookie));

     
···

       931
       916
        
         if partitioned cookie then Buffer.add_string buffer "; Partitioned";

     

       932
       917
        
       

     

       933
       918
        
         (* Add SameSite *)

     

       934
       934
       -
         (match same_site cookie with

     

       935
       935
       -
         | Some `Strict -> Buffer.add_string buffer "; SameSite=Strict"

     

       936
       936
       -
         | Some `Lax -> Buffer.add_string buffer "; SameSite=Lax"

     

       937
       937
       -
         | Some `None -> Buffer.add_string buffer "; SameSite=None"

     

       938
       938
       -
         | None -> ());

     

       919
       919
       +
         Option.iter

     

       920
       920
       +
           (function

     

       921
       921
       +
             | `Strict -> Buffer.add_string buffer "; SameSite=Strict"

     

       922
       922
       +
             | `Lax -> Buffer.add_string buffer "; SameSite=Lax"

     

       923
       923
       +
             | `None -> Buffer.add_string buffer "; SameSite=None")

     

       924
       924
       +
           (same_site cookie);

     

       939
       925
        
       

     

       940
       926
        
         Buffer.contents buffer

+79 -2

lib/core/cookeio.mli

···

       45
       45
        
           - IP addresses require exact match only

     

       46
       46
        
           - Path matching requires exact match or prefix with "/" separator

     

       47
       47
        
       

     

       48
       48
       -
           @see <https://datatracker.ietf.org/doc/html/rfc6265> RFC 6265 - HTTP State Management Mechanism *)

     

       48
       48
       +
           @see <https://datatracker.ietf.org/doc/html/rfc6265> RFC 6265 - HTTP State Management Mechanism

     

       49
       49
       +
       

     

       50
       50
       +
           {2 Standards and References}

     

       51
       51
       +
       

     

       52
       52
       +
           This library implements and references the following IETF specifications:

     

       53
       53
       +
       

     

       54
       54
       +
           {ul

     

       55
       55
       +
           {- {{:https://datatracker.ietf.org/doc/html/rfc6265}RFC 6265} -

     

       56
       56
       +
              HTTP State Management Mechanism (April 2011) - Primary specification}

     

       57
       57
       +
           {- {{:https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis}RFC 6265bis} -

     

       58
       58
       +
              Cookies: HTTP State Management Mechanism (Draft) - SameSite attribute and modern updates}

     

       59
       59
       +
           {- {{:https://datatracker.ietf.org/doc/html/rfc1034#section-3.5}RFC 1034 Section 3.5} -

     

       60
       60
       +
              Domain Names - Preferred Name Syntax for domain validation}

     

       61
       61
       +
           {- {{:https://datatracker.ietf.org/doc/html/rfc2616#section-2.2}RFC 2616 Section 2.2} -

     

       62
       62
       +
              HTTP/1.1 - Token syntax definition}

     

       63
       63
       +
           {- {{:https://datatracker.ietf.org/doc/html/rfc1123#section-5.2.14}RFC 1123 Section 5.2.14} -

     

       64
       64
       +
              Internet Host Requirements - Date format (rfc1123-date)}}

     

       65
       65
       +
       

     

       66
       66
       +
           Additional standards:

     

       67
       67
       +
           {ul

     

       68
       68
       +
           {- {{:https://publicsuffix.org/}Mozilla Public Suffix List} - Registry

     

       69
       69
       +
              of public suffixes for cookie domain validation per RFC 6265 Section 5.3 Step 5}} *)

     

       49
       70
        
       

     

       50
       71
        
       (** {1 Types} *)

     

       51
       72
        
       

     
···

       265
       286
        
       

     

       266
       287
        
           Validation functions for cookie names, values, and attributes per

     

       267
       288
        
           {{:https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1} RFC 6265 Section 4.1.1}.

     

       289
       289
       +
       

     

       290
       290
       +
           These functions implement the syntactic requirements from RFC 6265 to ensure

     

       291
       291
       +
           cookies conform to the specification before being sent in HTTP headers.

     

       292
       292
       +
           All validation failures return detailed error messages citing the specific

     

       293
       293
       +
           RFC requirement that was violated.

