Add "strict mode"

[tcmal]

As mentioned here, enforcing RFC requirements for cookies has some downsides for interoperability - in my case, Blackboard Learn's BBRouter cookie is sometimes sent without quotes when it should have them.

This PR adds a "strict mode" option (on by default). Behaviour is the same when strict mode is on, but when it is off non-RFC compliant cookies are accepted so long as they can be parsed.

[tcmal]

bump @algesten

[jsha]

Hi and thanks for the submission! I don't think we should merge this. Two reasons: there's not enough evidence that this is a widespread compatibility problem; and it's important to carefully avoid a proliferation of options, because it makes API design more complicated and it makes the software harder to thoroughly test.

[tcmal]

hm fair enough. like i mentioned, the reason i need it is because blackboard learn (a mature but sorta niche bit of software) sends a bad cookie, and since i can't change that i need this in order to use this library.
i think its also worth noting that browsers don't bother doing this validation and just take anything they can parse, which makes it hard to find sites that are breaking it.

i assume adding a feature gate wouldn't help with the api surface you're worried about, i'll let you decide whether to close this or not.

[jsha]

One way you could probably work around would be to turn off the cookies Cargo feature and parse cookies from the responses yourself. Would that solve your issue?

[tcmal]

Probably possible, I'll take a look. Thank you.

[joshuataylor]

Yeah, I also stumbled across this with a website that sets cookie values as an encoded value, and it was randomly failing - but thanks to ureqs great logging it was easy to figure out why.

They wrap the value with " if it ends with = it seems.

set-cookie: foo="xxx--=="; Version=1; Path=/; Secure; HttpOnly; Max-Age=86400; Expires=Thu, 15-Feb-2024 12:12:12 GMT

I can't figure out if this is valid from reading the RFC, as the cookie crate does the validation.

edit: I was thinking I could use middleware to fix the cookie to the expected value, but I believe that is just on the Request, and not the response?

The annoying thing about these endpoints is they have multiple redirects, I can write code for it but was hoping not to, as ureq has really reduced boilerplate.

edit: You can use middleware on responses by calling next.handle(req)?;, but the middleware is done after the cookies are processed.

[algesten]

Closing since we are moving to 3.x. This is an interesting topic though.

[joshuataylor]

Might be worth converting to a discussion, the nice thing is I haven't faced this same problem since that website (it was Snowflakes API authentication flow, FWIW), and ureq has served me well with many other websites. 😍