net/http: implementation of cookies does not conform to RFC 6265 for double-quoted values #46443
Per RFC 6265, the double quotes are part of the cookie value, but the functions and methods in the standard library that operate on cookies treat them as if they were not part of it.
The syntax in the RFC 6265 is
but it has been implemented in the standard library as
The author of the RFC 6265 has confirmed in https://lists.w3.org/Archives/Public/ietf-http-wg/2017JanMar/0229.html that this was the intent.
The draft https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-02 added this note to the spec
and in the appendix reports this discussion https://issues.apache.org/jira/browse/HTTPCLIENT-1006.
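As an added example (not code from the issue, from Go's own sources, or from the linked discussions), the following program shows the behaviour the issue describes from both sides: what a Go client stores in Cookie.Value when a Set-Cookie header carries a DQUOTE-wrapped cookie-value, what a Go server handler sees when a client sends such a cookie, and which bytes Cookie.String reproduces afterwards. The header lines are constructed sample input. Whether Cookie.String re-adds quotes around a value that does not need them depends on the Go version, so the program reports that case instead of assuming it; the byte-identical check is what matters when a server verifies a signed or encrypted raw cookie-value.

```go
package main

import (
	"fmt"
	"net/http"
)

// Constructed header values used as sample input (not taken from the issue).
const (
	quotedSetCookie   = `id="abc"` // DQUOTE-wrapped cookie-value, as in the RFC grammar
	spacedSetCookie   = `id="a b"` // quoted because the value contains a space
	unquotedSetCookie = `id=abc`
)

// setCookieValue parses one Set-Cookie header line the way an http.Client does
// and returns the Cookie.Value net/http produces. The surrounding double quotes
// are stripped, so both `id="abc"` and `id=abc` yield "abc".
func setCookieValue(headerLine string) (string, bool) {
	resp := &http.Response{Header: http.Header{}}
	resp.Header.Add("Set-Cookie", headerLine)
	cs := resp.Cookies()
	if len(cs) == 0 {
		return "", false
	}
	return cs[0].Value, true
}

// requestCookieValue parses a Cookie request header the way an http.Server does
// and returns the value for name. A browser sending `id="abc"` unchanged is seen
// by the handler as Value "abc".
func requestCookieValue(headerLine, name string) (string, bool) {
	req := &http.Request{Header: http.Header{}}
	req.Header.Add("Cookie", headerLine)
	c, err := req.Cookie(name)
	if err != nil {
		return "", false
	}
	return c.Value, true
}

// roundTrip parses a Set-Cookie line and re-serialises it with Cookie.String,
// returning the bytes a Go program would emit for the same cookie.
func roundTrip(headerLine string) (string, bool) {
	resp := &http.Response{Header: http.Header{}}
	resp.Header.Add("Set-Cookie", headerLine)
	cs := resp.Cookies()
	if len(cs) == 0 {
		return "", false
	}
	return cs[0].String(), true
}

// survivesRoundTrip reports whether the header line comes back byte-identical.
// This is the property a server relies on when it compares or verifies (for
// example HMAC-signs) the raw cookie-value rather than a decoded form.
func survivesRoundTrip(headerLine string) bool {
	out, ok := roundTrip(headerLine)
	return ok && out == headerLine
}

func main() {
	for _, h := range []string{quotedSetCookie, spacedSetCookie, unquotedSetCookie} {
		v, _ := setCookieValue(h)
		out, _ := roundTrip(h)
		fmt.Printf("Set-Cookie: %-9s -> Value=%q -> String()=%s (byte-identical: %t)\n",
			h, v, out, survivesRoundTrip(h))
	}
	v, _ := requestCookieValue(`id="abc"; other=1`, "id")
	fmt.Printf("Cookie: id=\"abc\" is seen by the handler as Value=%q\n", v)
}
```

The `id="a b"` case round-trips because Cookie.String quotes any value containing a space or comma; the `id="abc"` case is the one the issue is about, since the quotes carry no information for net/http once the value has been parsed.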
This is wrong. The optional double-quotes around a cookie are not part of the value. The standard library is correct.
What version of Go are you using (
RFC 6265 is quite clear that double-quotes are part of the
After some investigation, in this message I will explain the source of the problem and its consequences. I will also propose some solutions.
Source of the problem
A type that implements the
So, if a
is sent to the server as
Note that all the major browsers, latest and older versions, do not alter the cookie value sent to the server.
I propose three alternative solutions:
a) Standard compliant cookies received with a
b) Add a
c) Change the meaning of the
This issue is about a simple question: Does net/http.Cookie.Value represent the "semantic value" of a cookie or does it represent the raw data that RFC 6265 calls the "cookie-value".
RFC 6265 is not clear here (as it makes many statements about how values should be interpreted), but the common interpretation has been that the semantic value of a cookie can optionally be enclosed in double quotes or not enclosed. See e.g. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie stating "A cookie-value can optionally be wrapped in double quotes". This interpretation is shared by net/http, which treats the double quotes as not being part of the value.
Unfortunately net/http.Cookie mentions RFC 6265 and maybe this led to the confusion here. I still think that
This is obviously not something we can or should do.
This seems like the simplest way to preserve double-quoted
We could safely change
Preserving the ability to round-trip a
@neild I agree, the only viable option is b. Even if we could break existing users, this option does not force you to manage surrounding DQUOTE characters if you don't want to, and also allows you to add surrounding DQUOTE characters if you need to.
It's a good question. I honestly think no one knows. I also found this similar old issue #10195, closed but not solved.