     

       294
       294
       +
       

     

       295
       295
       +
           {2 Validation Philosophy}

     

       296
       296
       +
       

     

       297
       297
       +
           Per RFC 6265 Section 4, there is an important distinction between:

     

       298
       298
       +
           - {b Server requirements} (Section 4.1): Strict syntax for generating Set-Cookie headers

     

       299
       299
       +
           - {b User agent requirements} (Section 5): Lenient parsing for receiving Set-Cookie headers

     

       300
       300
       +
       

     

       301
       301
       +
           These validation functions enforce the {b server requirements}, ensuring that

     

       302
       302
       +
           cookies generated by this library conform to RFC 6265 syntax. When parsing

     

       303
       303
       +
           cookies from HTTP headers, the library may be more lenient to maximize

     

       304
       304
       +
           interoperability with non-compliant servers.

     

       305
       305
       +
       

     

       306
       306
       +
           {2 Character Set Requirements}

     

       307
       307
       +
       

     

       308
       308
       +
           RFC 6265 restricts cookies to US-ASCII characters with specific exclusions:

     

       309
       309
       +
           - Cookie names: RFC 2616 tokens (no CTLs, no separators)

     

       310
       310
       +
           - Cookie values: cookie-octet characters (0x21, 0x23-0x2B, 0x2D-0x3A, 0x3C-0x5B, 0x5D-0x7E)

     

       311
       311
       +
           - Domain values: RFC 1034 domain name syntax or IP addresses

     

       312
       312
       +
           - Path values: Any character except CTLs and semicolon

     

       313
       313
       +
       

     

       268
       314
        
           These functions return [Ok value] on success or [Error msg] with a detailed

     

       269
       315
        
           explanation of why validation failed.

     

       270
       316
        
       

     
···

       277
       323
        
             Cookie names must be valid RFC 2616 tokens: one or more characters

     

       278
       324
        
             excluding control characters and separators.

     

       279
       325
        
       

     

       326
       326
       +
             Per {{:https://datatracker.ietf.org/doc/html/rfc2616#section-2.2}RFC 2616 Section 2.2},

     

       327
       327
       +
             a token is defined as: one or more characters excluding control characters

     

       328
       328
       +
             and the following 19 separator characters: parentheses, angle brackets, at-sign,

     

       329
       329
       +
             comma, semicolon, colon, backslash, double-quote, forward slash, square brackets,

     

       330
       330
       +
             question mark, equals, curly braces, space, and horizontal tab.

     

       331
       331
       +
       

     

       332
       332
       +
             This means tokens consist of visible ASCII characters (33-126) excluding

     

       333
       333
       +
             control characters (0-31, 127) and the separator characters listed above.

     

       334
       334
       +
       

     

       280
       335
        
             @param name The cookie name to validate

     

       281
       336
        
             @return [Ok name] if valid, [Error message] with explanation if invalid

     

       282
       337
        
       

     

       283
       283
       -
             @see <https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1> RFC 6265 Section 4.1.1 *)

     

       338
       338
       +
             @see <https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1> RFC 6265 Section 4.1.1

     

       339
       339
       +
             @see <https://datatracker.ietf.org/doc/html/rfc2616#section-2.2> RFC 2616 Section 2.2 - Basic Rules *)

     

       284
       340
        
       

     

       285
       341
        
         val cookie_value : string -> (string, string) result

     

       286
       342
        
         (** Validate a cookie value per RFC 6265.

     
···

       289
       345
        
             double quotes. Invalid characters include: control characters, space,

     

       290
       346
        
             double quote (except as wrapper), comma, semicolon, and backslash.

     

       291
       347
        
       

     

       348
       348
       +
             Per {{:https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1}RFC 6265 Section 4.1.1},

     

       349
       349
       +
             cookie-value may be:

     

       350
       350
       +
             - Zero or more cookie-octet characters, or

     

       351
       351
       +
             - Double-quoted string containing cookie-octet characters

     

       352
       352
       +
       

     

       353
       353
       +
             Where cookie-octet excludes: CTLs (0x00-0x1F, 0x7F), space (0x20),

     

       354
       354
       +
             double-quote (0x22), comma (0x2C), semicolon (0x3B), and backslash (0x5C).

