fix: RFC 6265 domain matching in Chrome cookies capability#84
Merged
Conversation
The previous implementation built a `LIKE '%.${host}'` pattern, which
only matched cookie host_keys that end in the full request hostname.
Cookies set with an explicit parent Domain attribute (e.g.
`.reddit.com`) were missed when the request URL used a subdomain
(`https://www.reddit.com`), because `.reddit.com` does not end in
`.www.reddit.com`.
Replace with proper RFC 6265 §5.1.3 matching: enumerate all valid
host_key values for a given request host (self host-only, self with
leading dot, each parent domain with leading dot — stopping before bare
TLDs) and query with `IN (...)`.
Verified live against Chrome cookie DB:
- https://reddit.com → 10 cookies, reddit_session present
- https://www.reddit.com → 14 cookies, reddit_session present (includes
extra host-only cookies on www.reddit.com, correctly excluded from
the apex query)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Chrome cookie lookup used a `host_key LIKE '%.${host}'` suffix match, which missed parent-domain cookies whenever the request URL used a subdomain. Replaced with proper RFC 6265 §5.1.3 matching via enumerated `host_key IN (...)`.
Why it matters
Any connector querying cookies on a subdomain URL was silently returning incomplete cookie sets. Concrete repro with Reddit:
- `.reddit.com` is where `reddit_session`, `token_v2`, etc. actually live in Chrome's store
- `https://www.reddit.com` built pattern `%.www.reddit.com` → missed `.reddit.com` entirely → connector reported `AUTH_NOT_LOGGED_IN` even when the user was logged in
- `https://x.com` (already apex)
Change
- `getMatchingHostKeys(host)`: returns `[host, '.host', '.parent', '.grandparent', ...]`, stopping before bare TLDs. Handles leading dots, case-insensitivity, and empty / single-label inputs.
- `queryAllCookiesForDomain` → `queryAllCookiesForHost`: uses `host_key IN (?, ?, ...)` instead of a `LIKE` pattern.
Verification
- `pnpm --filter @spool/core test` — 147 passed, 1 skipped (integration requiring Chrome env var)
- `https://reddit.com` (10 cookies) and `https://www.reddit.com` (14 cookies) now return `reddit_session` correctly
Not in scope
Reddit connector is still pinned to `https://reddit.com` (apex) since that's what shipped in npm 0.1.0 and it works with both old and new capability. Future connectors can freely use subdomain URLs.
🤖 Generated with Claude Code
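As an added JavaScript example (not the project's code), the host_key enumeration the PR describes, placed beside the old `LIKE '%.host'` suffix match and run over constructed sample rows, so both the missed parent-domain cookies and the over-matched subdomain cookies are visible. `oldSuffixMatch`, `newInMatch`, `buildInQuery`, `SAMPLE_COOKIES` and the single-label behaviour are assumptions, not the project's names.

```javascript
// Candidate host_key values for a request host, per RFC 6265 §5.1.3 as the
// PR describes: the host itself (host-only cookie), the host with a leading
// dot, then each parent domain with a leading dot, stopping before the TLD.
function getMatchingHostKeys(host) {
  const h = String(host ?? '').trim().toLowerCase().replace(/^\.+/, '');
  if (h === '') return [];
  const labels = h.split('.');
  // Assumption: a single-label host ("localhost") matches host-only cookies only.
  if (labels.length < 2) return [h];
  const keys = [h, '.' + h];
  // a.b.example.com -> .b.example.com, .example.com (never the bare .com)
  for (let i = 1; i < labels.length - 1; i++) {
    keys.push('.' + labels.slice(i).join('.'));
  }
  return keys;
}

// Old lookup: LIKE '%.host' keeps only host_keys ending in ".<host>", so a
// subdomain request misses .reddit.com while an apex request over-matches.
function oldSuffixMatch(cookies, host) {
  return cookies.filter((c) => c.host_key.endsWith('.' + host));
}

// New lookup as a parameterised SQL fragment: one "?" per key, so the host
// string never reaches the query text itself.
function buildInQuery(host) {
  const keys = getMatchingHostKeys(host);
  if (keys.length === 0) return { sql: null, params: [] };
  const placeholders = keys.map(() => '?').join(', ');
  return {
    sql: `SELECT host_key, name FROM cookies WHERE host_key IN (${placeholders})`,
    params: keys,
  };
}

// The same IN (...) filter applied to an in-memory table.
function newInMatch(cookies, host) {
  const wanted = new Set(getMatchingHostKeys(host));
  return cookies.filter((c) => wanted.has(c.host_key));
}

// Constructed sample rows (names only; no real cookie values).
const SAMPLE_COOKIES = [
  { host_key: '.reddit.com', name: 'reddit_session' },
  { host_key: '.reddit.com', name: 'token_v2' },
  { host_key: 'www.reddit.com', name: 'www_host_only' },
  { host_key: 'old.reddit.com', name: 'old_host_only' },
];
```

Multi-label public suffixes such as `co.uk` are not special-cased, so `www.example.co.uk` also yields `.co.uk`; that key is harmless in a read-only lookup because browsers refuse to store cookies scoped to a public suffix.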