python - 为什么 werkzeug 不允许将 localhost 用于 cookie 域？

Question

我正在使用 Flask，当我尝试使用 localhost 作为 cookie 域时，werkzeug 说:

ValueError: Setting 'domain' for a cookie on a server running localy (ex: localhost) is not supportted by complying browsers. You should have something like: '127.0.0.1 localhost dev.localhost' on your hosts file and then point your server to run on 'dev.localhost' and also set 'domain' for 'dev.localhost'

每个开发人员都必须在 hosts 文件中设置域才能使项目正常运行，这很糟糕。我不明白为什么 werkzeug 会阻止这种情况!

问题是:

• werkzeug 为什么要这样做？
• 如果可以使用 localhost 作为 cookie 域会怎样？
• 如何忽略此错误？

Answer 1

问题不在于 Werkzeug 阻止了基于域的 cookie 的设置 - 而问题在于大多数浏览器 不支持范围限于本地主机(或任何其他单一 -词域)。 Werkzeug 不会让你自己调试这个问题(为什么我的 session 没有得到尊重)，Werkzeug 会检测你何时使用这个设置并立即出错。

我找到的最接近原因的是 pseudo-spec :

domain=DOMAIN_NAME

When searching the cookie list for valid cookies, a comparison of the domain attributes of the cookie is made with the Internet domain name of the host from which the URL will be fetched. If there is a tail match, then the cookie will go through path matching to see if it should be sent. "Tail matching" means that domain attribute is matched against the tail of the fully qualified domain name of the host. A domain attribute of "acme.com" would match host names "anvil.acme.com" as well as "shipping.crate.acme.com".

Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". [emphasis mine] Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".

如果允许使用单名称域，黑客可以为 .com 设置 cookie，然后让浏览器将该 cookie 传输到最终用户的每个 .com 域访问过。

另请参阅:http://daniel.haxx.se/blog/2011/04/28/the-cookie-rfc-6265/