     

       355
       355
       +
       

     

       356
       356
       +
             Valid cookie-octet characters: 0x21, 0x23-0x2B, 0x2D-0x3A, 0x3C-0x5B, 0x5D-0x7E

     

       357
       357
       +
       

     

       292
       358
        
             @param value The cookie value to validate

     

       293
       359
        
             @return [Ok value] if valid, [Error message] with explanation if invalid

     

       294
       360
        
       

     
···

       301
       367
        
             - A valid domain name per RFC 1034 Section 3.5

     

       302
       368
        
             - A valid IPv4 address

     

       303
       369
        
             - A valid IPv6 address

     

       370
       370
       +
       

     

       371
       371
       +
             Per {{:https://datatracker.ietf.org/doc/html/rfc1034#section-3.5}RFC 1034 Section 3.5},

     

       372
       372
       +
             preferred domain name syntax requires:

     

       373
       373
       +
             - Labels separated by dots

     

       374
       374
       +
             - Labels must start with a letter

     

       375
       375
       +
             - Labels must end with a letter or digit

     

       376
       376
       +
             - Labels may contain letters, digits, and hyphens

     

       377
       377
       +
             - Labels are case-insensitive

     

       378
       378
       +
             - Total length limited to 255 octets

     

       379
       379
       +
       

     

       380
       380
       +
             Leading dots are stripped per RFC 6265 Section 5.2.3 before validation.

     

       304
       381
        
       

     

       305
       382
        
             @param domain The domain value to validate (leading dot is stripped first)

     

       306
       383
        
             @return [Ok domain] if valid, [Error message] with explanation if invalid

+28 -59

lib/jar/cookeio_jar.ml

···

       43
       43
        
             String.sub domain 1 (String.length domain - 1)

     

       44
       44
        
         | _ -> domain

     

       45
       45
        
       

     

       46
       46
       +
       (** Remove duplicate cookies, keeping the last occurrence.

     

       47
       47
       +
       

     

       48
       48
       +
           Used to deduplicate combined cookie lists where delta cookies should

     

       49
       49
       +
           take precedence over original cookies. *)

     

       50
       50
       +
       let dedup_by_identity cookies =

     

       51
       51
       +
         let rec aux acc = function

     

       52
       52
       +
           | [] -> List.rev acc

     

       53
       53
       +
           | c :: rest ->

     

       54
       54
       +
               let has_duplicate =

     

       55
       55
       +
                 List.exists (fun c2 -> cookie_identity_matches c c2) rest

     

       56
       56
       +
               in

     

       57
       57
       +
               if has_duplicate then aux acc rest else aux (c :: acc) rest

     

       58
       58
       +
         in

     

       59
       59
       +
         aux [] cookies

     

       60
       60
       +
       

     

       46
       61
        
       (** Check if a string is an IP address (IPv4 or IPv6).

     

       47
       62
        
       

     

       48
       63
        
           Per RFC 6265 Section 5.1.3, domain matching should only apply to hostnames,

     

       49
       64
        
           not IP addresses. IP addresses require exact match only.

     

       50
       65
        
       

     

       51
       66
        
           @see <https://datatracker.ietf.org/doc/html/rfc6265#section-5.1.3> RFC 6265 Section 5.1.3 - Domain Matching *)

     

       52
       52
       -
       let is_ip_address domain =

     

       53
       53
       -
         match Ipaddr.of_string domain with

     

       54
       54
       -
         | Ok _ -> true

     

       55
       55
       -
         | Error _ -> false

     

       67
       67
       +
       let is_ip_address domain = Result.is_ok (Ipaddr.of_string domain)

     

       56
       68
        
       

     

       57
       69
        
       (** Check if a cookie domain matches a request domain.

