[http-state] nameless valueless cookies, and http vs javascript
Dan Winship <dan.winship@gmail.com> Tue, 01 December 2009 21:59 UTC
Return-Path: <dan.winship@gmail.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 750073A6997 for <http-state@core3.amsl.com>; Tue, 1 Dec 2009 13:59:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level:
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id icIgS6j-xPLw for <http-state@core3.amsl.com>; Tue, 1 Dec 2009 13:59:05 -0800 (PST)
Received: from mysterion.org (mysterion.org [69.25.196.35]) by core3.amsl.com (Postfix) with ESMTP id 7C37A3A699C for <http-state@ietf.org>; Tue, 1 Dec 2009 13:59:05 -0800 (PST)
Received: from x61.home.mysterion.org (c-76-111-61-212.hsd1.ga.comcast.net [76.111.61.212]) by mysterion.org (Postfix) with ESMTPA id 1BE12802AE for <http-state@ietf.org>; Tue, 1 Dec 2009 16:58:56 -0500 (EST)
Message-ID: <4B1591AB.5050708@gmail.com>
Date: Tue, 01 Dec 2009 16:59:07 -0500
From: Dan Winship <dan.winship@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.4pre) Gecko/20090922 Fedora/3.0-3.9.b4.fc12 Thunderbird/3.0b4
MIME-Version: 1.0
To: http-state <http-state@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: [http-state] nameless valueless cookies, and http vs javascript
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2009 21:59:06 -0000
The spec allows for a cookie in Set-Cookie to have both a 0-length name and a 0-length value (which can be expressed as either "Set-Cookie: " or "Set-Cookie: ="). Later it says that: the user agent SHOULD attach exactly one HTTP header named Cookie if the cookie-string (defined below) for that URI is non-empty. But this is not quite right, because it would imply that if you had an "empty" cookie and also some non-empty cookies, that you *would* emit the empty cookie as well. Eg: test: Set-Cookie: a=b Set-Cookie: = Set-Cookie: c=d expected: Cookie: a=b; ; c=d but Firefox outputs "Cookie: a=b; c=d". Assuming other browsers behave the same, we need to add something like "either the cookie name or cookie value or both is non-empty" to the cookie-list requirements in 5.3 part 1. (And then perhaps change the "cookie-string is non-empty" rule to "cookie-list is non-empty".) Another issue: we test that "Set-Cookie: =" and "Set-Cookie: " don't cause cookies to be emitted, but we don't test how they interact with previous Set-Cookies. The current rules suggest: test: Set-Cookie: foo Set-Cookie: expected: (empty) and test: Set-Cookie: foo Set-Cookie: = expected: (empty) Firefox gives the expected answer on the second one, but gives "Cookie: foo" on the first, suggesting that it just completely ignores the blank Set-Cookie header. However, if you do it in JavaScript, you get the expected answer either way: >>> document.cookie="foo" >>> document.cookie "foo" >>> document.cookie="" >>> document.cookie "" The fact that this works this way in javascript is intentional (https://bugzilla.mozilla.org/show_bug.cgi?id=169091#c16). I'm not sure if the different behavior via HTTP is intentional or not. -- Dan
- [http-state] nameless valueless cookies, and http… Dan Winship
- Re: [http-state] nameless valueless cookies, and … Adam Barth
- Re: [http-state] nameless valueless cookies, and … Dan Witte
- Re: [http-state] nameless valueless cookies, and … Adam Barth
- Re: [http-state] nameless valueless cookies, and … Roy T. Fielding
- Re: [http-state] nameless valueless cookies, and … Adam Barth