Copy unsafe setting from session cookie jar to ad-hoc request cookie jar by Krishnachaitanyakc · Pull Request #12271 · aio-libs/aiohttp

Krishnachaitanyakc · 2026-03-25T02:26:50Z

Summary

Fixes #12011

When ad-hoc cookies are passed to individual requests via the cookies parameter, a temporary CookieJar is created to filter them. Previously, only the quote_cookie setting was copied from the session's cookie jar. This meant that if the session's cookie jar had unsafe=True (to allow cookies with IP addresses), the ad-hoc cookies would still be filtered out by the temporary jar's default unsafe=False setting.

This change:

Copies the unsafe setting from the session's cookie jar to the temporary cookie jar used for ad-hoc request cookies
Exposes unsafe as a public abstract property on AbstractCookieJar (mirroring the existing quote_cookie property)
Implements the unsafe property on CookieJar and DummyCookieJar

This approach was explicitly approved by maintainers @Dreamsorcerer and @bdraco in the issue discussion.

Test plan

Added test_cookies_with_unsafe_cookie_jar in test_client_session.py verifying ad-hoc cookies are sent when the session cookie jar has unsafe=True and the target URL uses an IP address
Added test_cookie_jar_unsafe_property in test_cookiejar.py verifying the new unsafe property on CookieJar
Added assertion for DummyCookieJar.unsafe in the existing test_dummy_cookie_jar test
Updated MockCookieJar in test suite to implement the new abstract unsafe property
All existing cookie jar tests pass (84/84)
All existing client session tests pass (86/86, 1 skipped)

When ad-hoc cookies are passed to individual requests via the `cookies` parameter, a temporary `CookieJar` is created to filter them. Previously, only the `quote_cookie` setting was copied from the session's cookie jar. This meant that if the session's cookie jar had `unsafe=True` (to allow cookies with IP addresses), the ad-hoc cookies would still be filtered out by the temporary jar's default `unsafe=False` setting. This copies the `unsafe` setting from the session's cookie jar to the temporary cookie jar, and also exposes `unsafe` as a public property on `AbstractCookieJar`, `CookieJar`, and `DummyCookieJar` (mirroring the existing `quote_cookie` property). Closes aio-libs#12011

for more information, see https://pre-commit.ci

codecov · 2026-03-25T02:33:00Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.10%. Comparing base (b5a5170) to head (aa79505).
⚠️ Report is 5 commits behind head on master.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #12271   +/-   ##
=======================================
  Coverage   99.10%   99.10%           
=======================================
  Files         130      130           
  Lines       45432    45465   +33     
  Branches     2400     2400           
=======================================
+ Hits        45027    45060   +33     
  Misses        273      273           
  Partials      132      132

Flag	Coverage Δ
CI-GHA	`98.96% <100.00%> (+<0.01%)`	⬆️
OS-Linux	`98.70% <100.00%> (-0.01%)`	⬇️
OS-Windows	`96.98% <100.00%> (+<0.01%)`	⬆️
OS-macOS	`97.86% <100.00%> (+<0.01%)`	⬆️
Py-3.10.11	`97.41% <100.00%> (-0.01%)`	⬇️
Py-3.10.20	`97.89% <100.00%> (+<0.01%)`	⬆️
Py-3.11.15	`98.09% <100.00%> (+<0.01%)`	⬆️
Py-3.11.9	`97.62% <100.00%> (+<0.01%)`	⬆️
Py-3.12.10	`97.71% <100.00%> (+<0.01%)`	⬆️
Py-3.12.13	`98.19% <100.00%> (+<0.01%)`	⬆️
Py-3.13.12	`98.43% <100.00%> (+<0.01%)`	⬆️
Py-3.14.3	`98.49% <100.00%> (+<0.01%)`	⬆️
Py-3.14.3t	`97.48% <100.00%> (-0.01%)`	⬇️
Py-pypy3.11.13-7.3.20	`?`
Py-pypy3.11.15-7.3.21	`97.53% <100.00%> (?)`
VM-macos	`97.86% <100.00%> (+<0.01%)`	⬆️
VM-ubuntu	`98.70% <100.00%> (-0.01%)`	⬇️
VM-windows	`96.98% <100.00%> (+<0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

codspeed-hq · 2026-03-25T02:34:35Z

Merging this PR will not alter performance

✅ 59 untouched benchmarks

_{Comparing Krishnachaitanyakc:fix/copy-unsafe-to-adhoc-cookie-jar (aa79505) with master (b5a5170)¹}

No successful run was found on master (3f30561) during the generation of this report, so b5a5170 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩

tests/test_client_session.py

- Simplify handler to return web.Response() since response text is unused - Add sanity check that test URL is IP-based (assert str(ip_url).count(".") == 3) - Use async with for request to handle errors better - Add assert jar.unsafe is False for missing coverage

tests/test_client_session.py

patchback · 2026-03-25T14:27:41Z

Backport to 3.14: 💚 backport PR created

✅ Backport PR branch: patchback/backports/3.14/e04da11f7a075547bfe8abf6b1361adae19949bf/pr-12271

Backported as #12274

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

…jar (#12271) (cherry picked from commit e04da11)

…cookie jar to ad-hoc request cookie jar (#12274) **This is a backport of PR #12271 as merged into master (e04da11).** Co-authored-by: Krishna Chaitanya <[email protected]>

Krishnachaitanyakc requested review from asvetlov and webknjaz as code owners March 25, 2026 02:26

psf-chronographer bot added the bot:chronographer:provided There is a change note present in this PR label Mar 25, 2026

[pre-commit.ci] auto fixes from pre-commit.com hooks

7de8600

for more information, see https://pre-commit.ci