     

       58
       70
        
       

     
···

       74
       86
        
           @see <https://datatracker.ietf.org/doc/html/rfc6265#section-5.1.3> RFC 6265 Section 5.1.3 - Domain Matching

     

       75
       87
        
           @see <https://datatracker.ietf.org/doc/html/rfc6265#section-5.3> RFC 6265 Section 5.3 - Storage Model (host-only-flag) *)

     

       76
       88
        
       let domain_matches ~host_only cookie_domain request_domain =

     

       77
       77
       -
         if is_ip_address request_domain then

     

       78
       78
       -
           (* IP addresses: exact match only per Section 5.1.3 *)

     

       79
       79
       -
           request_domain = cookie_domain

     

       80
       80
       -
         else

     

       81
       81
       -
           (* Hostnames: exact match or subdomain match (if not host_only) *)

     

       82
       82
       -
           request_domain = cookie_domain

     

       83
       83
       -
           || (not host_only

     

       84
       84
       -
               && String.ends_with ~suffix:("." ^ cookie_domain) request_domain)

     

       89
       89
       +
         request_domain = cookie_domain

     

       90
       90
       +
         || (not (is_ip_address request_domain || host_only)

     

       91
       91
       +
             && String.ends_with ~suffix:("." ^ cookie_domain) request_domain)

     

       85
       92
        
       

     

       86
       93
        
       (** Check if a cookie path matches a request path.

     

       87
       94
        
       

     
···

       347
       354
        
       

     

       348
       355
        
         (* Combine original and delta cookies, with delta taking precedence *)

     

       349
       356
        
         let all_cookies = jar.original_cookies @ jar.delta_cookies in

     

       350
       350
       -
       

     

       351
       351
       -
         (* Filter out duplicates, keeping the last occurrence (from delta) *)

     

       352
       352
       -
         let rec dedup acc = function

     

       353
       353
       -
           | [] -> List.rev acc

     

       354
       354
       -
           | c :: rest ->

     

       355
       355
       -
               (* Keep this cookie only if no later cookie has the same identity *)

     

       356
       356
       -
               let has_duplicate =

     

       357
       357
       -
                 List.exists (fun c2 -> cookie_identity_matches c c2) rest

     

       358
       358
       -
               in

     

       359
       359
       -
               if has_duplicate then dedup acc rest else dedup (c :: acc) rest

     

       360
       360
       -
         in

     

       361
       361
       -
         let unique_cookies = dedup [] all_cookies in

     

       357
       357
       +
         let unique_cookies = dedup_by_identity all_cookies in

     

       362
       358
        
       

     

       363
       359
        
         (* Filter for applicable cookies, excluding removal cookies and expired cookies *)

     

       364
       360
        
         let applicable =

     
···

       452
       448
        
       

     

       453
       449
        
       let count jar =

     

       454
       450
        
         Eio.Mutex.lock jar.mutex;

     

       455
       455
       -
         (* Combine and deduplicate cookies for count *)

     

       456
       451
        
         let all_cookies = jar.original_cookies @ jar.delta_cookies in

     

       457
       457
       -
         let rec dedup acc = function

     

       458
       458
       -
           | [] -> List.rev acc

     

       459
       459
       -
           | c :: rest ->

     

       460
       460
       -
               let has_duplicate =

     

       461
       461
       -
                 List.exists (fun c2 -> cookie_identity_matches c c2) rest

     

       462
       462
       -
               in

     

       463
       463
       -
               if has_duplicate then dedup acc rest else dedup (c :: acc) rest

     

       464
       464
       -
         in

     

       465
       465
       -
         let unique = dedup [] all_cookies in

     

       452
       452
       +
         let unique = dedup_by_identity all_cookies in

     

       466
       453
        
         let n = List.length unique in

     

       467
       454
        
         Eio.Mutex.unlock jar.mutex;

     

       468
       455
        
         n

     

       469
       456
        
       

     

       470
       457
        
       let get_all_cookies jar =

     

       471
       458
        
         Eio.Mutex.lock jar.mutex;

     

       472
       472
       -
         (* Combine and deduplicate, with delta taking precedence *)

     

       473
       459
        
         let all_cookies = jar.original_cookies @ jar.delta_cookies in

     

       474
       474
       -
         let rec dedup acc = function

     

       475
       475
       -
           | [] -> List.rev acc

     

       476
       476
       -
           | c :: rest ->

     

       477
       477
       -
               let has_duplicate =

     

       478
       478
       -
                 List.exists (fun c2 -> cookie_identity_matches c c2) rest

     

       479
       479
       -
               in

     

       480
       480
       -
               if has_duplicate then dedup acc rest else dedup (c :: acc) rest

     

       481
       481
       -
         in

     

       482
       482
       -
         let unique = dedup [] all_cookies in

     

