Re: [http-state] Netscape Cookie spec allowed chars

"Roy T. Fielding" <fielding@gbiv.com> Thu, 24 February 2011 03:30 UTC

Return-Path: <fielding@gbiv.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ABC4B3A67D6 for <http-state@core3.amsl.com>; Wed, 23 Feb 2011 19:30:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TPHtEctsaZEm for <http-state@core3.amsl.com>; Wed, 23 Feb 2011 19:30:19 -0800 (PST)
Received: from homiemail-a28.g.dreamhost.com (caiajhbdccac.dreamhost.com [208.97.132.202]) by core3.amsl.com (Postfix) with ESMTP id 854753A67C2 for <http-state@ietf.org>; Wed, 23 Feb 2011 19:30:19 -0800 (PST)
Received: from homiemail-a28.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a28.g.dreamhost.com (Postfix) with ESMTP id 086301B4057; Wed, 23 Feb 2011 19:31:08 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gbiv.com; h=subject:mime-version :content-type:from:in-reply-to:date:cc:content-transfer-encoding :message-id:references:to; q=dns; s=gbiv.com; b=Xo+kQnrFUksUbif7 nnLXWfWw1l/SKNw16oeYk1w2d+VUdxEu8VjeG/yQ10NT5xlDw7c9+IxB2wCvjNnI rklKqEYfQZEiRWdK5siCkvXcThk9bvqGpe9REhhb7+EH65UjzuqOGG2/A4sNYB/0 X0QeqZrf6zW4/3/0jdCvm4Y9+aU=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=gbiv.com; h=subject :mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=gbiv.com; bh=1/bb0x93bEKTAJI/8QDt0VwtljY=; b=fGE5iZgP0nWxmMJlnZ/CcmUBXKuA 766XxaZTn/s6sGe4WsCIU/+vKhuvR+ymKy339aMFF6h9RqZmVNJlXyy38llCVgVt TPhQNbaE3mrAno7N55L+BSPXqZvbKJ1H5LI8Uc5aLi3rPWV0/21EmD6A0JmbVROO FSFbITu5VpczUlc=
Received: from kiwi.corp.day.com (wsip-98-189-13-228.oc.oc.cox.net [98.189.13.228]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: fielding@gbiv.com) by homiemail-a28.g.dreamhost.com (Postfix) with ESMTPSA id CFBA71B4009; Wed, 23 Feb 2011 19:31:07 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset=us-ascii
From: "Roy T. Fielding" <fielding@gbiv.com>
In-Reply-To: <4D659252.3090407@KingsMountain.com>
Date: Wed, 23 Feb 2011 19:31:12 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <E20D5E19-DD27-47FB-87E3-204783CFB19E@gbiv.com>
References: <4D659252.3090407@KingsMountain.com>
To: =JeffH <Jeff.Hodges@KingsMountain.com>
X-Mailer: Apple Mail (2.1082)
Cc: IETF HTTP State WG <http-state@ietf.org>
Subject: Re: [http-state] Netscape Cookie spec allowed chars
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2011 03:30:23 -0000

On Feb 23, 2011, at 3:03 PM, =JeffH wrote:

> Roy said..
> >
> > Therefore, I would like you to change the ABNF so that it
> > reflects the reality of (Set-)Cookie usage on the Internet,
> > ...
> >  Changing it to
> >
> >  cookie-value      = %x21-2B / %x2D-3A / %x3C-7E / %x80-FF
> >
> > or just the minimum
> >
> >  cookie-value      = %x21-2B / %x2D-3A / %x3C-7E
> >
> > returns the definition to the original Netscape spec (at
> > least in the first case)
> 
> 
> Just so we all know for sure what the paraphrased (above) primary source actually says, here's the as-is spec being cited and a brief analysis of what it means...
> 
> 
> [NSCP-COOKIE] "PERSISTENT CLIENT STATE HTTP COOKIES
> Preliminary Specification - Use with caution"...
> <http://web.archive.org/web/20020803110822/http://wp.netscape.com/newsref/std/cookie_spec.html> 
> 
> ###
>  Syntax of the Set-Cookie HTTP Response Header
> 
>    This is the format a CGI script would use to add to the HTTP
>    headers a new piece of data which is to be stored by the client
>    for later retrieval.
> 
>    Set-Cookie: NAME=VALUE; expires=DATE;
>    path=PATH; domain=DOMAIN_NAME; secure
> 
>    NAME=VALUE
>          This string is a sequence of characters excluding semi-colon,
>          comma and white space. If there is a need to place such data
>          in the name or value, some encoding method such as URL style
>          %XX encoding is recommended, though no encoding is defined or
>          required.
> 
>          This is the only required attribute on the Set-Cookie header.
> ###
> 
> Operative statement from the above quote..
> 
> "..characters excluding semi-colon, comma and white space."
> 
> (note also that the text above is only explicitly referring to the "NAME=VALUE" production; it apparently has been commonly interpreted as referring to the entire value string of the "Set-Cookie" HTTP response header; note also that it apparently assumes "characters" means "octets", and when it says "whitespace" it is meaning the set of chars from the ASCII charset typically referred to as that (although that isn't necessarily a rigidly defined set [WS]))
> 
> 
> As noted in the table below, the above operative statement has some ambiguities. For example, it doesn't explicitly include the high-bit-set chars %x80-FF, though apparently many have assumed it does.

Right, but it also defines it as an HTTP Response Header,
and (at the time Lou wrote that spec) all such header fields
forbid CTLs (other than WS) and allowed "Recipients of header
field TEXT containing octets outside the US-ASCII character set
may assume that they represent ISO-8859-1 characters."

Hence, it does say exactly the production that I suggested,
if you know the context, and well-written implementations
generally do exclude %x00-20, ";", ",", and %x7E when
processing what looks to be a Netscape-style cookie.

....Roy