Re: [http-state] Is this an omission in the parser rules of draft-ietf-httpstate-cookie-21?

Peter Saint-Andre <stpeter@stpeter.im> Mon, 14 February 2011 23:41 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 545B93A6DA9 for <http-state@core3.amsl.com>; Mon, 14 Feb 2011 15:41:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jr4KhVxYIjw8 for <http-state@core3.amsl.com>; Mon, 14 Feb 2011 15:41:00 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id AC9543A6D7C for <http-state@ietf.org>; Mon, 14 Feb 2011 15:41:00 -0800 (PST)
Received: from dhcp-64-101-72-185.cisco.com (dhcp-64-101-72-185.cisco.com [64.101.72.185]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 03ECB400F6; Mon, 14 Feb 2011 16:59:22 -0700 (MST)
Message-ID: <4D59BDA3.1070004@stpeter.im>
Date: Mon, 14 Feb 2011 16:41:23 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <20110204184735.26023.qmail@mm01.prod.mesa1.secureserver.net> <AANLkTi=qBVkGwMHqAidtwP5_A8pPrF-Y9MV4jgYS5_QM@mail.gmail.com> <7384878F-C44A-42A4-9694-1BB1C18AA5E6@gbiv.com> <AANLkTinFq7bE_e3SSgdjuFvZ8hGn1xy4Hc1VKwc=vp1D@mail.gmail.com> <4D5489E9.10001@stpeter.im> <AANLkTimSA3gPV7e3hUr-dB5-SPt+SXrb5qShGE-2A3Qw@mail.gmail.com>
In-Reply-To: <AANLkTimSA3gPV7e3hUr-dB5-SPt+SXrb5qShGE-2A3Qw@mail.gmail.com>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms010502070706050908030902"
Cc: http-state@ietf.org
Subject: Re: [http-state] Is this an omission in the parser rules of draft-ietf-httpstate-cookie-21?
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Feb 2011 23:41:02 -0000

On 2/10/11 6:09 PM, Adam Barth wrote:
> On Thu, Feb 10, 2011 at 4:59 PM, Peter Saint-Andre <stpeter@stpeter.im>; wrote:
>> On 2/4/11 12:29 PM, Adam Barth wrote:
>>> On Fri, Feb 4, 2011 at 11:24 AM, Roy T. Fielding <fielding@gbiv.com>; wrote:
>>>> On Feb 4, 2011, at 10:51 AM, Adam Barth wrote:
>>>>> On Fri, Feb 4, 2011 at 10:47 AM, Remy Lebeau <remy@lebeausoftware.org>; wrote:
>>>>>> -------- Original Message --------
>>>>>> Subject: Re: [http-state] Is this an omission in the parser rules of
>>>>>> draft-ietf-httpstate-cookie-21?
>>>>>> From: Adam Barth
>>>>>> Date: Fri, February 04, 2011 10:19 am
>>>>>> To: Remy Lebeau
>>>>>> Cc: http-state@ietf.org
>>>>>>
>>>>>>> The draft gives user agents precise
>>>>>>> instructions for how to parse all
>>>>>>> manner of cookies, including cookies with
>>>>>>> values that contain quote characters. That
>>>>>>> information is contained in Section 5
>>>>>>
>>>>>> I have re-read Section 5 and I do not see its grammar or parsing rules
>>>>>> accounting for quoted-string values at all. It only says to remove WSP
>>>>>> characters surrounding extracted names and values, and quote characters
>>>>>> are not part of the WSP definition. So what am I missing? Where exactly
>>>>>> does it say how to unquote a quoted-string used in attribute values?
>>>>>
>>>>> Precisely.  It does not say to unquote a quoted-string because that's
>>>>> not how cookies work.  The role of the quote character is cookies is
>>>>> identical to the role of the "!" character.  That is, neither play a
>>>>> special role in the protocol.  Any representations by the contrary by
>>>>> 2109 or any other document are fiction and have only caused pain and
>>>>> misery in the world.
>>>>
>>>> That may be, but the grammar for server generation of set-cookie
>>>> values is clearly wrong because use of DQUOTE in cookie values is
>>>> common (roughly 10% of the values in my browser cookie store) and
>>>> previously defined, even if we consider DQUOTE to be part of the
>>>> value string.  Let's just change the generating grammar for value to
>>>> match how cookies are actually parsed and only exclude characters
>>>> that are known to cause failures.
>>>
>>> The grammar is not used for parsing.  Parsing is defined in Section 5,
>>> not Section 4.
>>
>> Right. And I think the revised text in version -21 (with revisions to
>> address the IESG comment from Robert Sparks) makes that fairly clear.
>>
>> Adam, did you propose specific text addressing Dan Winship's original
>> issue about "cookie-value=token"? As far as I can see, that's the only
>> substantive issue raised in this thread, but I admit that I might have
>> missed something.
> 
> Sure:
> 
> diff --git a/drafts/cookie.xml b/drafts/cookie.xml
> index e0a53f3..17cc0a5 100644
> --- a/drafts/cookie.xml
> +++ b/drafts/cookie.xml
> @@ -335,7 +335,8 @@ set-cookie-header = "Set-Cookie:" SP set-cookie-string
>  set-cookie-string = cookie-pair *( ";" SP cookie-av )
>  cookie-pair       = cookie-name "=" cookie-value
>  cookie-name       = token
> -cookie-value      = token / ""
> +cookie-value      = token / *base64-character
> +base64-character  = ALPHA / DIGIT / "+" / "/" / "="
>  token             = <token, defined in [RFC2616], Section 2.2>
> 
>  cookie-av         = expires-av / max-age-av / domain-av /
> @@ -370,7 +371,7 @@ extension-av      = <any CHAR except CTLs or ";">
> 
>            <t>To maximize compatibility with user agents, servers that wish to
>            store arbitrary data in a cookie-value SHOULD encode that data, for
> -          example, using Base 16 <xref target="RFC4648" />.</t>
> +          example, using Base64 <xref target="RFC4648" />.</t>
> 
>            <t>The portions of the set-cookie-string produced by the cookie-av
>            term are known as attributes.  To maximize compatibility with user

WFM, and that seems to capture list discussion.

Adam, I'll follow up with the remaining IESG members this week and
perhaps ask you to submit a revised I-D so we can finish this off. :)

Peter

-- 
Peter Saint-Andre
https://stpeter.im/