Re: [http-state] non-ASCII cookie values (was Re: Closing Ticket 3: Public Suffixes)

Maciej Stachowiak <> Wed, 03 February 2010 00:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C94723A680F for <>; Tue, 2 Feb 2010 16:26:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -106.588
X-Spam-Status: No, score=-106.588 tagged_above=-999 required=5 tests=[AWL=0.011, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1zCqW0P9msKr for <>; Tue, 2 Feb 2010 16:26:34 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id EAB4B3A6A44 for <>; Tue, 2 Feb 2010 16:26:34 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 24B7383369A9 for <>; Tue, 2 Feb 2010 16:27:15 -0800 (PST)
X-AuditID: 11807130-b7b0aae00000102c-07-4b68c2e2e1b4
Received: from ( []) by (Apple SCV relay) with SMTP id FA.E5.04140.3E2C86B4; Tue, 2 Feb 2010 16:27:15 -0800 (PST)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from [] ( []) by (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <> for; Tue, 02 Feb 2010 16:27:14 -0800 (PST)
From: Maciej Stachowiak <>
In-reply-to: <>
Date: Tue, 02 Feb 2010 16:27:14 -0800
Message-id: <>
References: <> <> <> <>
To: Adam Barth <>
X-Mailer: Apple Mail (2.1077)
X-Brightmail-Tracker: AAAAAQAAAZE=
Subject: Re: [http-state] non-ASCII cookie values (was Re: Closing Ticket 3: Public Suffixes)
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 03 Feb 2010 00:26:35 -0000

On Feb 1, 2010, at 10:54 PM, Adam Barth wrote:

> On Mon, Feb 1, 2010 at 9:07 PM, David Morris <> wrote:
>> On Mon, 1 Feb 2010, Maciej Stachowiak wrote:
>>> But there are two ways in which it matters:
>>> 1) A header with non-ASCII bytes get set via Set-Cookie, then read through a JS API such as document.cookie. document.cookie gives a UTF-16 encoded string, so at this point the server has to decide how to interpret non-ASCII bytes in the cookie value.
>>> 2) If you set a cookie via document.cookie and include non-ASCII characters in the value, what bytes get sent?
>> Seems to me that the platform providing the document.cookie object is
>> responsible for making any value placed in the cookie: header correct.
> That seems like a wise course of action.  This document understands
> octet sequences.  HTML5 should define how to translate those octet
> sequences into JavaScript characters (when reading document.cookie)
> and how to perform the reverse translation (when writing
> document.cookie).

HTML5 does not spec this detail and apparently expects the cookie spec to expose a string interface, not an octet-sequence interface:

I think defining conversion between octet sequence and string could plausibly go in either spec. I think the cookie spec would be a better place, because other string-oriented interfaces from web platform specs to cookies (if any) should probably use the same conversion, and browser UI for managing cookies should probably use the same conversion too. So it would be a useful thing to define even if it's not used by the network protocol. However, if you don't think it should be in the cookie spec, I can file a bug against HTML5.