A Tale of a Trailing Dot (2022)

5 comments

·May 13, 2025

watersb

Another fun interaction of trailing dot in URLs and web browsers: password management.

This is layers far above the curl internals discussed in the article.

On some platforms, the built-in web password management considers web passwords for URLs with or without a trailing dot as distinct situations. Same for the 1Password manager.

I can't think of problems this might cause.

As long as we're trying to break things, I presume it would be easy enough to use JavaScript to switch the current URL to the one with a different trailing dot situation than the current application flow. Like in the middle of a hand-off from one authorization screen to another.

I tend to consider multi-page web application issues as a much higher plane than something like curl library internals. But essentially, the back-and-forth of web communication isn't so different.

recursive

> The cookie spec RFC 6265 section 5.1.2 defines the host name in a way that makes it ignore trailing dots. Cookies set for a domain with a dot are valid for the same domain without one and vice versa.

Well... that's not what the browsers do. If you're logged in to HN, try it now. Add a dot to the host name. Cookie is gone. Remove the dot. It's back.

simoncion

That wouldn't be the first time web browsers do something that's contrary to spec (and sanity).

Also, I think the section that was intended to be referenced was section 5.1.3.
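
The two behaviours discussed in this thread, as an added example that is not part of any comment or of the linked article: a cookie domain-match in the style of RFC 6265 section 5.1.3, run once with exact host comparison (modelling what recursive reports seeing) and once with a trailing dot stripped first (the reading quoted from the article). The host names, the `jar` and the `stripTrailingDot` switch are constructed for illustration.

```javascript
// Added example. All host names and cookies below are constructed samples.

// Lowercase a host name; optionally drop one trailing dot (the DNS root label).
function canonicalHost(host, stripTrailingDot) {
  let h = host.toLowerCase();
  if (stripTrailingDot && h.length > 1 && h.endsWith(".")) h = h.slice(0, -1);
  return h;
}

// Rough IP-literal check: suffix matching must not apply to IP addresses.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// RFC 6265 5.1.3 style match: the strings are identical, or cookieDomain is a
// suffix of the request host, preceded by ".", and the host is not an IP.
function domainMatches(requestHost, cookieDomain, stripTrailingDot) {
  const host = canonicalHost(requestHost, stripTrailingDot);
  const domain = canonicalHost(cookieDomain, stripTrailingDot);
  if (host === domain) return true;
  return host.endsWith("." + domain) && !isIpLiteral(host);
}

// Names of the cookies in `jar` that would accompany a request to requestUrl.
function cookiesFor(requestUrl, jar, stripTrailingDot) {
  // The WHATWG URL parser keeps the trailing dot in .hostname.
  const host = new URL(requestUrl).hostname;
  return jar
    .filter((c) => domainMatches(host, c.domain, stripTrailingDot))
    .map((c) => c.name);
}

// The same parser also gives the dotted and undotted names different origins,
// the key that per-site credential storage typically depends on.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

const jar = [
  { name: "session", domain: "news.example.com" },
  { name: "prefs", domain: "example.com" },
];

console.log(cookiesFor("https://news.example.com/", jar, false));
console.log(cookiesFor("https://news.example.com./", jar, false));
console.log(cookiesFor("https://news.example.com./", jar, true));
console.log(sameOrigin("https://news.example.com/", "https://news.example.com./"));
```
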
