Re: [http-state] non-ASCII cookie values (was Re: Closing Ticket 3: Public Suffixes)

Julian Reschke <julian.reschke@gmx.de> Wed, 03 February 2010 08:50 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3FAF83A6AB9 for <http-state@core3.amsl.com>; Wed, 3 Feb 2010 00:50:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.459
X-Spam-Level:
X-Spam-Status: No, score=-3.459 tagged_above=-999 required=5 tests=[AWL=-0.860, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ONEzosQdZ-nc for <http-state@core3.amsl.com>; Wed, 3 Feb 2010 00:50:31 -0800 (PST)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by core3.amsl.com (Postfix) with SMTP id AFF9A3A6AB2 for <http-state@ietf.org>; Wed, 3 Feb 2010 00:50:30 -0800 (PST)
Received: (qmail invoked by alias); 03 Feb 2010 08:51:08 -0000
Received: from p508FC23D.dip.t-dialin.net (EHLO [192.168.178.33]) [80.143.194.61] by mail.gmx.net (mp018) with SMTP; 03 Feb 2010 09:51:08 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX19OESchC4JOEaj9ZYqz6mDODc0DHXvk7PpoCb7Sht cemClnTOZsEbBl
Message-ID: <4B6938F1.100@gmx.de>
Date: Wed, 03 Feb 2010 09:50:57 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060516 Thunderbird/1.5.0.4 Mnenhy/0.7.4.666
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <7789133a1002011014x5d587436j663a73bc92270a65@mail.gmail.com> <143E98B7-BFA6-4F77-9685-E57FFD2449A6@apple.com> <7789133a1002021737v2a50be07u3eea61a2fe870c79@mail.gmail.com> <4B6926FC.5030107@gmx.de> <67660F71-01A3-4B66-B546-B740A1314E49@apple.com> <7789133a1002022348h57a61611me73b95e110c72ea3@mail.gmail.com> <4B692D7C.900@gmx.de> <7789133a1002030006r1d9b1bech491fa7826587eaff@mail.gmail.com> <7789133a1002030008n4f4e294fn548c359133d7734b@mail.gmail.com> <4B692F9F.7040602@gmx.de> <7789133a1002030034w5400ddb8k61bf9d7be880c2c0@mail.gmail.com>
In-Reply-To: <7789133a1002030034w5400ddb8k61bf9d7be880c2c0@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.60999999999999999
Cc: http-state@ietf.org
Subject: Re: [http-state] non-ASCII cookie values (was Re: Closing Ticket 3: Public Suffixes)
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2010 08:50:34 -0000

Adam Barth wrote:
> On Wed, Feb 3, 2010 at 12:11 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
>> Adam Barth wrote:
>>> ...
>>> Those cases being charset0001, charset0002, and charset0003.  One
>>> possible explanation is that Safari rejects cookies that have
>>> non-ASCII characters in their values.
>>> ...
>> ...which I think is not really a bug, according to the specs.
> 
> I'm not sure that's the most important consideration.
> 
>> Unless that affects Safari's interoperability, I'd strongly recommend to
>> consider making this the recommended behavior.
> 
> Why?  Ideally, a justification would be an evidence-based argument we
> could use to convince the implementors of IE, Firefox, Chrome, and
> Opera that the benefits of changing their behavior out-weighs the
> costs.
> 
> In general, I'm very reluctant to specify a behavior that conflicts
> with IE, Firefox, Chrome, and Opera.  In specific, IE has something
> like 99% market share in some Asian markets.  The fact that this issue
> affects Asian markets disproportionately means the pressure to be
> IE-like is even greater than usual.
> ...

On the other hand, why require something that's known not be in use (if 
that is the case)?

If you allow non-ASCII characters (or actually require support), you'll 
also have to figure out how existing server and client based APIs are to 
deal with them (so what encoding is it?).

Best regards, Julian