Note that cookie serialisation algorithm may produce output that doesn't match cookie-string #1210
Comments
Can you clarify what a fix would look like? Bonus points for a PR. 😅 (I mean, I can also attempt a PR, just not clear on what the recommended fix would be)
You attempting would probably be as good as me attempting!
I'm skeptical, however willing to try! And now I think I actually understand the bug report (and didn't when I commented). @gsnedders is saying that the ABNF in https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-07#section-4.2.1 has a bug, since
But nameless and valueless cookies exist.
I think maybe this can be solved by making the following changes:
This is pretty simple to grok:
This is supposed to convey "a nameless cookie, OR a valueless cookie (but not both)".
That should work for the following valid cookie-pairs:
If that's the route we go, then in https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-07#section-4.2.1:
cookie-string = cookie-pair *( ";" SP cookie-pair )
That should work. However... unless we tweak
Maybe we can just add an
Actually that won't fix the bug I described. 🙈 Maybe this super elegant solution (but the above ABNF would have to be tweaked):
FWIW nameless and valueless cookies are no longer RFC compliant after #1236. Up until then only Set-Cookie strings with empty names and empty values weren't accepted, but there were ways around this to get empty-name-empty-value cookies into user agents' cookie jar using the CookieStore API.
There are nameless cookies and there are valueless cookies (and, as you said, there are no nameless-and-valueless cookies). FWIW, the syntax in section 4.1.1 where
Edit: To clarify, I'm thinking there's no accuracy issue with the spec as written, since if the server does things as recommended (and sends a cookie with name=value), then the user agent will respond as given by
(love the ambiguities of English 😄 -- thanks for the explicit callout and pointer to #1236 @DCtheTall)
In the nameless cookie case, it seems that an unhandled edge case arises because of the following, from the
To illustrate the problem with some examples:
One solution for this, which is currently specified by the Cookie Store API, is to forbid cookies with an empty name and a value containing '=' from being set. Limiting It seems like using the following in the
This would fix the issue in the example above (the resulting cookie lines would be
I'll submit a PR for this change.
The empty-name-but-nonempty-value case is serialized as The Set-Cookie header can't produce a nameless cookie with value (Side note, more generally, this is getting out of hand and we should try to factor out common logic in the Storage Model and set-cookie-string parsing sections.)
Hmm, looks like there is a WPT for this case, but the expected output for it would be interpreted incorrectly :( Wouldn't Also, '=' is a valid base64 character, so not allowing it in
Oh, my mistake, you're right that I would be a bit concerned about breaking stuff if this serialization changed. :-/ Theoretically there's a use case for this behavior... since
Maybe we just fix this with a note cautioning against using nameless cookies, and point to this issue as a warning. |
Ideally we'd define server-side parsing of cookie-string (or at least recommend behaviour here for things that don't match cookie-string!), given this does cause problems for some servers (e.g. aio-libs/aiohttp#2683).
Until then we should at least make it clear that the "the algorithm to compute the cookie-string from a cookie store and a request-uri" can create things that don't match cookie-string (e.g., nameless cookies after #1144). There's a number of WPT expected results that don't match cookie-string.
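To make the mismatch concrete, here is an added example (not code from this issue, the spec, or any browser): a user agent serialising its cookie jar the way this thread describes the bis algorithm (a nameless cookie contributes only its value), beside a server parsing the result strictly against the cookie-string ABNF, so the round-trip shows which jars survive. The function names, the tuple representation and the "; "-joined layout are assumptions of the example.

```python
from typing import List, Optional, Tuple

# (name, value) pairs; either may be empty, but not both (constructed model).
Cookie = Tuple[str, str]


def serialize_cookie_string(cookies: List[Cookie]) -> str:
    """User-agent side, as the thread describes the bis algorithm:
    emit name "=" only when the name is non-empty, then the value,
    joining cookies with "; ". A nameless cookie is emitted as its value alone."""
    parts = []
    for name, value in cookies:
        if not name and not value:
            raise ValueError("a cookie cannot be both nameless and valueless")
        parts.append(f"{name}={value}" if name else value)
    return "; ".join(parts)


def parse_cookie_string(cookie_string: str) -> Optional[List[Cookie]]:
    """Server side, strictly against
        cookie-string = cookie-pair *( ";" SP cookie-pair )
        cookie-pair   = cookie-name "=" cookie-value
    where cookie-name is non-empty and cookie-value may be empty.
    Returns None when the input does not match (cookie-octet validation omitted)."""
    result: List[Cookie] = []
    for pair in cookie_string.split("; "):
        name, sep, value = pair.partition("=")
        if not sep or not name:  # no "=" at all, or an empty cookie-name
            return None
        result.append((name, value))
    return result


def round_trip(cookies: List[Cookie]) -> Tuple[str, Optional[List[Cookie]], bool]:
    """Serialise, parse strictly, and report whether the server recovers the jar."""
    cookie_string = serialize_cookie_string(cookies)
    parsed = parse_cookie_string(cookie_string)
    return cookie_string, parsed, parsed == cookies


if __name__ == "__main__":
    # Constructed jars: the valueless cookie round-trips (cookie-value may be empty);
    # the nameless ones either fail to parse or silently become a different cookie.
    for jar in ([("x", "")], [("", "foo")], [("", "a=b")]):
        print(jar, "->", round_trip(jar))
```

The last jar is the case discussed above: an empty name with a value containing "=" serialises to "a=b", which a strict server reads back as a cookie named "a" rather than rejecting it.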