Re: [http-state] parser rules of draft-ietf-httpstate-cookie-22

Adam Barth <ietf@adambarth.com> Thu, 24 February 2011 21:50 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3679F3A680D for <http-state@core3.amsl.com>; Thu, 24 Feb 2011 13:50:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.823
X-Spam-Level:
X-Spam-Status: No, score=-2.823 tagged_above=-999 required=5 tests=[AWL=0.154, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m-S3bNIWAkHe for <http-state@core3.amsl.com>; Thu, 24 Feb 2011 13:50:27 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by core3.amsl.com (Postfix) with ESMTP id 9A1C33A6807 for <http-state@ietf.org>; Thu, 24 Feb 2011 13:50:26 -0800 (PST)
Received: by iyj8 with SMTP id 8so616097iyj.31 for <http-state@ietf.org>; Thu, 24 Feb 2011 13:51:17 -0800 (PST)
Received: by 10.231.169.74 with SMTP id x10mr2261441iby.26.1298584276973; Thu, 24 Feb 2011 13:51:16 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id d21sm8787618ibg.9.2011.02.24.13.51.15 (version=SSLv3 cipher=OTHER); Thu, 24 Feb 2011 13:51:16 -0800 (PST)
Received: by iyj8 with SMTP id 8so616069iyj.31 for <http-state@ietf.org>; Thu, 24 Feb 2011 13:51:15 -0800 (PST)
Received: by 10.231.180.30 with SMTP id bs30mr1691718ibb.171.1298584275083; Thu, 24 Feb 2011 13:51:15 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.40.7 with HTTP; Thu, 24 Feb 2011 13:50:44 -0800 (PST)
In-Reply-To: <1CE31B7F-5D95-4CFE-B9A1-FBCC9461E472@gbiv.com>
References: <20110204184735.26023.qmail@mm01.prod.mesa1.secureserver.net> <AANLkTi=qBVkGwMHqAidtwP5_A8pPrF-Y9MV4jgYS5_QM@mail.gmail.com> <7384878F-C44A-42A4-9694-1BB1C18AA5E6@gbiv.com> <AANLkTinFq7bE_e3SSgdjuFvZ8hGn1xy4Hc1VKwc=vp1D@mail.gmail.com> <49225418-A1AF-4299-8C4F-2E608D34265D@gbiv.com> <AANLkTimrJF3LFR4t4j=U2L33kFh+wf-R=sjjwexcmyPi@mail.gmail.com> <26240DE2-4DD3-4863-81B1-635D34BA4AE4@gbiv.com> <AANLkTikzB=VORtn7xiG2JY8ymTjk4epC9huZTC-s0nzq@mail.gmail.com> <4D5AEE94.6010303@gmx.de> <AANLkTimkmZ99qDcXB6=-PGtXq6WQ7+RSreRwsBAHryEj@mail.gmail.com> <DA7A626A-9613-4A49-8A46-8096F7F465B4@gbiv.com> <AANLkTi=aX26NgDx3J0zk6a6H-Fg-9hyuBhfwvVW5nBiH@mail.gmail.com> <AANLkTinnySHEXvaQSxoUAKNaPWThDWdJwnhvCdVfa5Vr@mail.gmail.com> <1E7DE6DF-864A-48AF-B9A3-698DEF4B3B2D@gbiv.com> <4D6590F4.6010505@stpeter.im> <94DA5CF6-88AB-43BD-99AE-921BCA98C7A3@gbiv.com> <AANLkTikxOBCgiAwvg3z2DwyHtJXhTK1=6ipTo16csKr9@mail.gmail.com> <4D66C718.3000300@stpeter.im> <1CE31B7F-5D95-4CFE-B9A1-FBCC9461E472@gbiv.com>
From: Adam Barth <ietf@adambarth.com>
Date: Thu, 24 Feb 2011 13:50:44 -0800
Message-ID: <AANLkTim18Lu-_8+OB_oXyRK_x6aPV++m2=ZgnahNSLvK@mail.gmail.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: iesg@iesg.org, http-state <http-state@ietf.org>
Subject: Re: [http-state] parser rules of draft-ietf-httpstate-cookie-22
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2011 21:50:28 -0000

