Re: [http-state] [Technical Errata Reported] RFC6265 (3663)

Dave Thaler <dthaler@microsoft.com> Tue, 18 June 2013 01:06 UTC

From: Dave Thaler <dthaler@microsoft.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>, RFC Errata System <rfc-editor@rfc-editor.org>
Date: Tue, 18 Jun 2013 01:04:59 +0000
Message-ID: <32084f57d08e414b99c66bcddd53e9ee@BY2PR03MB269.namprd03.prod.outlook.com>
References: <20130618002830.7DF236211A@rfc-editor.org> <7mavr8hhrqsfmcqt77181vqc3g3nl25s1d@hive.bjoern.hoehrmann.de>
Cc: "http-state@ietf.org" <http-state@ietf.org>, "presnick@qti.qualcomm.com" <presnick@qti.qualcomm.com>, "barryleiba@computer.org" <barryleiba@computer.org>, "abarth@eecs.berkeley.edu" <abarth@eecs.berkeley.edu>
Subject: Re: [http-state] [Technical Errata Reported] RFC6265 (3663)
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>

I checked with one of the test teams at Microsoft and got this back:

> There is a gap between RFCs 3986 and 6265. RFC 3986 talks about the URI path and equivalence of 
> encoded Unicode characters in the path section of the URI. However, RFC 6265 section 5.1.4 
> does not specifically state that the prefix match should be done on the unescaped URL path. 
> All the browsers we tested against (IE, Chrome, Firefox) do this case-sensitive prefix matching
> before sending the cookies to the other page.
>
> For IIS applications created with Unicode characters, IIS converts the escaped characters 
> (like %0D%0C) to lower case, and they are justified since the URI spec clearly calls out that they
> are equivalent. When one page redirects to another in an IIS application, the cookies set for the
> first page are not presented to the application on the other pages. This problem exists with 
> the cookie handling by all the browsers we tested against (IE, Chrome, Firefox). This is due to 
> the gap I explained above.

Hope the above info is useful.

-Dave

-----Original Message-----
From: Dave Thaler 
Sent: Monday, June 17, 2013 5:45 PM
To: 'Bjoern Hoehrmann'; RFC Errata System
Cc: abarth@eecs.berkeley.edu; barryleiba@computer.org; presnick@qti.qualcomm.com; Jeff.Hodges@kingsmountain.com; http-state@ietf.org
Subject: RE: [http-state] [Technical Errata Reported] RFC6265 (3663)

Thanks Bjoern.

Interesting, well in that case there may be an issue in the RFC 6265 algorithm for path matching.  
That's because it requires comparison for "identical" and "ab", "AB", "aB", and "Ab" are not "identical".

So 
http://www.example.com/%AB/foo
http://www.example.com/%ab/foo
http://www.example.com/%Ab/foo
http://www.example.com/%aB/foo

are all "equivalent" in the language of RFC 3986, but not "identical" and hence a cookie on one will not match the others.

It may still be worth having an erratum noting the above issue, even if it's Hold For Document Update.

-Dave
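A small model of the mismatch Dave describes, as an added example that is not code from the thread: the RFC 6265 section 5.1.4 default-path and path-match rules applied literally to his four URLs, beside an RFC 3986 section 6.2.2 normalisation that makes them compare identical. The normalisation step is an assumption about one possible remediation, not something RFC 6265 specifies.

```python
import re
from urllib.parse import urlsplit

# RFC 3986 section 2.3 "unreserved" characters: their pct-encoded forms are
# equivalent to the bare character and should be decoded when normalising.
_UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                  "0123456789-._~")
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def default_path(request_uri):
    """RFC 6265 section 5.1.4: default-path of a request-uri (no Path attribute)."""
    path = urlsplit(request_uri).path
    if not path.startswith("/") or path.count("/") <= 1:
        return "/"
    return path[: path.rfind("/")]


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match, taken literally: 'identical' means
    byte-for-byte equal, so /%AB and /%ab are different prefixes."""
    if cookie_path == request_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def normalize_path(path):
    """Assumed remediation (not in RFC 6265): RFC 3986 section 6.2.2 normalisation.
    Uppercase the hex digits of pct-encodings and decode pct-encoded unreserved
    characters, so paths RFC 3986 calls equivalent become identical strings."""
    def fix(m):
        octet = int(m.group(1), 16)
        if octet < 0x80 and chr(octet) in _UNRESERVED:
            return chr(octet)
        return "%" + m.group(1).upper()
    return _PCT.sub(fix, path)


def cookie_visible(set_on, request, normalize=False):
    """Would a cookie set without a Path attribute on set_on be sent to request?"""
    cookie_path = default_path(set_on)
    request_path = urlsplit(request).path or "/"
    if normalize:
        cookie_path, request_path = normalize_path(cookie_path), normalize_path(request_path)
    return path_matches(request_path, cookie_path)


if __name__ == "__main__":
    base = "http://www.example.com/%AB/foo"  # Dave's first URL
    for v in ("%AB", "%ab", "%Ab", "%aB"):
        target = "http://www.example.com/%s/foo" % v
        print(v, cookie_visible(base, target), cookie_visible(base, target, normalize=True))
```

Only the first variant matches under the literal rule; all four match once both paths are normalised.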

-----Original Message-----
From: Bjoern Hoehrmann [mailto:derhoermi@gmx.net] 
Sent: Monday, June 17, 2013 5:36 PM
To: RFC Errata System
Cc: abarth@eecs.berkeley.edu; barryleiba@computer.org; presnick@qti.qualcomm.com; Jeff.Hodges@kingsmountain.com; Dave Thaler; http-state@ietf.org
Subject: Re: [http-state] [Technical Errata Reported] RFC6265 (3663)

* RFC Errata System wrote:
>Notes
>-----
>HEXDIG is defined in [RFC5234], Appendix B.1 as
>  HEXDIG         =  DIGIT / "A" / "B" / "C" / "D" / "E" / "F"
>Note that lower case a-f are not legal.

As per RFC 5234:

   NOTE:

      ABNF strings are case insensitive and the character set for these
      strings is US-ASCII.

   Hence:

         rulename = "abc"

   and:

         rulename = "aBc"

   will match "abc", "Abc", "aBc", "abC", "ABc", "aBC", "AbC", and
   "ABC".
--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Phone: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/