Re: [http-state] Ticket 11: Character encoding for non-ASCII cookies values

Adam Barth <ietf@adambarth.com> Wed, 03 March 2010 23:32 UTC

Return-Path: <abarth@gmail.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 017C628C47A for <http-state@core3.amsl.com>; Wed, 3 Mar 2010 15:32:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id opsVsg+XcP2n for <http-state@core3.amsl.com>; Wed, 3 Mar 2010 15:32:22 -0800 (PST)
Received: from mail-yw0-f173.google.com (mail-yw0-f173.google.com [209.85.211.173]) by core3.amsl.com (Postfix) with ESMTP id 3A34C28C414 for <http-state@ietf.org>; Wed, 3 Mar 2010 15:32:22 -0800 (PST)
Received: by ywh3 with SMTP id 3so762992ywh.31 for <http-state@ietf.org>; Wed, 03 Mar 2010 15:32:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:from:date:x-google-sender-auth:message-id:subject:to:cc :content-type:content-transfer-encoding; bh=wyYqHNpuIubE0bfOrDXgibIQkHhHzIjpj/3xb6yopjI=; b=fzmBXLqwyt8sgtPttYdtYXrOzGE4eiHIakKoRbmYg7NgW8w8/D7iW7UOT2Yqo2+MfH nyRsHIhwmH16/Fo0VOwQrkn6/T4xOJhPwuWaKf3gTrz9H5b9gTwPjTbABSsu7dCvZxPF M9IEC6ugMncL6Dbanbq0z66txNQcZdYZ8FU2I=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type :content-transfer-encoding; b=VuTjsLueXmhOErl4JAZrNce184XHkcmkgSriIGj48zzxHav441f0xMJYHGNDJemGFA OWmB4D3YljVObYT6zJ/4druWmEhHgOod/AMFFk+bZDE4P8zyQSzxe1Gph7Peu8oIKaGX +nd8z3GwaTBE6/BVllew+VpYPlDnp9RfEYEKE=
MIME-Version: 1.0
Sender: abarth@gmail.com
Received: by 10.151.129.4 with SMTP id g4mr1713324ybn.1.1267659141106; Wed, 03 Mar 2010 15:32:21 -0800 (PST)
In-Reply-To: <alpine.DEB.2.00.1003040019500.3143@tvnag.unkk.fr>
References: <5c4444771003021624qc0b00cet27e348cb6d023b08@mail.gmail.com> <CB794A2E-2F2F-4CE4-8B15-BBE1A1E1B50F@apple.com> <alpine.DEB.2.00.1003032150381.3143@tvnag.unkk.fr> <5c4444771003031516u445525d1le174512ef46bad30@mail.gmail.com> <alpine.DEB.2.00.1003040019500.3143@tvnag.unkk.fr>
From: Adam Barth <ietf@adambarth.com>
Date: Wed, 3 Mar 2010 15:32:01 -0800
X-Google-Sender-Auth: 3bffbe05553135ab
Message-ID: <5c4444771003031532q50c574e3wdb2098a0b6d142f0@mail.gmail.com>
To: Daniel Stenberg <daniel@haxx.se>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Ticket 11: Character encoding for non-ASCII cookies values
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2010 23:41:38 -0000

On Wed, Mar 3, 2010 at 3:27 PM, Daniel Stenberg <daniel@haxx.se> wrote:
> On Wed, 3 Mar 2010, Adam Barth wrote:
>>> Isn't the RFC2616 'token' a bit too strict for cookie-value ? The
>>> netscape spec is _very_ liberal ("a sequence of characters excluding
>>> semi-colon, comma and white space") so the current wording is a great deal
>>> more restrictive.
>>
>> To which wording are you referring?  We recommend that servers send only
>> tokens but require that user agent process a wide range of exotic
>> characters.
>
> Oh. That's not very clear with the current wording methinks.
>
> I read the section 4.1.1 and it says that servers "SHOULD NOT send
> Set-Cookie headers that fail to conform to the following". Where is the text
> saying that clients MUST accept all those other characters?

It's a consequence of the parsing algorithm in
<http://tools.ietf.org/html/draft-ietf-httpstate-cookie-04#section-5.2>.
 In particular, how the name-value-pair and the cookie-value are
extracted from the set-cookie-string.

Adam