       460
       460
       +
         let unique = dedup_by_identity all_cookies in

     

       483
       461
        
         Eio.Mutex.unlock jar.mutex;

     

       484
       462
        
         unique

     

       485
       463
        
       

     
···

       498
       476
        
       

     

       499
       477
        
         (* Combine and deduplicate cookies *)

     

       500
       478
        
         let all_cookies = jar.original_cookies @ jar.delta_cookies in

     

       501
       501
       -
         let rec dedup acc = function

     

       502
       502
       -
           | [] -> List.rev acc

     

       503
       503
       -
           | c :: rest ->

     

       504
       504
       -
               let has_duplicate =

     

       505
       505
       -
                 List.exists (fun c2 -> cookie_identity_matches c c2) rest

     

       506
       506
       -
               in

     

       507
       507
       -
               if has_duplicate then dedup acc rest else dedup (c :: acc) rest

     

       508
       508
       -
         in

     

       509
       509
       -
         let unique = dedup [] all_cookies in

     

       479
       479
       +
         let unique = dedup_by_identity all_cookies in

     

       510
       480
        
       

     

       511
       481
        
         List.iter

     

       512
       482
        
           (fun cookie ->

     
···

       552
       522
        
                     |> Option.value ~default:Ptime.epoch

     

       553
       523
        
                   in

     

       554
       524
        
                   let expires =

     

       555
       555
       -
                     let exp_int = try int_of_string expires with _ -> 0 in

     

       556
       556
       -
                     if exp_int = 0 then None

     

       557
       557
       -
                     else

     

       558
       558
       -
                       match Ptime.of_float_s (float_of_int exp_int) with

     

       559
       559
       -
                       | Some t -> Some (`DateTime t)

     

       560
       560
       -
                       | None -> None

     

       525
       525
       +
                     match int_of_string_opt expires with

     

       526
       526
       +
                     | Some exp_int when exp_int <> 0 ->

     

       527
       527
       +
                         Option.map (fun t -> `DateTime t)

     

       528
       528
       +
                           (Ptime.of_float_s (float_of_int exp_int))

     

       529
       529
       +
                     | _ -> None

     

       561
       530
        
                   in

     

       562
       531
        
                   (* Mozilla format: include_subdomains=TRUE means host_only=false *)

     

       563
       532
        
                   let host_only = include_subdomains <> "TRUE" in

+47 -5

lib/jar/cookeio_jar.mli

···

       18
       18
        
           - Delta tracking for Set-Cookie headers

     

       19
       19
        
           - Mozilla format persistence for cross-tool compatibility

     

       20
       20
        
       

     

       21
       21
       -
           @see <https://datatracker.ietf.org/doc/html/rfc6265> RFC 6265 - HTTP State Management Mechanism *)

     

       21
       21
       +
           @see <https://datatracker.ietf.org/doc/html/rfc6265> RFC 6265 - HTTP State Management Mechanism

     

       22
       22
       +
       

     

       23
       23
       +
           {2 Standards and References}

     

       24
       24
       +
       

     

       25
       25
       +
           This cookie jar implements the storage model from:

     

       26
       26
       +
       

     

       27
       27
       +
           {ul

     

       28
       28
       +
           {- {{:https://datatracker.ietf.org/doc/html/rfc6265#section-5.3}RFC 6265 Section 5.3} -

     

       29
       29
       +
              Storage Model - Cookie insertion, replacement, and expiration}

     

       30
       30
       +
           {- {{:https://datatracker.ietf.org/doc/html/rfc6265#section-5.4}RFC 6265 Section 5.4} -

     

       31
       31
       +
              The Cookie Header - Cookie retrieval and ordering}}

     

       32
       32
       +
       

     

       33
       33
       +
           Key RFC 6265 requirements implemented:

     

       34
       34
       +
           {ul

     

       35
       35
       +
           {- Domain matching per {{:https://datatracker.ietf.org/doc/html/rfc6265#section-5.1.3}Section 5.1.3}}

     

       36
       36
       +
           {- Path matching per {{:https://datatracker.ietf.org/doc/html/rfc6265#section-5.1.4}Section 5.1.4}}

     

       37
       37
       +
           {- Cookie ordering per {{:https://datatracker.ietf.org/doc/html/rfc6265#section-5.4}Section 5.4 Step 2}}

     

       38
       38
       +
           {- Creation time preservation per {{:https://datatracker.ietf.org/doc/html/rfc6265#section-5.3}Section 5.3 Step 11.3}}} *)

     

       22
       39
        
       

     

       23
       40
        
       type t

     

       24
       41
        
       (** Cookie jar for storing and managing cookies.

