Re: [http-state] parser rules of draft-ietf-httpstate-cookie-22
Adam Barth <ietf@adambarth.com> Thu, 24 February 2011 21:50 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3679F3A680D for <http-state@core3.amsl.com>; Thu, 24 Feb 2011 13:50:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.823
X-Spam-Level:
X-Spam-Status: No, score=-2.823 tagged_above=-999 required=5 tests=[AWL=0.154, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m-S3bNIWAkHe for <http-state@core3.amsl.com>; Thu, 24 Feb 2011 13:50:27 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by core3.amsl.com (Postfix) with ESMTP id 9A1C33A6807 for <http-state@ietf.org>; Thu, 24 Feb 2011 13:50:26 -0800 (PST)
Received: by iyj8 with SMTP id 8so616097iyj.31 for <http-state@ietf.org>; Thu, 24 Feb 2011 13:51:17 -0800 (PST)
Received: by 10.231.169.74 with SMTP id x10mr2261441iby.26.1298584276973; Thu, 24 Feb 2011 13:51:16 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id d21sm8787618ibg.9.2011.02.24.13.51.15 (version=SSLv3 cipher=OTHER); Thu, 24 Feb 2011 13:51:16 -0800 (PST)
Received: by iyj8 with SMTP id 8so616069iyj.31 for <http-state@ietf.org>; Thu, 24 Feb 2011 13:51:15 -0800 (PST)
Received: by 10.231.180.30 with SMTP id bs30mr1691718ibb.171.1298584275083; Thu, 24 Feb 2011 13:51:15 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.40.7 with HTTP; Thu, 24 Feb 2011 13:50:44 -0800 (PST)
In-Reply-To: <1CE31B7F-5D95-4CFE-B9A1-FBCC9461E472@gbiv.com>
References: <20110204184735.26023.qmail@mm01.prod.mesa1.secureserver.net> <AANLkTi=qBVkGwMHqAidtwP5_A8pPrF-Y9MV4jgYS5_QM@mail.gmail.com> <7384878F-C44A-42A4-9694-1BB1C18AA5E6@gbiv.com> <AANLkTinFq7bE_e3SSgdjuFvZ8hGn1xy4Hc1VKwc=vp1D@mail.gmail.com> <49225418-A1AF-4299-8C4F-2E608D34265D@gbiv.com> <AANLkTimrJF3LFR4t4j=U2L33kFh+wf-R=sjjwexcmyPi@mail.gmail.com> <26240DE2-4DD3-4863-81B1-635D34BA4AE4@gbiv.com> <AANLkTikzB=VORtn7xiG2JY8ymTjk4epC9huZTC-s0nzq@mail.gmail.com> <4D5AEE94.6010303@gmx.de> <AANLkTimkmZ99qDcXB6=-PGtXq6WQ7+RSreRwsBAHryEj@mail.gmail.com> <DA7A626A-9613-4A49-8A46-8096F7F465B4@gbiv.com> <AANLkTi=aX26NgDx3J0zk6a6H-Fg-9hyuBhfwvVW5nBiH@mail.gmail.com> <AANLkTinnySHEXvaQSxoUAKNaPWThDWdJwnhvCdVfa5Vr@mail.gmail.com> <1E7DE6DF-864A-48AF-B9A3-698DEF4B3B2D@gbiv.com> <4D6590F4.6010505@stpeter.im> <94DA5CF6-88AB-43BD-99AE-921BCA98C7A3@gbiv.com> <AANLkTikxOBCgiAwvg3z2DwyHtJXhTK1=6ipTo16csKr9@mail.gmail.com> <4D66C718.3000300@stpeter.im> <1CE31B7F-5D95-4CFE-B9A1-FBCC9461E472@gbiv.com>
From: Adam Barth <ietf@adambarth.com>
Date: Thu, 24 Feb 2011 13:50:44 -0800
Message-ID: <AANLkTim18Lu-_8+OB_oXyRK_x6aPV++m2=ZgnahNSLvK@mail.gmail.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: iesg@iesg.org, http-state <http-state@ietf.org>
Subject: Re: [http-state] parser rules of draft-ietf-httpstate-cookie-22
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2011 21:50:28 -0000
On Thu, Feb 24, 2011 at 1:31 PM, Roy T. Fielding <fielding@gbiv.com> wrote: > On Feb 24, 2011, at 1:01 PM, Peter Saint-Andre wrote: >> On 2/23/11 10:16 PM, Adam Barth wrote: >>> On Wed, Feb 23, 2011 at 5:01 PM, Roy T. Fielding <fielding@gbiv.com> wrote: >>>> On Feb 23, 2011, at 2:57 PM, Peter Saint-Andre wrote: >>>>> On 2/23/11 3:07 PM, Roy T. Fielding wrote: >>>>> >>>>> <snip/> >>>>> >>>>>> Therefore, I would like you to change the ABNF so that it >>>>>> reflects the reality of (Set-)Cookie usage on the Internet, >>>>>> for the same reason that you have insisted the algorithm >>>>>> for user agent parsing reflects reality. Changing the ABNF >>>>>> to include base64 does not do that -- it is just another >>>>>> fantasy production that differs from all prior specs of >>>>>> the cookie algorithm. Changing it to >>>>>> >>>>>> cookie-value = %x21-2B / %x2D-3A / %x3C-7E / %x80-FF >>>>>> >>>>>> or just the minimum >>>>>> >>>>>> cookie-value = %x21-2B / %x2D-3A / %x3C-7E >>>>> >>>>> Hi Roy, >>>>> >>>>> The latter seems fine, and in conversation with Adam he indicated to me >>>>> that he would not object to such a change. >>>> >>>> Okay by me. >>> >>> One nit: I would exclude %x22 because there are interoperability >>> problems with cookie-values that contain %x22. >> >> So: >> >> cookie-value = %x21 / %x23-2B / %x2D-3A / %x3C-7E >> >> If there are no objections, I'll add an RFC Editor note to that effect. > > There have already been objections -- that is what started this thread. > > %x22 is DQUOTE. I am not aware of any interoperability concerns > with the