IETF Logo Mail Archive

Re: [http-state] nameless valueless cookies, and http vs javascript

Adam Barth <ietf@adambarth.com> Sun, 06 December 2009 02:10 UTC

Return-Path: <adam@adambarth.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 25CCA3A683F for <http-state@core3.amsl.com>; Sat, 5 Dec 2009 18:10:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[AWL=0.067, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vhmXYGfGzWAw for <http-state@core3.amsl.com>; Sat, 5 Dec 2009 18:10:32 -0800 (PST)
Received: from mail-px0-f180.google.com (mail-px0-f180.google.com [209.85.216.180]) by core3.amsl.com (Postfix) with ESMTP id 16D7A3A65A6 for <http-state@ietf.org>; Sat, 5 Dec 2009 18:10:31 -0800 (PST)
Received: by pxi10 with SMTP id 10so986484pxi.31 for <http-state@ietf.org>; Sat, 05 Dec 2009 18:10:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.142.62.34 with SMTP id k34mr581417wfa.258.1260065420064; Sat, 05 Dec 2009 18:10:20 -0800 (PST)
In-Reply-To: <4B1591AB.5050708@gmail.com>
References: <4B1591AB.5050708@gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Sat, 05 Dec 2009 18:10:00 -0800
Message-ID: <7789133a0912051810p3a85f0fctc20bf385e6b2cc07@mail.gmail.com>
To: Dan Winship <dan.winship@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] nameless valueless cookies, and http vs javascript
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Dec 2009 02:10:33 -0000

These are great cases.  Thanks.  (dwitte, there's a question for you
at the bottom.)

On Tue, Dec 1, 2009 at 1:59 PM, Dan Winship <dan.winship@gmail.com> wrote:
> The spec allows for a cookie in Set-Cookie to have both a 0-length name
> and a 0-length value (which can be expressed as either "Set-Cookie: " or
> "Set-Cookie: ="). Later it says that:
>
>   the user agent SHOULD attach exactly one HTTP header named Cookie if
>   the cookie-string (defined below) for that URI is non-empty.
>
> But this is not quite right, because it would imply that if you had an
> "empty" cookie and also some non-empty cookies, that you *would* emit
> the empty cookie as well. Eg:
>
>    test:
>      Set-Cookie: a=b
>      Set-Cookie: =
>      Set-Cookie: c=d
>
>    expected:
>      Cookie: a=b; ; c=d
>
> but Firefox outputs "Cookie: a=b; c=d". Assuming other browsers behave
> the same, we need to add something like "either the cookie name or
> cookie value or both is non-empty" to the cookie-list requirements in
> 5.3 part 1. (And then perhaps change the "cookie-string is non-empty"
> rule to "cookie-list is non-empty".)

Here's how some browser behave:

Test Case 0020:

Set-Cookie: a=b
Set-Cookie: =
Set-Cookie: c=d

Internet Explorer, Firefox, Safari, Opera: a=b; c=d
Chrome: a=b; ; c=d

It seems clear we should do as you suggest and spec the
IE/Firefox/Safari/Opera behavior.  I've add two more tests (0021 and
0022) that show the cookie is elided only when it would be represented
by the empty string.

Given the considerations below, I've left the empty/empty cookie in
the model of the state store, but elided it during serialization.

> Another issue: we test that "Set-Cookie: =" and "Set-Cookie: " don't
> cause cookies to be emitted, but we don't test how they interact with
> previous Set-Cookies. The current rules suggest:
>
>    test:
>      Set-Cookie: foo
>      Set-Cookie:
>
>    expected:
>      (empty)

Now test 0023

> and
>
>    test:
>      Set-Cookie: foo
>      Set-Cookie: =
>
>    expected:
>      (empty)

Now test 0024

> Firefox gives the expected answer on the second one, but gives "Cookie:
> foo" on the first, suggesting that it just completely ignores the blank
> Set-Cookie header.

Here's the compatibility matrix:

0023:
(empty): Internet Explorer, Safari,
foo: Firefox, Chrome

0024:
(empty): Internet Explorer, Firefox, Safari, Chrome

> However, if you do it in JavaScript, you get the
> expected answer either way:
>
>      >>> document.cookie="foo"
>      >>> document.cookie
>      "foo"
>      >>> document.cookie=""
>      >>> document.cookie
>      ""
>
> The fact that this works this way in javascript is intentional
> (https://bugzilla.mozilla.org/show_bug.cgi?id=169091#c16). I'm not sure
> if the different behavior via HTTP is intentional or not.

Interesting.  It's clear we have the right behavior for 0024 because
everyone agrees.  I don't have a strong opinion about what to do with
0023.

dwitte, what do you think?

Adam

v2.23.0 | Report a Bug | By Email