net/http: accept cookies with space in the name #11519
Comments
CL https://golang.org/cl/11863 mentions this issue.
Dealing with cookies from malformed web applications is always possible by manually processing the {Set,}Cookie header. This is painful as one has to reimplement the functionalities of net/http's cookie handling. But as it is doable there is no fundamental need to weaken the standard library. IMHO there is a qualitative difference between malformed values and malformed names (e.g. almost no programming language allows names with spaces). The malformed values were allowed because such values are very common and work on all major browsers (with appropriate quoting). E.g. not all values are allowed, bytes with the high bit set are considered invalid (even if Firefox handles UTF-8 encoded cookie values very well) because they are not that common in the wild. I didn't think it through, but I could imagine that allowing spaces in names could produce parsing ambiguities. So please no.
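The manual processing of the Set-Cookie header mentioned in the comment above, sketched as an added example that is not part of the thread or of net/http: `lenientCookie` and `cookiesWithFallback` are hypothetical helper names, the header lines are constructed, and trimming surrounding whitespace follows the browser behaviour described in this discussion. Cookies that net/http accepts are kept separate from the leniently parsed ones so the caller can treat the latter as coming from a malformed application.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// lenientCookie parses the name=value pair of one Set-Cookie line and allows
// spaces inside the name. Hypothetical helper, not a net/http API.
func lenientCookie(line string) (name, value string, ok bool) {
	pair, _, _ := strings.Cut(line, ";") // attributes (Path, HttpOnly, ...) are ignored here
	name, value, ok = strings.Cut(pair, "=")
	name, value = strings.TrimSpace(name), strings.TrimSpace(value)
	if !ok || name == "" {
		return "", "", false
	}
	for _, r := range name + value {
		if r < 0x20 || r >= 0x7f { // control bytes and non-ASCII stay rejected
			return "", "", false
		}
	}
	if strings.ContainsAny(name, ",\"\\") { // separators that would make the name ambiguous
		return "", "", false
	}
	return name, value, true
}

// cookiesWithFallback returns the cookies net/http accepted and, separately,
// name/value pairs recovered from the lines it dropped.
func cookiesWithFallback(h http.Header) (strict []*http.Cookie, lenient map[string]string) {
	strict = (&http.Response{Header: h}).Cookies()
	seen := map[string]bool{}
	for _, c := range strict {
		seen[c.Name] = true
	}
	lenient = map[string]string{}
	for _, line := range h.Values("Set-Cookie") {
		if name, value, ok := lenientCookie(line); ok && !seen[name] {
			lenient[name] = value
		}
	}
	return strict, lenient
}

func main() {
	h := http.Header{} // constructed sample response headers
	h.Add("Set-Cookie", "session=abc123; Path=/; HttpOnly")
	h.Add("Set-Cookie", " my cookie =v1; Path=/")
	strict, lenient := cookiesWithFallback(h)
	fmt.Println(len(strict), lenient)
}
```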
True, it can be re-implemented locally. In that particular case (Google Bug 22245291) I'm also hoping to get the application fixed.
Where did we get the data that space in values was very common? can we check if space in name is common as well?
Space in cookie name works with Chrome 43. I also checked, it works in Firefox 38 and IE 11. If following major browsers implementation was an argument in the previous decision, maybe balance in favor of consistency and allow it.
Name and value are separated with There's also the case of spaces at the beginning or end but I think we can just trim, like the major browsers do.
This was not a scientific statistic evaluation.
No, this statement is misleading. If any major browsers (and curl) wouldn't be able to handle spaces in cookie values Go probably wouldn't have allowed them. The support in major browsers works just in one direction: "No complete support in browser" ==> "No support in Go" cannot be reverted to state "Major browser support" ==> "Go should support it too."
Does anybody want to argue for this with data? Otherwise I'm inclined to close the bug.
Please close away. On 25 September 2015 at 04:13, Brad Fitzpatrick notifications@github.com
Hello,
net/http does not allow space in cookie name. That's what the RFC mandates; unfortunately, broken web applications set cookies with names containing a space.
Repro: http://play.golang.org/p/MhiJ2KKFqA
I see we're already flexible for values, so maybe we can be flexible for names too?
CL: https://go-review.googlesource.com/#/c/11863/
Thanks.