[Issue]: Parsing empty domain attributes in cookies
Hi Dillo devs, Thanks for a great browser :-). I'm having great fun using it for accessing smaller sites. However, I might have found a minor issue with the way it handles cookies. I'm not very familiar with browser, so the problem is most likely on the site I'm trying to access. I use this pretty popular search engine called kagi.com. They have a html mode, which I enjoy testing in browsers like Dillo. The problem is that their session cookie is saved with an empty domain like so: `Domain=;`. As far as I can understand from [1], it seems that this should result in Dillo (the user agent?) ignoring this key/value pair. However, Dillo will parse the domain as "", which will fail the domain/host verification later in the program. I have attached a git formatted patch to demonstrate the issue. After applying this change, the kagi.com page works like I would expect. Best regards, Julian Jørgensen [1]: https://www.rfc-editor.org/rfc/rfc6265#section-5.2.3
Hi Julian, On Mon, Apr 27, 2026 at 11:30:06PM +0200, Julian Jørgensen wrote:
Hi Dillo devs,
Thanks for a great browser :-). I'm having great fun using it for accessing smaller sites. However, I might have found a minor issue with the way it handles cookies. I'm not very familiar with browser, so the problem is most likely on the site I'm trying to access.
I use this pretty popular search engine called kagi.com. They have a html mode, which I enjoy testing in browsers like Dillo. The problem is that their session cookie is saved with an empty domain like so: `Domain=;`.
As far as I can understand from [1], it seems that this should result in Dillo (the user agent?) ignoring this key/value pair. However, Dillo will parse the domain as "", which will fail the domain/host verification later in the program.
I have attached a git formatted patch to demonstrate the issue. After applying this change, the kagi.com page works like I would expect.
Thanks for the patch, it seems to work as intended. I also think that ignoring the key/value is the right interpretation from: https://www.rfc-editor.org/rfc/rfc6265#section-5.2.3
If the attribute-value is empty, the behavior is undefined. However, the user agent SHOULD ignore the cookie-av entirely.
I will merge it after fixing the cookies unit test, so I can add extra cases for empty domains. Best, Rodrigo.
Hi Rodrigo, På Wed, 29 Apr 2026 21:52:40 +0200 Rodrigo Arias <rodarima@gmail.com> skrev:
Thanks for the patch, it seems to work as intended. I also think that ignoring the key/value is the right interpretation from:
https://www.rfc-editor.org/rfc/rfc6265#section-5.2.3
If the attribute-value is empty, the behavior is undefined. However, the user agent SHOULD ignore the cookie-av entirely.
I will merge it after fixing the cookies unit test, so I can add extra cases for empty domains.
I'm glad that my patch and report turned out to be usefull. I found the codebase pretty nice to navigate, so if you want to, I can give fixing the test a try. Best regards, Julian Jørgensen
Hi Julian, On Fri, May 01, 2026 at 08:01:45PM +0200, Julian Jørgensen wrote:
I'm glad that my patch and report turned out to be usefull. I found the codebase pretty nice to navigate, so if you want to, I can give fixing the test a try.
No worries, I already know what is causing the problem. It should not take me long to fix it :) Best, Rodrigo.
Hi Rodrigo, På Fri, 1 May 2026 21:33:40 +0200 Rodrigo Arias <rodarima@gmail.com> skrev:
On Fri, May 01, 2026 at 08:01:45PM +0200, Julian Jørgensen wrote:
I'm glad that my patch and report turned out to be usefull. I found the codebase pretty nice to navigate, so if you want to, I can give fixing the test a try.
No worries, I already know what is causing the problem. It should not take me long to fix it :)
Hmm, I think I misphased my email. What I was trying to say was: I had fun debugging and creating the patch, and would like to work a bit more on dillo :-). Maybe you need a hand with other issues? Best regards, Julian Jørgensen
Hi Julian, On Fri, May 01, 2026 at 10:16:49PM +0200, Julian Jørgensen wrote:
Hmm, I think I misphased my email. What I was trying to say was: I had fun debugging and creating the patch, and would like to work a bit more on dillo :-).
I'm glad :)
Maybe you need a hand with other issues?
Sure!, here are some issues that would need a bit of work, but I haven't had much time: Recently I saw that Wikipedia images were starting to fail with a 429 HTTP code, likely because they consider Dillo a bot. I reached out to them, but didn't got any reply. Perhaps there is something we could do in our side to avoid this problem. https://bug.dillo-browser.org/523/ Another one is to add a limit to the maximum memory we will accept in the decoder so we protect the user from compression bombs: https://bug.dillo-browser.org/422/ Another problem is that Dillo always caches the page, even if they come with a no cache header. It would be nice to add some support for this: https://bug.dillo-browser.org/293/ https://bug.dillo-browser.org/77/ There are also many areas of improvement in the rendering side as well, but I think it would be easier to work on the network/cache first. Keep in mind that we have a strict ban against AI/LLM generated code. Best, Rodrigo.
Hi Rodrigo, På Fri, 1 May 2026 23:04:07 +0200 Rodrigo Arias <rodarima@gmail.com> skrev:
Maybe you need a hand with other issues?
Sure!, here are some issues that would need a bit of work, but I haven't had much time:
Recently I saw that Wikipedia images were starting to fail with a 429 HTTP code, likely because they consider Dillo a bot. I reached out to them, but didn't got any reply. Perhaps there is something we could do in our side to avoid this problem.
https://bug.dillo-browser.org/523/
Another one is to add a limit to the maximum memory we will accept in the decoder so we protect the user from compression bombs:
https://bug.dillo-browser.org/422/
Another problem is that Dillo always caches the page, even if they come with a no cache header. It would be nice to add some support for this:
https://bug.dillo-browser.org/293/ https://bug.dillo-browser.org/77/
There are also many areas of improvement in the rendering side as well, but I think it would be easier to work on the network/cache first.
Thanks, I will look at the page no-caching issue/feature :-).
Keep in mind that we have a strict ban against AI/LLM generated code. +1
Best regards, Julian Jørgensen
participants (2)
-
Julian Jørgensen -
Rodrigo Arias