Re: [http-state] parser rules of draft-ietf-httpstate-cookie-22

Peter Saint-Andre <stpeter@stpeter.im> Thu, 24 February 2011 22:40 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E0F0B3A6867 for <http-state@core3.amsl.com>; Thu, 24 Feb 2011 14:40:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.636
X-Spam-Level:
X-Spam-Status: No, score=-102.636 tagged_above=-999 required=5 tests=[AWL=-0.037, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m3RBPvEuFLav for <http-state@core3.amsl.com>; Thu, 24 Feb 2011 14:40:47 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 8E64C3A67F1 for <http-state@ietf.org>; Thu, 24 Feb 2011 14:40:47 -0800 (PST)
Received: from dhcp-64-101-72-185.cisco.com (dhcp-64-101-72-185.cisco.com [64.101.72.185]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id BA0404011B; Thu, 24 Feb 2011 16:00:29 -0700 (MST)
Message-ID: <4D66DEA0.8050704@stpeter.im>
Date: Thu, 24 Feb 2011 15:41:36 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <20110204184735.26023.qmail@mm01.prod.mesa1.secureserver.net> <49225418-A1AF-4299-8C4F-2E608D34265D@gbiv.com> <AANLkTimrJF3LFR4t4j=U2L33kFh+wf-R=sjjwexcmyPi@mail.gmail.com> <26240DE2-4DD3-4863-81B1-635D34BA4AE4@gbiv.com> <AANLkTikzB=VORtn7xiG2JY8ymTjk4epC9huZTC-s0nzq@mail.gmail.com> <4D5AEE94.6010303@gmx.de> <AANLkTimkmZ99qDcXB6=-PGtXq6WQ7+RSreRwsBAHryEj@mail.gmail.com> <DA7A626A-9613-4A49-8A46-8096F7F465B4@gbiv.com> <AANLkTi=aX26NgDx3J0zk6a6H-Fg-9hyuBhfwvVW5nBiH@mail.gmail.com> <AANLkTinnySHEXvaQSxoUAKNaPWThDWdJwnhvCdVfa5Vr@mail.gmail.com> <1E7DE6DF-864A-48AF-B9A3-698DEF4B3B2D@gbiv.com> <4D6590F4.6010505@stpeter.im> <94DA5CF6-88AB-43BD-99AE-921BCA98C7A3@gbiv.com> <AANLkTikxOBCgiAwvg3z2DwyHtJXhTK1=6ipTo16csKr9@mail.gmail.com> <4D66C718.3000300@stpeter.im> <AANLkTim18Lu-_8+OB_oXyRK_x6aPV++m2=ZgnahNSLvK@mail.gmail.com> <D2187615-4E0C-4C3B-B5C7-A0A8CCD9FA0F@gbiv.com> <AANLkTimSTYBD7Qx9G-hS7fSFGWj3_s6JJiih4ZXLDmDC@mail.gmail.com>
In-Reply-To: <AANLkTimSTYBD7Qx9G-hS7fSFGWj3_s6JJiih4ZXLDmDC@mail.gmail.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms060308070107030003010000"
Cc: "Roy T. Fielding" <fielding@gbiv.com>, http-state State WG <http-state@ietf.org>
Subject: Re: [http-state] parser rules of draft-ietf-httpstate-cookie-22
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2011 22:40:49 -0000

On 2/24/11 3:29 PM, Adam Barth wrote:
> On Thu, Feb 24, 2011 at 2:21 PM, Roy T. Fielding <fielding@gbiv.com>; wrote:
>> On Feb 24, 2011, at 1:50 PM, Adam Barth wrote:
>>> On Thu, Feb 24, 2011 at 1:31 PM, Roy T. Fielding <fielding@gbiv.com>; wrote:
>>>> If we would like to limit the use of DQUOTE to how it was limited
>>>> in prior RFCs (matching outer pair), then I suggest
>>>>
>>>>  cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
>>>>  cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-7E
>>>>
>>>> since that does cover all current usage that I am aware of and
>>>> doesn't allow for odd usages of DQUOTE that might be misinterpreted
>>>> by parsers that did not implement the Netscape spec but did
>>>> implement one of the RFCs.
>>>
>>> DQUOTE is a cargo cult.  Matching DQUOTEs, as above, are less
>>> problematic although they do have interoperability problems.  For
>>> example, some user agents will incorrectly parse
>>>
>>> Set-Cookie: foo="bar\"; Secure
>>>
>>> (allowed by the grammar above) and will not interpret this header as
>>> containing a Secure cookie.  If you insist on DQUOTE, we'll probably
>>> be better off excluding %x5C from cookie-octet.
>>
>> Right, that's because the RFCs allowed backslash quoting by referring
>> to the quoted-string production of HTTP.  Given the choice, I'd rather
>> lose backslash than DQUOTE.  I haven't seen any Windows pathnames
>> included in cookie values and sending such data would be unwise.
>> Excluding %x5C should be okay.
>>
>>  cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
>>  cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
>>                   ; ASCII characters excluding CTLs, whitespace,
>>                   ; DQUOTE, comma, semicolon, and backslash
> 
> Works for me.  Thanks Roy.

In the datatracker, I've updated the RFC Editor note accordingly.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/