[http-state] Netscape Cookie spec allowed chars
=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 23 February 2011 23:03 UTC
Roy said..
>
> Therefore, I would like you to change the ABNF so that it
> reflects the reality of (Set-)Cookie usage on the Internet,
> ...
> Changing it to
>
>    cookie-value = %x21-2B / %x2D-3A / %x3C-7E / %x80-FF
>
> or just the minimum
>
>    cookie-value = %x21-2B / %x2D-3A / %x3C-7E
>
> returns the definition to the original Netscape spec (at
> least in the first case)

Just so we all know for sure what the paraphrased (above) primary source actually says, here's the as-is spec being cited and a brief analysis of what it means...

[NSCP-COOKIE] "PERSISTENT CLIENT STATE HTTP COOKIES
Preliminary Specification - Use with caution"...
<http://web.archive.org/web/20020803110822/http://wp.netscape.com/newsref/std/cookie_spec.html>

###
Syntax of the Set-Cookie HTTP Response Header

This is the format a CGI script would use to add to the HTTP headers a new piece of data which is to be stored by the client for later retrieval.

    Set-Cookie: NAME=VALUE; expires=DATE;
    path=PATH; domain=DOMAIN_NAME; secure

NAME=VALUE
    This string is a sequence of characters excluding semi-colon, comma and white space. If there is a need to place such data in the name or value, some encoding method such as URL style %XX encoding is recommended, though no encoding is defined or required.

    This is the only required attribute on the Set-Cookie header.
###

Operative statement from the above quote..

    "..characters excluding semi-colon, comma and white space."

(note also that the text above is only explicitly referring to the "NAME=VALUE" production; it apparently has been commonly interpreted as referring to the entire value string of the "Set-Cookie" HTTP response header; note also that it apparently assumes "characters" means "octets", and when it says "whitespace" it is meaning the set of chars from the ASCII charset typically referred to as that (although that isn't necessarily a rigidly defined set [WS]))

As noted in the table below, the above operative statement has some ambiguities. For example, it doesn't explicitly include the high-bit-set chars %x80-FF, though apparently many have assumed it does.

    ----------------------------------------
         Original Netscape Cookie spec
              Allowed Characters
             ( [ASCII] (assumed) )
    ----------------------------------------
      Decimal    Hex      Symbol(s)
    ----------------------------------------
    ; %x00-20    -- non-printing control chars (excluded ?)
    ;               and whitespace ( BS, HT, LF, VT, FF, CR, SP
    ;               all excluded ? correct list of
    ;               "whitespace" chars as assumed by
    ;               [NSCP-COOKIE] authors ? )
    ; %x21-2B:
      33-43      21-2B    ! " # $ % & ' ( ) * +
    ; 44         2C       ,    (excluded)
    ; %x2D-3A:
      45-47      2D-2F    - . /
      48-57      30-39    0 - 9
      58         3A       :
    ; 59         3B       ;    (excluded)
    ; %x3C-7E:
      60-64      3C-40    < = > ? @
      65-90      41-5A    A-Z
      91-96      5B-60    [ \ ] ^ _ `
      97-122     61-7A    a-z
      123-126    7B-7E    { | } ~
    ; 127        7F       DEL  (excluded ?)
    ; %x80-FF:
      128-256    80-FF    high-bit-set chars (included ?)

See also:

[ASCII] ASCII (American Standard Code for Information Interchange) Code
        http://www.december.com/html/spec/asciiall.html

[WS]    Whitespace character
        https://secure.wikimedia.org/wikipedia/en/wiki/Whitespace_character

---
end
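
An added example, not part of the original message or of any cookie specification: it expands the two cookie-value productions quoted above into octet sets and reports which octets of a value each one excludes, making the comma, semicolon, whitespace, DEL and high-bit cases from the table concrete. The function names and sample values are constructed for illustration.

```python
import re

# The two candidate cookie-value productions quoted in the message above.
ABNF_WITH_HIGH_BIT = "%x21-2B / %x2D-3A / %x3C-7E / %x80-FF"
ABNF_MINIMUM = "%x21-2B / %x2D-3A / %x3C-7E"

_TERM = re.compile(r"%x([0-9A-Fa-f]{2})(?:-([0-9A-Fa-f]{2}))?")


def allowed_octets(abnf):
    """Expand an alternation of %xNN / %xNN-MM terms into a set of octets."""
    octets = set()
    for term in abnf.split("/"):
        match = _TERM.fullmatch(term.strip())
        if match is None:
            raise ValueError(f"unsupported ABNF term: {term!r}")
        low = int(match.group(1), 16)
        high = int(match.group(2), 16) if match.group(2) else low
        octets.update(range(low, high + 1))
    return frozenset(octets)


def rejected_octets(value, abnf):
    """Return (offset, octet) pairs of value that the production excludes."""
    allowed = allowed_octets(abnf)
    return [(i, b) for i, b in enumerate(value) if b not in allowed]


def classify(value):
    """Say which of the two productions accept every octet of value."""
    if not rejected_octets(value, ABNF_MINIMUM):
        return "both"
    if not rejected_octets(value, ABNF_WITH_HIGH_BIT):
        return "high-bit-only"
    return "neither"


# Constructed sample values (not taken from real traffic).
SAMPLES = [b"abc123", b"a=b:c", b"caf\xe9", b"a,b", b"a;b", b"a b", b"a\x7fb"]

if __name__ == "__main__":
    for sample in SAMPLES:
        bad = [f"{i}:0x{b:02X}" for i, b in rejected_octets(sample, ABNF_MINIMUM)]
        print(f"{sample!r:12} {classify(sample):14} rejected by minimum: {bad}")
```

A value classified as "high-bit-only" is one that two parsers built from the two productions would treat differently, which is the case the "(included ?)" row of the table leaves open.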