Re: [http-state] Netscape Cookie spec allowed chars

"Roy T. Fielding" <fielding@gbiv.com> Thu, 24 February 2011 03:30 UTC

From: "Roy T. Fielding" <fielding@gbiv.com>
In-Reply-To: <4D659252.3090407@KingsMountain.com>
Date: Wed, 23 Feb 2011 19:31:12 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <E20D5E19-DD27-47FB-87E3-204783CFB19E@gbiv.com>
References: <4D659252.3090407@KingsMountain.com>
To: =JeffH <Jeff.Hodges@KingsMountain.com>
X-Mailer: Apple Mail (2.1082)
Cc: IETF HTTP State WG <http-state@ietf.org>
Subject: Re: [http-state] Netscape Cookie spec allowed chars

On Feb 23, 2011, at 3:03 PM, =JeffH wrote:

> Roy said..
> >
> > Therefore, I would like you to change the ABNF so that it
> > reflects the reality of (Set-)Cookie usage on the Internet,
> > ...
> >  Changing it to
> >
> >  cookie-value      = %x21-2B / %x2D-3A / %x3C-7E / %x80-FF
> >
> > or just the minimum
> >
> >  cookie-value      = %x21-2B / %x2D-3A / %x3C-7E
> >
> > returns the definition to the original Netscape spec (at
> > least in the first case)
> 
> 
> Just so we all know for sure what the paraphrased (above) primary source actually says, here's the as-is spec being cited and a brief analysis of what it means...
> 
> 
> [NSCP-COOKIE] "PERSISTENT CLIENT STATE HTTP COOKIES
> Preliminary Specification - Use with caution"...
> <http://web.archive.org/web/20020803110822/http://wp.netscape.com/newsref/std/cookie_spec.html> 
> 
> ###
>  Syntax of the Set-Cookie HTTP Response Header
> 
>    This is the format a CGI script would use to add to the HTTP
>    headers a new piece of data which is to be stored by the client
>    for later retrieval.
> 
>    Set-Cookie: NAME=VALUE; expires=DATE;
>    path=PATH; domain=DOMAIN_NAME; secure
> 
>    NAME=VALUE
>          This string is a sequence of characters excluding semi-colon,
>          comma and white space. If there is a need to place such data
>          in the name or value, some encoding method such as URL style
>          %XX encoding is recommended, though no encoding is defined or
>          required.
> 
>          This is the only required attribute on the Set-Cookie header.
> ###
> 
> Operative statement from the above quote..
> 
> "..characters excluding semi-colon, comma and white space."
> 
> (note also that the text above is only explicitly referring to the "NAME=VALUE" production; it apparently has been commonly interpreted as referring to the entire value string of the "Set-Cookie" HTTP response header; note also that it apparently assumes "characters" means "octets", and when it says "whitespace" it is meaning the set of chars from the ASCII charset typically referred to as that (although that isn't necessarily a rigidly defined set [WS]))
> 
> 
> As noted in the table below, the above operative statement has some ambiguities. For example, it doesn't explicitly include the high-bit-set chars %x80-FF, though apparently many have assumed it does.

Right, but it also defines it as an HTTP Response Header,
and (at the time Lou wrote that spec) all such header fields
forbid CTLs (other than WS) and allowed "Recipients of header
field TEXT containing octets outside the US-ASCII character set
may assume that they represent ISO-8859-1 characters."

Hence, it does say exactly the production that I suggested,
if you know the context, and well-written implementations
generally do exclude %x00-20, ";", ",", and %x7E when
processing what looks to be a Netscape-style cookie.

....Roy
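The two readings discussed in this thread (the ABNF ranges Roy proposes, and the Netscape prose rule "excluding semi-colon, comma and white space" read in its HTTP header-field context, i.e. with CTLs also excluded) can be compared octet by octet. The following is an added example, not code from the thread or from any cookie implementation; it assumes, as JeffH's note suggests, that "characters" means octets and that the whitespace the Netscape spec refers to is SP and HTAB. The `disagreements` function enumerates every octet on which the two definitions differ, and `safe_cookie_value` applies the %XX encoding the Netscape text recommends to anything outside the minimal production, which is what a server should do before a user-supplied value reaches a Set-Cookie header.

```python
import re

# Roy's two proposed ABNF alternatives, translated into byte-class regexes.
# Octets are checked directly so that "characters" means octets.
PROPOSED_WITH_HIGH_BIT = re.compile(rb"\A[\x21-\x2b\x2d-\x3a\x3c-\x7e\x80-\xff]*\Z")
PROPOSED_MINIMUM = re.compile(rb"\A[\x21-\x2b\x2d-\x3a\x3c-\x7e]*\Z")


def matches_proposed(value: bytes, allow_high_bit: bool = True) -> bool:
    """True if every octet of value lies inside the proposed cookie-value ranges."""
    pattern = PROPOSED_WITH_HIGH_BIT if allow_high_bit else PROPOSED_MINIMUM
    return pattern.fullmatch(value) is not None


# The Netscape prose rule plus the HTTP header-field rule that CTLs other
# than WS are forbidden. Reading WS as SP / HTAB is an assumption of this
# example, not something the Netscape text defines.
_CTL = frozenset(range(0x00, 0x20)) | {0x7F}
_WS = frozenset(b" \t")
NETSCAPE_FORBIDDEN = frozenset(b";,") | _WS | _CTL


def matches_netscape(value: bytes, allow_high_bit: bool = True) -> bool:
    """Octet-by-octet check of the Netscape rule in its HTTP header context."""
    for octet in value:
        if octet in NETSCAPE_FORBIDDEN:
            return False
        if octet >= 0x80 and not allow_high_bit:
            return False
    return True


def disagreements(allow_high_bit: bool = True) -> set:
    """Octets on which the ABNF and the prose reading give different answers.

    An empty set means the two definitions admit exactly the same octets.
    """
    return {
        octet
        for octet in range(256)
        if matches_proposed(bytes([octet]), allow_high_bit)
        != matches_netscape(bytes([octet]), allow_high_bit)
    }


def safe_cookie_value(raw: bytes) -> bytes:
    """Percent-encode every octet outside the minimal production (and '%' itself).

    The result can never carry ';', ',', whitespace, CR/LF or other CTLs into a
    Set-Cookie header, so a user-supplied value cannot split or inject headers.
    """
    out = bytearray()
    for octet in raw:
        if octet != 0x25 and matches_proposed(bytes([octet]), allow_high_bit=False):
            out.append(octet)
        else:
            out.extend(f"%{octet:02X}".encode("ascii"))
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real traffic.
    for sample in (b"session=abc123", b'"quoted"', b"a b;c=d", b"\xe9t\xe9"):
        print(sample, matches_proposed(sample), matches_netscape(sample))
    print("octets where the two readings differ:", disagreements())
    print(safe_cookie_value(b"\r\nSet-Cookie: injected=1"))
```

Running the comparison shows that, with CTLs excluded as the HTTP header rules of the time required, the prose rule and the proposed `%x21-2B / %x2D-3A / %x3C-7E / %x80-FF` production admit the same 0-255 octets, which is the point Roy makes about reading the Netscape text in context. DQUOTE (0x22) is admitted by both, so a value containing quotes is legal even though later specs treat it specially.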