On Thu, Feb 24, 2011 at 1:31 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> On Feb 24, 2011, at 1:01 PM, Peter Saint-Andre wrote:
>> On 2/23/11 10:16 PM, Adam Barth wrote:
>>> On Wed, Feb 23, 2011 at 5:01 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>>>> On Feb 23, 2011, at 2:57 PM, Peter Saint-Andre wrote:
>>>>> On 2/23/11 3:07 PM, Roy T. Fielding wrote:
>>>>>
>>>>> <snip/>
>>>>>
>>>>>> Therefore, I would like you to change the ABNF so that it
>>>>>> reflects the reality of (Set-)Cookie usage on the Internet,
>>>>>> for the same reason that you have insisted the algorithm
>>>>>> for user agent parsing reflects reality.  Changing the ABNF
>>>>>> to include base64 does not do that -- it is just another
>>>>>> fantasy production that differs from all prior specs of
>>>>>> the cookie algorithm.  Changing it to
>>>>>>
>>>>>> cookie-value      = %x21-2B / %x2D-3A / %x3C-7E / %x80-FF
>>>>>>
>>>>>> or just the minimum
>>>>>>
>>>>>> cookie-value      = %x21-2B / %x2D-3A / %x3C-7E
>>>>>
>>>>> Hi Roy,
>>>>>
>>>>> The latter seems fine, and in conversation with Adam he indicated to me
>>>>> that he would not object to such a change.
>>>>
>>>> Okay by me.
>>>
>>> One nit: I would exclude %x22 because there are interoperability
>>> problems with cookie-values that contain %x22.
>>
>> So:
>>
>> cookie-value    = %x21 / %x23-2B / %x2D-3A / %x3C-7E
>>
>> If there are no objections, I'll add an RFC Editor note to that effect.
>
> There have already been objections -- that is what started this thread.
>
> %x22 is DQUOTE.  I am not aware of any interoperability concerns
> with the use of DQUOTE in opaque cookie values, though I can
> understand why they might be a concern.  However, use of them as
> a quoted-string value (where browsers store the DQUOTEs as more
> opaque data) is extremely common because the past two RFCs defined
> the value as token / quoted-string.
>
> I just noticed a grammar bug in my suggestion. It should have been
>
>  cookie-value      = *( %x21-2B / %x2D-3A / %x3C-7E )
>
> If we would like to limit the use of DQUOTE to how it was limited
> in prior RFCs (matching outer pair), then I suggest
>
>  cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
>  cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-7E
>
> since that does cover all current usage that I am aware of and
> doesn't allow for odd usages of DQUOTE that might be misinterpreted
> by parsers that did not implement the Netscape spec but did
> implement one of the RFCs.

DQUOTE is a cargo cult.  Matching DQUOTEs, as above, are less
problematic although they do have interoperability problems.  For
example, some user agents will incorrectly parse

Set-Cookie: foo="bar\"; Secure

(allowed by the grammar above) and will not interpret this header as
containing a Secure cookie.  If you insist on DQUOTE, we'll probably
be better off excluding %x5C from cookie-octet.

On Thu, Feb 24, 2011 at 1:46 PM, Remy Lebeau <remy@lebeausoftware.org> wrote:
> My original problem with DQUOTE handling, and is still a concern for me, is that the current draft does not allow the use of DQUOTE around attribute values at all, let alone around cookie values. DQUOTE around attribute values is common to see because it is part of RFC 2109, and it cannot be treated as opaque data like it can in cookie values. The grammer rules for parsing attributes must allow for recognizing and removing DQUOTE when extracting attribute values.

Based on data about how cookies are used on the Internet and studying
the behavior of existing user agents, we need only tolerate DQUOTE in
the Expires attribute, which the current draft does.  In no case is it
advantageous for a server to send DQUOTE.

Adam