Description
For the RFC 6265, the double-quotes are part of the cookie value but the functions and methods in the standard library that operates on cookies treat them as if they were not part of it.
The SetCookie
function does not allow to send a cookie, that conforms to the spec, with a double-quoted value and the (*Request).Cookie
method strips the quotes from the value despite the double-quotes are part of it.
The syntax in the RFC 6265 is
cookie-pair = cookie-name "=" cookie-value
...
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
but it has been implemented in the standard library as
cookie-pair = cookie-name "=" ( cookie-value / ( DQUOTE cookie-value DQUOTE ) )
...
cookie-value = *cookie-octet
The author of the RFC 6265 has confirmed in https://lists.w3.org/Archives/Public/ietf-http-wg/2017JanMar/0229.html that this was the intent.
The draft https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-02 added this note to the spec
Per the grammar above, the cookie-value MAY be wrapped in DQUOTE
characters. Note that in this case, the initial and trailing DQUOTE
characters are not stripped. They are part of the cookie-value, and
will be included in Cookie headers sent to the server.
and in the appendix reports this discussion https://issues.apache.org/jira/browse/HTTPCLIENT-1006.