Re: [http-state] Ticket 11: Character encoding for non-ASCII cookies values

"Roy T. Fielding" <fielding@gbiv.com> Wed, 03 March 2010 01:08 UTC

Return-Path: <fielding@gbiv.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 223853A89F9 for <http-state@core3.amsl.com>; Tue, 2 Mar 2010 17:08:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pnfVI+Ngj7fi for <http-state@core3.amsl.com>; Tue, 2 Mar 2010 17:08:24 -0800 (PST)
Received: from spaceymail-a2.g.dreamhost.com (caibbdcaaaaf.dreamhost.com [208.113.200.5]) by core3.amsl.com (Postfix) with ESMTP id 7A0193A887E for <http-state@ietf.org>; Tue, 2 Mar 2010 17:08:24 -0800 (PST)
Received: from rtf.corp.day.com (wsip-98-189-13-228.oc.oc.cox.net [98.189.13.228]) by spaceymail-a2.g.dreamhost.com (Postfix) with ESMTP id 9AB95EE3A4; Tue, 2 Mar 2010 17:08:25 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset=us-ascii
From: "Roy T. Fielding" <fielding@gbiv.com>
In-Reply-To: <5c4444771003021624qc0b00cet27e348cb6d023b08@mail.gmail.com>
Date: Tue, 2 Mar 2010 17:08:24 -0800
Content-Transfer-Encoding: 7bit
Message-Id: <4BF4ABE3-7699-4D75-9E3C-48871CBA13E8@gbiv.com>
References: <5c4444771003021624qc0b00cet27e348cb6d023b08@mail.gmail.com>
To: Adam Barth <ietf@adambarth.com>
X-Mailer: Apple Mail (2.1077)
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Ticket 11: Character encoding for non-ASCII cookies values
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2010 01:08:25 -0000

On Mar 2, 2010, at 4:24 PM, Adam Barth wrote:

> The draft treats the cookie values as opaque octets throughout for use
> on the wire.  I've added a SHOULD-level requirement to use a UTF8 when
> converting the octets to characters (e.g., for use in the user agent's
> user interface).
> 
> Given that the encoding issue doesn't appear to affect
> interoperability on the wire, I think a SHOULD-level recommendation is
> appropriate here.  If specific APIs (e.g., document.cookie) have more
> specific needs, they can add additional requirements.
> 
> Thoughts?

I think that is fine if it is made clear that UTF-8 is only applicable
after the field value is extracted from the rest of the message.  I.e.,
the HTTP parser must be ASCII-based and thus not vulnerable to
invalid Unicode byte sequences.

....Roy