From f1d61b959fc0f759a619025eebd3c76d8a897553 Mon Sep 17 00:00:00 2001
From: Volker Dobler <dr.volker.dobler@gmail.com>
Date: Mon, 26 Aug 2013 07:41:37 -0500
Subject: [PATCH] net/http: do not send leading dot in cookie domain attribute

RFC 6265 allows a leading dot in a cookie domain attribute
but is clear (see section 4.1.1) that a Set-Cookie header
should be sent without these dots.

R=bradfitz
CC=golang-dev
https://golang.org/cl/13111043
---
 src/pkg/net/http/cookie.go      | 9 +++++++--
 src/pkg/net/http/cookie_test.go | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/pkg/net/http/cookie.go b/src/pkg/net/http/cookie.go
index 2074c149c26..8b01c508eb1 100644
--- a/src/pkg/net/http/cookie.go
+++ b/src/pkg/net/http/cookie.go
@@ -149,8 +149,13 @@ func (c *Cookie) String() string {
 		if validCookieDomain(c.Domain) {
 			// A c.Domain containing illegal characters is not
 			// sanitized but simply dropped which turns the cookie
-			// into a host-only cookie.
-			fmt.Fprintf(&b, "; Domain=%s", c.Domain)
+			// into a host-only cookie. A leading dot is okay
+			// but won't be sent.
+			d := c.Domain
+			if d[0] == '.' {
+				d = d[1:]
+			}
+			fmt.Fprintf(&b, "; Domain=%s", d)
 		} else {
 			log.Printf("net/http: invalid Cookie.Domain %q; dropping domain attribute",
 				c.Domain)
diff --git a/src/pkg/net/http/cookie_test.go b/src/pkg/net/http/cookie_test.go
index 7a4827cb6b4..11b01cc5713 100644
--- a/src/pkg/net/http/cookie_test.go
+++ b/src/pkg/net/http/cookie_test.go
@@ -26,7 +26,7 @@ var writeSetCookiesTests = []struct {
 	},
 	{
 		&Cookie{Name: "cookie-3", Value: "three", Domain: ".example.com"},
-		"cookie-3=three; Domain=.example.com",
+		"cookie-3=three; Domain=example.com",
 	},
 	{
 		&Cookie{Name: "cookie-4", Value: "four", Path: "/restricted/"},