You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Parser for Set-Cookie header (function parse_set_cookie in http.lua) is currently assigning attributes without a value (such as Secure or HttpOnly) an artificial Boolean value of true (not string "true"). In contrast, attributes with explicitly empty values (...; attr=;...) are assigned a zero-length string as the value.
According to RFC 6265, section 5.2 these two cases should have the same outcome: empty value.
I am proposing to change the parser to assign a zero-length string to value-less attributes, which would have the following effect:
Pro
A parsed attribute always has a value of type string
Zero-length string is still interpreted as true in logical tests so this change should have negligible impact on existing code
There is no distinction between ...; attr;... and ...; attr=;..., which is what the RFC prescribes.
Con
There is no distinction between ...; attr;... and ...; attr=;..., so response member rawheader would have to be used if somebody truly needs to differentiate between the two cases.
I will implement the change in a few weeks unless anybody brings up concerns.
The text was updated successfully, but these errors were encountered:
Parser for
Set-Cookie
header (functionparse_set_cookie
inhttp.lua
) is currently assigning attributes without a value (such asSecure
orHttpOnly
) an artificial Boolean value oftrue
(not string"true"
). In contrast, attributes with explicitly empty values (...; attr=;...
) are assigned a zero-length string as the value.According to RFC 6265, section 5.2 these two cases should have the same outcome: empty value.
I am proposing to change the parser to assign a zero-length string to value-less attributes, which would have the following effect:
Pro
string
true
in logical tests so this change should have negligible impact on existing code...; attr;...
and...; attr=;...
, which is what the RFC prescribes.Con
...; attr;...
and...; attr=;...
, so response memberrawheader
would have to be used if somebody truly needs to differentiate between the two cases.I will implement the change in a few weeks unless anybody brings up concerns.
The text was updated successfully, but these errors were encountered: