Re: [http-state] Comments on draft-ietf-httpstate-cookie-08
"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Sun, 30 May 2010 21:48 UTC
Return-Path: <yngve@opera.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 819313A6782 for <http-state@core3.amsl.com>; Sun, 30 May 2010 14:48:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.999
X-Spam-Level:
X-Spam-Status: No, score=-3.999 tagged_above=-999 required=5 tests=[BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ojQcFd0gwRIN for <http-state@core3.amsl.com>; Sun, 30 May 2010 14:48:14 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by core3.amsl.com (Postfix) with ESMTP id 5BFD63A692D for <http-state@ietf.org>; Sun, 30 May 2010 14:48:14 -0700 (PDT)
Received: from acorna (30.169.202.84.customer.cdi.no [84.202.169.30]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o4ULlx7T010410 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 30 May 2010 21:48:00 GMT
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: Adam Barth <ietf@adambarth.com>
References: <op.vdfzz8lovqd7e2@killashandra.oslo.osa> <AANLkTimlI-W0XCSff8Q4Lmh4AFs4PaY76N1QAxJAHZ7R@mail.gmail.com>
Date: Sun, 30 May 2010 23:47:57 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
Message-ID: <op.vdjf57bmqrq7tp@acorna>
In-Reply-To: <AANLkTimlI-W0XCSff8Q4Lmh4AFs4PaY76N1QAxJAHZ7R@mail.gmail.com>
User-Agent: Opera Mail/10.53 (Win32)
Cc: "http-state@ietf.org" <http-state@ietf.org>
Subject: Re: [http-state] Comments on draft-ietf-httpstate-cookie-08
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 May 2010 21:48:16 -0000
On Sun, 30 May 2010 22:48:16 +0200, Adam Barth <ietf@adambarth.com> wrote: > On Fri, May 28, 2010 at 6:05 PM, Yngve Nysaeter Pettersen > <yngve@opera.com> wrote: >> Here are some more comments about the httpstate draft. > >> - %XX escaping and path compares. Maybe add a reference to the URI >> compare >> definition in 2616? > > Can you provide a test case that demonstrates that %-escaping is > relevant in this context? My testing shows that user agents ignore > %-escaping in the Path attribute. Now, some user agents canonicalize > %-escaping in URLs, but that's a matter best left to another working > group, IMHO. target URI is /foo/%41/bar, path is /foo/a/ >> As for the server-side, when sending this header >> >> Cookie: name1="foo1; name2=bar"; name3=foo2"2; name4=bar"4; name5=foo >> >> to Django 1.1 or the Python 2.6 Cookie module, the result is the >> following >> set of cookies: >> >> name1="foo1; name2=bar" >> name3=foo2 >> name4=bar >> name5=foo > > That's only an issue if Django sends a Set-Cookie header that > generates that Cookie header. If somewhere there's a Django server > that does send such a Set-Cookie header, the author of that server is > likely expecting the Cookie header to parse that way because that's > how it works for the majority of user agents. If they aren't > expecting that parsing, they'll discover it as soon as they test their > site with any version of IE. You are assuming that Django is the only framework involved in the system. And AFAICT this behavior comes from *Python's* module for cookie handling, and is *not* Django-only, meaning that potentially all Python based systems could encounter this problem. And keep in mind that this was just the frameworks I had immediately at hand, it may well be (probably very likely) that other frameworks are behaving in the same fashion. I think it is quite possible that a parser such as Django/Python's can be integrated into an existing system that under some circumstances use unbalance quotes by another system. If so, testing might not reveal the issue until much later. One possibility is that the cookie's value is directly or indirectly derived from user input (which could be very dangerous in any case). > By contrast, if we adopt Opera's parsing of the Set-Cookie header, > then we're much more likely to cause interoperability problems for > sites that rely on the more common parsing. Not too frequently I suspect; I can recall only one, maybe two, cases (and the one I remember showed up in my mailbox last week) >> The situation for this particular value syntax is already undefined, and >> while it is a corner case, it can have unanticipated effects, >> particularly >> in combination with different cookie ordering algorithms. Putting the >> server >> administrators on notice about the issue should hopefully increase >> interoperability because they can then avoid the problematic cases. > > The behavior for this particular value syntax is indeed defined. You By "undefined" I mean that there are already deployed systems that behave in different fashions from what might be expected if unbalanced quotes are used. Perhaps "the result is unpredicatable" would be a better description. > can find the definition in Section 5. We're already advising server > administrators not to use double-quotes. That's the most helpful Not in that many words, but it is admittedly implied by the token specification of cookie-value. I think that in this case it is better to have a little redundancy by pointing out that this is one character where the "opaque" part is ignored by a number of clients (and may be ignored by serverside frameworks), and we are not just talking about Opera, we are also talking about a major client like FireFox 3.6 and earlier versions (whether or not nightlies have changed behavior in this area) -- Sincerely, Yngve N. Pettersen ******************************************************************** Senior Developer Email: yngve@opera.com Opera Software ASA http://www.opera.com/ Phone: +47 24 16 42 60 Fax: +47 24 16 40 01 ********************************************************************
- [http-state] Comments on draft-ietf-httpstate-coo… Yngve Nysaeter Pettersen
- Re: [http-state] Comments on draft-ietf-httpstate… Bjoern Hoehrmann
- Re: [http-state] Comments on draft-ietf-httpstate… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Comments on draft-ietf-httpstate… Adam Barth
- Re: [http-state] Comments on draft-ietf-httpstate… Adam Barth
- Re: [http-state] Comments on draft-ietf-httpstate… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Comments on draft-ietf-httpstate… Adam Barth
- Re: [http-state] Comments on draft-ietf-httpstate… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] Comments on draft-ietf-httpstate… Adam Barth