[http-state] Netscape Cookie spec allowed chars

=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 23 February 2011 23:03 UTC

Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BF9A53A6920 for <http-state@core3.amsl.com>; Wed, 23 Feb 2011 15:03:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.432
X-Spam-Level:
X-Spam-Status: No, score=-102.432 tagged_above=-999 required=5 tests=[AWL=0.167, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qMYbvkvEz+Ec for <http-state@core3.amsl.com>; Wed, 23 Feb 2011 15:03:01 -0800 (PST)
Received: from oproxy1-pub.bluehost.com (oproxy1-pub.bluehost.com [66.147.249.253]) by core3.amsl.com (Postfix) with SMTP id F11D03A688E for <http-state@ietf.org>; Wed, 23 Feb 2011 15:02:59 -0800 (PST)
Received: (qmail 19606 invoked by uid 0); 23 Feb 2011 23:03:48 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy1.bluehost.com.bluehost.com with SMTP; 23 Feb 2011 23:03:47 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=OeaBoYYyTFPr+Qz+6uea5SQaXVJkFuZsQGTDL1KTM8KaOJr08X/prLoTmcFdqKfZ93OosXP/3xg+D2eTkJtpzZA+HlnFbB1CvmnTD+NdEWB0bowqoHy43hKXtRHNSNKe;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.137.169]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1PsNkJ-0002MT-GV for http-state@ietf.org; Wed, 23 Feb 2011 16:03:47 -0700
Message-ID: <4D659252.3090407@KingsMountain.com>
Date: Wed, 23 Feb 2011 15:03:46 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101208 Thunderbird/3.1.7
MIME-Version: 1.0
To: IETF HTTP State WG <http-state@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: [http-state] Netscape Cookie spec allowed chars
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Feb 2011 23:03:02 -0000

Roy said..
 >
 > Therefore, I would like you to change the ABNF so that it
 > reflects the reality of (Set-)Cookie usage on the Internet,
 > ...
 >  Changing it to
 >
 >  cookie-value      = %x21-2B / %x2D-3A / %x3C-7E / %x80-FF
 >
 > or just the minimum
 >
 >  cookie-value      = %x21-2B / %x2D-3A / %x3C-7E
 >
 > returns the definition to the original Netscape spec (at
 > least in the first case)


Just so we all know for sure what the paraphrased (above) primary source 
actually says, here's the as-is spec being cited and a brief analysis of what 
it means...


[NSCP-COOKIE] "PERSISTENT CLIENT STATE HTTP COOKIES
Preliminary Specification - Use with caution"...
<http://web.archive.org/web/20020803110822/http://wp.netscape.com/newsref/std/cookie_spec.html> 


###
   Syntax of the Set-Cookie HTTP Response Header

     This is the format a CGI script would use to add to the HTTP
     headers a new piece of data which is to be stored by the client
     for later retrieval.

     Set-Cookie: NAME=VALUE; expires=DATE;
     path=PATH; domain=DOMAIN_NAME; secure

     NAME=VALUE
           This string is a sequence of characters excluding semi-colon,
           comma and white space. If there is a need to place such data
           in the name or value, some encoding method such as URL style
           %XX encoding is recommended, though no encoding is defined or
           required.

           This is the only required attribute on the Set-Cookie header.
###

Operative statement from the above quote..

"..characters excluding semi-colon, comma and white space."

(note also that the text above is only explicitly referring to the "NAME=VALUE" 
production; it apparently has been commonly interpreted as referring to the 
entire value string of the "Set-Cookie" HTTP response header; note also that it 
apparently assumes "characters" means "octets", and when it says "whitespace" 
it is meaning the set of chars from the ASCII charset typically referred to as 
that (although that isn't necessarily a rigidly defined set [WS]))


As noted in the table below, the above operative statement has some 
ambiguities. For example, it doesn't explicitly include the high-bit-set chars 
%x80-FF, though apparently many have assumed it does.


----------------------------------------
Original Netscape Cookie spec
Allowed Characters ( [ASCII] (assumed) )
----------------------------------------
Decimal	    Hex       Symbol(s)
----------------------------------------

; %x00-20 -- non-printing control chars (excluded ?)
;            and whitespace ( BS, HT, LF, VT, FF, CR, SP
;                             all excluded ? correct list of
;                             "whitespace" chars as assumed by
;                             [NSCP-COOKIE] authors ? )

;  %x21-2B:

33-43       21-2B       ! " # $ % & ' ( ) * +


; 44          2C          , (excluded)

;  %x2D-3A:

45-47       2D-2F       - . /

48-57       30-39       0 - 9

58          3A          :

; 59          3B          ; (excluded)

;  %x3C-7E:

60-64       3C-40       < = > ? @

65-90       41-5A       A-Z

91-96       5B-60       [ \ ] ^ _ `

97-122      61-7A       a-z

123-126     7B-7E       { | } ~


; 127         7F        DEL  (excluded ?)

;  %x80-FF:

128-256     80-FF       high-bit-set chars  (included ?)


See also:

[ASCII]  ASCII (American Standard Code for Information Interchange) Code
          http://www.december.com/html/spec/asciiall.html

[WS]     Whitespace character
          https://secure.wikimedia.org/wikipedia/en/wiki/Whitespace_character


---
end