Why does setCookie resolve with an error when domain doesn't match the host?

[edjonesdev]

Hello! I've been debugging an issue that came up with one of our apps and have narrowed the issue down to tough-cookie's implementation of S5.3 step 6. The RFC states: If the canonicalized request-host does not domain-match the domain-attribute: Ignore the cookie entirely and abort these steps.. We have an endpoint we call that responds with cookies with a domain field that doesn't match our host URL and it's causing an error in our app. According to the wording of the RFC, shouldn't this cookie simply be ignored instead of throwing an error?

[colincasey]

Hi @edjonesdev, thanks for reporting this issue!

It does sounds like the cookie should be ignored instead of throwing an error. Would you mind providing some details related to your tough-cookie usage to make sure we're accurately reproducing this error? E.g.;

• What version of tough-cookie are you using?
• What domain field / host url values are you using that cause the issue?
• I'm assuming the error is thrown from setCookie since you noted "S5.3 step 6" of the RFC, is this correct?
  • If yes, can you check if you're using setCookie with the ignoreError option and report the value used if this option is passed.
  • If no, where is the error thrown from?
• Can you provide code that reproduces the error directly?

I'll have a deeper look at this issue once I have this information.