     
···

       101
       118
        
         Cookeio.t list

     

       102
       119
        
       (** Get cookies applicable for a URL.

     

       103
       120
        
       

     

       104
       104
       -
           Returns all cookies that match the given domain and path, and satisfy the

     

       105
       105
       -
           secure flag requirement. Combines original and delta cookies, with delta

     

       106
       106
       -
           taking precedence. Excludes:

     

       121
       121
       +
           Implements the cookie retrieval algorithm from

     

       122
       122
       +
           {{:https://datatracker.ietf.org/doc/html/rfc6265#section-5.4}RFC 6265 Section 5.4}

     

       123
       123
       +
           for generating the Cookie header.

     

       124
       124
       +
       

     

       125
       125
       +
           {3 Algorithm}

     

       126
       126
       +
       

     

       127
       127
       +
           Per RFC 6265 Section 5.4, the user agent should:

     

       128
       128
       +
           1. Filter cookies by domain matching (Section 5.1.3)

     

       129
       129
       +
           2. Filter cookies by path matching (Section 5.1.4)

     

       130
       130
       +
           3. Filter out cookies with Secure attribute when request is non-secure

     

       131
       131
       +
           4. Filter out expired cookies

     

       132
       132
       +
           5. Sort remaining cookies (longer paths first, then by creation time)

     

       133
       133
       +
           6. Update last-access-time for retrieved cookies

     

       134
       134
       +
       

     

       135
       135
       +
           This function implements all these steps, combining original and delta cookies

     

       136
       136
       +
           with delta taking precedence. Excludes:

     

       107
       137
        
           - Removal cookies (empty value)

     

       108
       138
        
           - Expired cookies (expiry-time in the past per Section 5.3)

     

       139
       139
       +
           - Secure cookies when [is_secure = false]

     

       140
       140
       +
       

     

       141
       141
       +
           {3 Cookie Ordering}

     

       109
       142
        
       

     

       110
       143
        
           Cookies are sorted per Section 5.4, Step 2:

     

       111
       144
        
           - Cookies with longer paths are listed before cookies with shorter paths

     

       112
       145
        
           - Among cookies with equal-length paths, cookies with earlier creation-times

     

       113
       146
        
             are listed first

     

       114
       147
        
       

     

       115
       115
       -
           Also updates the last access time of matching cookies using the provided clock.

     

       148
       148
       +
           This ordering ensures more specific cookies take precedence.

     

       149
       149
       +
       

     

       150
       150
       +
           {3 Matching Rules}

     

       116
       151
        
       

     

       117
       152
        
           Domain matching follows {{:https://datatracker.ietf.org/doc/html/rfc6265#section-5.1.3} Section 5.1.3}:

     

       118
       153
        
           - IP addresses require exact match only

     

       119
       154
        
           - Hostnames support subdomain matching unless host-only flag is set

     

       120
       155
        
       

     

       121
       156
        
           Path matching follows {{:https://datatracker.ietf.org/doc/html/rfc6265#section-5.1.4} Section 5.1.4}.

     

       157
       157
       +
       

     

       158
       158
       +
           @param t Cookie jar

     

       159
       159
       +
           @param clock Clock for updating last-access-time

     

       160
       160
       +
           @param domain Request domain

     

       161
       161
       +
           @param path Request path

     

       162
       162
       +
           @param is_secure Whether the request is over a secure channel (HTTPS)

     

       163
       163
       +
           @return List of matching cookies, sorted per RFC 6265

     

       122
       164
        
       

     

       123
       165
        
           @see <https://datatracker.ietf.org/doc/html/rfc6265#section-5.3> RFC 6265 Section 5.3 - Storage Model (expiry)

     

       124
       166
        
           @see <https://datatracker.ietf.org/doc/html/rfc6265#section-5.4> RFC 6265 Section 5.4 - The Cookie Header *)

Compare changes