Re: [http-state] parser rules of draft-ietf-httpstate-cookie-22

Dan Winship <dan.winship@gmail.com> Thu, 24 February 2011 22:30 UTC

Return-Path: <dan.winship@gmail.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8E1703A680D for <http-state@core3.amsl.com>; Thu, 24 Feb 2011 14:30:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.677
X-Spam-Level:
X-Spam-Status: No, score=-1.677 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_COM=0.311]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WIQpnSn+GanK for <http-state@core3.amsl.com>; Thu, 24 Feb 2011 14:30:24 -0800 (PST)
Received: from mysterion.org (li168-117.members.linode.com [173.230.128.117]) by core3.amsl.com (Postfix) with ESMTP id 860CC3A6808 for <http-state@ietf.org>; Thu, 24 Feb 2011 14:30:24 -0800 (PST)
Received: from desktop.home.mysterion.org (c-76-97-71-164.hsd1.ga.comcast.net [76.97.71.164]) by mysterion.org (Postfix) with ESMTPSA id EE0D934E5D; Thu, 24 Feb 2011 17:31:14 -0500 (EST)
Message-ID: <4D66DC31.1020200@gmail.com>
Date: Thu, 24 Feb 2011 17:31:13 -0500
From: Dan Winship <dan.winship@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.1.7-0.35.b3pre.fc14 Thunderbird/3.1.7
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <20110204184735.26023.qmail@mm01.prod.mesa1.secureserver.net> <AANLkTinFq7bE_e3SSgdjuFvZ8hGn1xy4Hc1VKwc=vp1D@mail.gmail.com> <49225418-A1AF-4299-8C4F-2E608D34265D@gbiv.com> <AANLkTimrJF3LFR4t4j=U2L33kFh+wf-R=sjjwexcmyPi@mail.gmail.com> <26240DE2-4DD3-4863-81B1-635D34BA4AE4@gbiv.com> <AANLkTikzB=VORtn7xiG2JY8ymTjk4epC9huZTC-s0nzq@mail.gmail.com> <4D5AEE94.6010303@gmx.de> <AANLkTimkmZ99qDcXB6=-PGtXq6WQ7+RSreRwsBAHryEj@mail.gmail.com> <DA7A626A-9613-4A49-8A46-8096F7F465B4@gbiv.com> <AANLkTi=aX26NgDx3J0zk6a6H-Fg-9hyuBhfwvVW5nBiH@mail.gmail.com> <AANLkTinnySHEXvaQSxoUAKNaPWThDWdJwnhvCdVfa5Vr@mail.gmail.com> <1E7DE6DF-864A-48AF-B9A3-698DEF4B3B2D@gbiv.com> <4D6590F4.6010505@stpeter.im> <94DA5CF6-88AB-43BD-99AE-921BCA98C7A3@gbiv.com> <AANLkTikxOBCgiAwvg3z2DwyHtJXhTK1=6ipTo16csKr9@mail.gmail.com> <4D66C718.3000300@stpeter.im> <1CE31B7F-5D95-4CFE-B9A1-FBCC9461E472@gbiv.com> <AANLkTim18Lu-_8+OB_oXyRK_x6aPV++m2=ZgnahNSLvK@mail.gmail.com>
In-Reply-To: <AANLkTim18Lu-_8+OB_oXyRK_x6aPV++m2=ZgnahNSLvK@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "Roy T. Fielding" <fielding@gbiv.com>, iesg@iesg.org, http-state <http-state@ietf.org>
Subject: Re: [http-state] parser rules of draft-ietf-httpstate-cookie-22
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2011 22:30:25 -0000

On 02/24/2011 04:50 PM, Adam Barth wrote:
> DQUOTE is a cargo cult.  Matching DQUOTEs, as above, are less
> problematic although they do have interoperability problems.  For
> example, some user agents will incorrectly parse
> 
> Set-Cookie: foo="bar\"; Secure
> 
> (allowed by the grammar above) and will not interpret this header as
> containing a Secure cookie.  If you insist on DQUOTE, we'll probably
> be better off excluding %x5C from cookie-octet.

I currently have some cookies with \" in them.

Rather than trying to deal with this in the grammar, we could handle it
like Max-Age, and just add "WARNING: If the cookie-value starts with a
DQUOTE, some existing user agents will require it to be a valid
quoted-string."

-- Dan