Re: [http-state] Is this an omission in the parser rules of draft-ietf-httpstate-cookie-21?

"Roy T. Fielding" <> Fri, 04 February 2011 19:22 UTC

On Feb 4, 2011, at 10:51 AM, Adam Barth wrote:

> On Fri, Feb 4, 2011 at 10:47 AM, Remy Lebeau <> wrote:
>> -------- Original Message --------
>> Subject: Re: [http-state] Is this an omission in the parser rules of
>> draft-ietf-httpstate-cookie-21?
>> From: Adam Barth
>> Date: Fri, February 04, 2011 10:19 am
>> To: Remy Lebeau
>> Cc:
>>> The draft gives user agents precise
>>> instructions for how to parse all
>>> manner of cookies, including cookies with
>>> values that contain quote characters. That
>>> information is contained in Section 5
>> I have re-read Section 5 and I do not see its grammar or parsing rules
>> accounting for quoted-string values at all. It only says to remove WSP
>> characters surrounding extracted names and values, and quote characters
>> are not part of the WSP definition. So what am I missing? Where exactly
>> does it say how to unquote a quoted-string used in attribute values?
> Precisely.  It does not say to unquote a quoted-string because that's
> not how cookies work.  The role of the quote character in cookies is
> identical to the role of the "!" character.  That is, neither plays a
> special role in the protocol.  Any representations to the contrary by
> 2109 or any other document are fiction and have only caused pain and
> misery in the world.

That may be, but the grammar for server generation of set-cookie
values is clearly wrong because use of DQUOTE in cookie values is
common (roughly 10% of the values in my browser cookie store) and
previously defined, even if we consider DQUOTE to be part of the
value string.  Let's just change the generating grammar for value to
match how cookies are actually parsed and only exclude characters
that are known to cause failures.
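
The parsing behaviour discussed in this thread (split out the name and value, trim surrounding WSP, never unquote), set beside a parser that strips DQUOTE as a quoted-string delimiter, as an added example that is not part of the original message or of the draft. The function names and sample headers are constructed for illustration, and the handling of a missing "=" or an empty name is an assumption.

```python
WSP = " \t"  # ABNF WSP: space and horizontal tab; DQUOTE is not part of it


def parse_pair_literal(set_cookie_string):
    """Extract name/value as the thread describes: split, trim WSP, never unquote."""
    pair = set_cookie_string.split(";", 1)[0]  # first ";" ends the pair, quoted or not
    if "=" not in pair:
        return None  # assumption: a pair without "=" is ignored
    name, value = pair.split("=", 1)
    name, value = name.strip(WSP), value.strip(WSP)
    if not name:
        return None  # assumption: an empty name is ignored
    return name, value


def parse_pair_unquoting(set_cookie_string):
    """Hypothetical parser that treats a DQUOTE-wrapped value as a quoted-string."""
    parsed = parse_pair_literal(set_cookie_string)
    if parsed is None:
        return None
    name, value = parsed
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return name, value


def disagreements(headers):
    """Return (header, literal, unquoted) for headers the two parsers read differently."""
    found = []
    for header in headers:
        literal = parse_pair_literal(header)
        unquoted = parse_pair_unquoting(header)
        if literal != unquoted:
            found.append((header, literal, unquoted))
    return found


# Constructed sample Set-Cookie values (not taken from the thread).
SAMPLES = [
    'sid=abc123; Path=/',
    'pref="dark mode"; Path=/',
    ' token = "a=b" ; HttpOnly',
    'q="a;b"; Path=/',  # DQUOTE does not protect the ";" inside it
    'novalue',
]

if __name__ == "__main__":
    for header, literal, unquoted in disagreements(SAMPLES):
        print(f"{header!r}: literal={literal} unquoting={unquoted}")
```

Any header reported by `disagreements` is one where a component that unquotes and a component that does not would store different cookie values for the same response.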