Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cookie: reject cookie names or content with TAB characters #9659

Closed
wants to merge 3 commits into from

Conversation

bagder
Copy link
Member

@bagder bagder commented Oct 6, 2022

TABs in name and content seem allowed by RFC 6265: "the algorithm strips leading and trailing whitespace from the cookie name and value (but maintains internal whitespace)"

Cookies with TABs in the names are rejected by Firefox and Chrome.

TABs in content are stripped out by Firefox, while Chrome discards the whole cookie.

TABs in cookies also cause issues in saved netscape cookie files.

bagder added 3 commits Oct 6, 2022
TABs in name and content seem allowed by RFC 6265: "the algorithm strips
leading and trailing whitespace from the cookie name and value (but
maintains internal whitespace)"

Cookies with TABs in the names are rejected by Firefox and Chrome.

TABs in content are stripped out by Firefox, while Chrome discards the
whole cookie.

TABs in cookies also cause issues in saved netscape cookie files.

Reported-by: Trail of Bits
@bagder
Copy link
Member Author

bagder commented Oct 6, 2022

According to httpwg/http-extensions#2262 the browsers are now adapting to new language in 6265bis (that was not present in 6265) which more than previously encourages implementers to allow TABs in there.

I'm not a fan, but it seems they have made up their minds. In the name of (future) interop, we probably need to keep the support and instead fix the file saving end.

@bagder
Copy link
Member Author

bagder commented Oct 7, 2022

The opposite take, that instead encodes the TABs in name and values then saving, is in #9662

@bagder
Copy link
Member Author

bagder commented Oct 14, 2022

Decision: we merge this PR: we start rejecting cookies with tab in name or value since they are not accepted widely and thus do not interoperate between clients and they break the cookie file when saved so they do not even work correctly with curl.

If the unlikely event happens and this behavior changes drastically in the future, we can consider going back and then take the #9662 route instead.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants