Re: [http-state] Support of nameless cookies by user agents

Maciej Stachowiak <mjs@apple.com> Wed, 16 December 2009 06:59 UTC

From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <677B2D59-5B68-4D8B-978A-F6FE7A834C75@apple.com>
Date: Tue, 15 Dec 2009 22:58:44 -0800
Message-id: <9B4613BE-C07E-4B61-A4D8-2B81D7D9D07E@apple.com>
References: <7789133a0912152234w3d00f382t5bd22aab97abbb4@mail.gmail.com> <677B2D59-5B68-4D8B-978A-F6FE7A834C75@apple.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, http-state <http-state@ietf.org>
Subject: Re: [http-state] Support of nameless cookies by user agents

On Dec 15, 2009, at 10:45 PM, Maciej Stachowiak wrote:

>
> On Dec 15, 2009, at 10:34 PM, Adam Barth wrote:
>
>> I'd like to apologize to Roy.  I was mistaken about which user agents
>> support nameless cookies.  That was one of the first tests I wrote and
>> I misremembered the results.  Here's the compatibility matrix:
>>
>> Test 004: Set-Cookie: foo
>>
>> IE8, Firefox, Chrome: Cookie: foo
>> Safari, cURL: (no header)
>> Opera: Cookie: foo=
>>
>> I've added a TODO to the draft.
>
>
> This agrees with my testing. And from script (not fully relevant to
> the protocol, but perhaps of interest), document.cookie="foo"
> creates a cookie named "foo" with an empty value, rather than a
> nameless cookie, while document.cookie="" does nothing, so we would
> have been hit by the Mozilla bankofamerica bug cited earlier.

Side note: here is the bug where we added support for cookies without
an = sign, implementing them as valueless rather than nameless,
working around the lower level library:

https://bugs.webkit.org/show_bug.cgi?id=6531

The nature of the workaround means that cookies with no equal sign are
only supported in script, not on the wire, but if you set one in
script it will get sent in outgoing Cookie headers.

We have an internal bug to track adding support at the protocol level.

I was not able to find a bug (either in the bug system or internal)
that could be readily identified as needing nameless cookies to be
treated nameless instead of valueless. However, it is possible we have
a site compatibility bug that is in fact about that issue, but no one
has yet diagnosed it.

Regards,
Maciej
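The compatibility matrix and the document.cookie behaviour discussed in this thread, modelled as an added example (not code from the thread, from WebKit, or from any browser named above); the policy names, the cookie-jar format and the "foo=" serialization of a valueless cookie are this example's own assumptions, chosen to reproduce the observed Cookie headers.

```javascript
// Added example: how a user agent might handle a Set-Cookie value whose
// first pair has no "=" sign, under the three behaviours visible in the
// compatibility matrix. Policy names are this example's own:
//   "nameless"  - name "",    value "foo"  (IE8, Firefox, Chrome: "Cookie: foo")
//   "valueless" - name "foo", value ""     (Opera: "Cookie: foo=")
//   "reject"    - cookie dropped           (Safari, cURL: no header)
// The same wire bytes can therefore land in the jar under a different name,
// which matters when a server later reads a cookie back by name.
function parseSetCookie(headerValue, policy) {
  const pair = headerValue.split(";")[0].trim(); // ignore attributes for brevity
  const eq = pair.indexOf("=");
  if (eq === -1) {
    if (policy === "nameless") return { name: "", value: pair };
    if (policy === "valueless") return { name: pair, value: "" };
    return null; // "reject": nothing stored, nothing sent
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// Serialize a jar into a Cookie request header, or null when the jar is empty.
// A nameless cookie is sent as its bare value, matching the matrix.
function cookieHeader(cookies) {
  const parts = cookies.map(c => (c.name === "" ? c.value : `${c.name}=${c.value}`));
  return parts.length ? `Cookie: ${parts.join("; ")}` : null;
}

// Round-trip a single Set-Cookie value under one policy.
function roundTrip(setCookieValue, policy) {
  const c = parseSetCookie(setCookieValue, policy);
  return cookieHeader(c ? [c] : []);
}

// Model of the script-side behaviour described in the reply:
// document.cookie = "foo" creates a cookie named "foo" with an empty value,
// and document.cookie = "" does nothing. Returns the updated jar.
function scriptSetCookie(jar, str) {
  const pair = str.split(";")[0].trim();
  if (pair === "") return jar;
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const value = eq === -1 ? "" : pair.slice(eq + 1).trim();
  return [...jar.filter(c => c.name !== name), { name, value }];
}
```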