use of DQUOTE in opaque cookie values, though I can > understand why they might be a concern. However, use of them as > a quoted-string value (where browsers store the DQUOTEs as more > opaque data) is extremely common because the past two RFCs defined > the value as token / quoted-string. > > I just noticed a grammar bug in my suggestion. It should have been > > cookie-value = *( %x21-2B / %x2D-3A / %x3C-7E ) > > If we would like to limit the use of DQUOTE to how it was limited > in prior RFCs (matching outer pair), then I suggest > > cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) > cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-7E > > since that does cover all current usage that I am aware of and > doesn't allow for odd usages of DQUOTE that might be misinterpreted > by parsers that did not implement the Netscape spec but did > implement one of the RFCs. DQUOTE is a cargo cult. Matching DQUOTEs, as above, are less problematic although they do have interoperability problems. For example, some user agents will incorrectly parse Set-Cookie: foo="bar\"; Secure (allowed by the grammar above) and will not interpret this header as containing a Secure cookie. If you insist on DQUOTE, we'll probably be better off excluding %x5C from cookie-octet. On Thu, Feb 24, 2011 at 1:46 PM, Remy Lebeau <remy@lebeausoftware.org> wrote: > My original problem with DQUOTE handling, and is still a concern for me, is that the current draft does not allow the use of DQUOTE around attribute values at all, let alone around cookie values. DQUOTE around attribute values is common to see because it is part of RFC 2109, and it cannot be treated as opaque data like it can in cookie values. The grammer rules for parsing attributes must allow for recognizing and removing DQUOTE when extracting attribute values. Based on data about how cookies are used on the Internet and studying the behavior of existing user agents, we need only tolerate DQUOTE in the Expires attribute, which the current draft does. In no case is it advantageous for a server to send DQUOTE. Adam
- Re: [http-state] Is this an omission in the parse… Remy Lebeau
- [http-state] Is this an omission in the parser ru… Remy Lebeau
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Remy Lebeau
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Julian Reschke
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Remy Lebeau
- Re: [http-state] Is this an omission in the parse… Remy Lebeau
- Re: [http-state] Is this an omission in the parse… Remy Lebeau
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Roy T. Fielding
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Remy Lebeau
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Remy Lebeau
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Remy Lebeau
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Peter Saint-Andre
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Peter Saint-Andre
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Roy T. Fielding
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Roy T. Fielding
- Re: [http-state] Is this an omission in the parse… Julian Reschke
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Julian Reschke
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Roy T. Fielding
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Adam Barth
- Re: [http-state] Is this an omission in the parse… Remy Lebeau
- Re: [http-state] Is this an omission in the parse… Dan Winship
- Re: [http-state] Is this an omission in the parse… Remy Lebeau
- [http-state] parser rules of draft-ietf-httpstate… Roy T. Fielding
- Re: [http-state] parser rules of draft-ietf-https… Peter Saint-Andre
- Re: [http-state] parser rules of draft-ietf-https… Roy T. Fielding
- Re: [http-state] parser rules of draft-ietf-https… Adam Barth
- Re: [http-state] parser rules of draft-ietf-https… Peter Saint-Andre
- Re: [http-state] parser rules of draft-ietf-https… Roy T. Fielding
- Re: [http-state] parser rules of draft-ietf-https… Remy Lebeau
- Re: [http-state] parser rules of draft-ietf-https… Adam Barth
- Re: [http-state] parser rules of draft-ietf-https… Roy T. Fielding
- Re: [http-state] parser rules of draft-ietf-https… Adam Barth
- Re: [http-state] parser rules of draft-ietf-https… Dan Winship
- Re: [http-state] parser rules of draft-ietf-https… Adam Barth
- Re: [http-state] parser rules of draft-ietf-https… Peter Saint-Andre