[rfc6265bis] Cookie parser - cookie name and value with spaces #1074

Closed
bakulf opened this issue Feb 24, 2020 · 0 comments · Fixed by #1145

bakulf commented Feb 24, 2020

Similar to #1073, by spec, cookie name and value should not contain spaces, but modern browsers do allow spaces. We even have WPTs.

A similar issue is the trimming of cookie-name and cookie-value. By spec: "SetCookie: foo = bar" is invalid.

What I suggest is to write the BNF in this way (untested, unverified):

```
cookie-pair       = cookie-name *[SP] "=" *[SP] cookie-value
cookie-name       = 1*cookie-octet
cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
; %x20 (SP) is the addition to the RFC 6265 cookie-octet set
cookie-octet      = %x20 / %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
```

mnot added the 6265bis label Mar 17, 2020
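
The gap between the strict RFC 6265 `cookie-pair` syntax and the grammar proposed in the comment above, as an added example that is not part of the original issue or of the spec. It lists the pairs a lenient, browser-like parser accepts while a strict validator (for instance in a proxy or server-side filter) rejects them. The function names are hypothetical, and splitting at the first `=` and trimming SP is an assumption made here to resolve the ambiguity in the proposed grammar.

```javascript
// Added example, not code from the spec or this issue. Function names are hypothetical.
// cookie-octet per RFC 6265 section 4.1.1, and the issue's variant that adds SP (%x20).
const OCTET = "[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]";
const OCTET_SP = "[\\x20\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]";
// RFC 6265 cookie-name is an HTTP token: no SP and no separators.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";

// cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
const valueRe = (octet) => `(?:"${octet}*"|${octet}*)`;
const STRICT_PAIR = new RegExp(`^${TOKEN}=${valueRe(OCTET)}$`);
const LENIENT_NAME = new RegExp(`^${OCTET_SP}+$`);
const LENIENT_VALUE = new RegExp(`^${valueRe(OCTET_SP)}$`);

// True when the pair matches the strict RFC 6265 cookie-pair production.
function isStrictCookiePair(pair) {
  return STRICT_PAIR.test(pair);
}

// Parses with the issue's proposed grammar. Assumption: the grammar is ambiguous
// (SP and "=" are both cookie-octets), so split at the first "=" and trim SP.
function parseLenientCookiePair(pair) {
  const eq = pair.indexOf("=");
  if (eq < 0) return null;
  const trimSp = (s) => s.replace(/^ +| +$/g, "");
  const name = trimSp(pair.slice(0, eq));
  const value = trimSp(pair.slice(eq + 1));
  if (!LENIENT_NAME.test(name) || !LENIENT_VALUE.test(value)) return null;
  return { name, value };
}

// Pairs a lenient (browser-like) parser accepts but a strict validator rejects.
function parserDifferential(pairs) {
  return pairs.filter((p) => parseLenientCookiePair(p) && !isStrictCookiePair(p));
}

// Constructed sample input.
const SAMPLES = ["foo=bar", "foo = bar", "my name=some value", "foo=bar;baz", " =bar"];
console.log(parserDifferential(SAMPLES));
```
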
mikewest added a commit that referenced this issue Mar 31, 2020
This patch incorporates two ABNF changes:

1.  Closes #1074 by
    adjusting the `cookie-pair` grammar to include optional spaces.
    We test this behavior in a few distinct WPTs, including
    chromium0014, name0018, value0006.

2.  Closes #1119
    by removing OWS from the spec, as user agents generally follow
    the "SHOULD" in the current text to limit themselves to a single
    SP rather than serializing with OWS. It's reasonable to lock that
    in, and it also happens to match all the `Cookie:` header tests
    we have.

Thanks to both @reschke and @bakulf for paying attention to this.
mikewest self-assigned this Mar 31, 2020
mikewest added a commit that referenced this issue Apr 7, 2020