Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The comma-delimited combined value definition does not support Set-Cookie headers #345

Closed
malisas opened this issue Jul 29, 2016 · 11 comments
Closed

The comma-delimited combined value definition does not support Set-Cookie headers #345

malisas opened this issue Jul 29, 2016 · 11 comments
Labels
clarification Standard could be clearer

Comments

@malisas
Copy link

malisas commented Jul 29, 2016

The spec says:

A combined value, given a name (name) and header list (list), is the values of all headers in list whose name is name, separated from each other by ,, in order.

This properly follows the HTTP/1.1 Message Syntax and Routing Standards, which says:

A recipient MAY combine multiple header fields with the same field
name into one "field-name: field-value" pair, without changing the
semantics of the message, by appending each subsequent field value to
the combined field value in order, separated by a comma.

However, headers with the name Set-Cookie are discussed as a special case:

Note: In practice, the "Set-Cookie" header field ([RFC6265]) often
appears multiple times in a response message and does not use the
list syntax, violating the above requirements on multiple header
fields with the same name. Since it cannot be combined into a
single field-value, recipients ought to handle "Set-Cookie" as a
special case while processing header fields. (See Appendix A.2.3
of [Kri2001] for details.)

The Set-Cookie header field is defined here. A couple of its sub-rules, specifically path-value and extension-av, allow commas as part of the elements. This means that header-field values for Set-Cookie names should not be comma-delimited.

Also to note from "HTTP State Management Mechanism" from the latter link above:

Servers SHOULD NOT include more than one Set-Cookie header field in
the same response with the same cookie-name. (See Section 5.2 for
how user agents handle this case.)

Conclusion: The Fetch spec should be updated with an exception for handling the Set-Cookie header name case

(please double-check my interpretation, I could be wrong!)
@malisas malisas mentioned this issue Jul 29, 2016
Merged
5 tasks
@annevk
Copy link
Member

annevk commented Aug 4, 2016

We don't expose Set-Cookie so this isn't really a problem for the API, but there's probably a few things that could be clarified here, agreed.

@malisas
Copy link
Author

malisas commented Aug 4, 2016

Ah ok, thank you!

@malisas malisas closed this as completed Aug 4, 2016
@annevk
Copy link
Member

annevk commented Aug 4, 2016

I do think we should clarify this so I'm going to reopen. Hope you don't mind.

@annevk annevk reopened this Aug 4, 2016
annevk added a commit that referenced this issue Apr 19, 2018
@annevk
Clarify how Headers does not support Set-Cookie
5b89338 
Fixes #345.
@annevk annevk mentioned this issue Apr 19, 2018
Merged
@annevk
Copy link
Member

annevk commented Apr 19, 2018

I finally posted a clarification in #714.

@annevk annevk added the clarification Standard could be clearer label Apr 19, 2018
@kentonv
Copy link

kentonv commented Jun 12, 2018

FWIW, Cloudflare Workers needs to break spec here, because in our environment Set-Cookie very much is accessible and intended to be accessed from JavaScript. Our plan for now is to special-case Set-Cookie in calls to append().

@annevk
Copy link
Member

annevk commented Jun 12, 2018

That would still result in a broken get() and enumeration.

@kentonv
Copy link

kentonv commented Jun 12, 2018

@annevk Yes. It's less obvious what to do about those, so we haven't come up with anything. Looking at practical use cases, fixing append() seems to be the most pressing need -- lots of people want to add cookies in Workers, but we haven't seen anyone who cares to inspect cookies coming from upstream.

@annevk
Copy link
Member

annevk commented Jun 13, 2018
edited
Loading

It seems somewhat inevitable that eventually code gets complex enough that it needs inspection. I suppose when returning instead of "combined value" you could use something else that uses \n to combine the headers. (I'm not sure why you need to special case append() btw other than allowing this header. It doesn't eagerly combine at least as currently defined.)

@kentonv
Copy link

kentonv commented Jun 13, 2018

Oh hmm... @harrishancock did we misread this? It looks like append() actually doesn't specify that same-named headers should be combined. It's only on get() that this happens. https://fetch.spec.whatwg.org/#concept-header-list-append

@harrishancock
Copy link
Contributor

@kentonv This is embarrassing but I think we didn't realize we fixed it while fixing the passthrough case. D:

@kentonv
Copy link

kentonv commented Jun 15, 2018

Hah. Indeed, it turns out that our implementation is correct and append('Set-Cookie', ...) works just fine, but somehow we developed the urban legend that it wouldn't work.

annevk added a commit that referenced this issue Jul 23, 2018
@annevk
Clarify how Headers does not support Set-Cookie
7ab665e 
Fixes #345.
noamr added a commit to noamr/fetch that referenced this issue Sep 2, 2022
@noamr
Add more timing iformation about (interim) responses
dc4e6d9 
See w3c/resource-timing#345

Since early hints have landed, there are additional useful timestamps
that are currently not exposed:

- First interim response start (e.g. when we received a 103)
  as a different timestamp from the final response start
  (e.g. when we received the 200)

- Final headers received (when the last header has been received and
  we're ready for the body)

- First bytes of the body received

The naming in whatwg#345 is not finalized yet, but it's clear that these
are the 3 interesting timestamps. This PR exposes those for later
use by resource timing.
@noamr noamr mentioned this issue Sep 2, 2022
Merged
3 tasks
noamr added a commit to noamr/fetch that referenced this issue Nov 28, 2022
@noamr
Add more timing iformation about (interim) responses
e0df145 
See w3c/resource-timing#345

Since early hints have landed, there are additional useful timestamps
that are currently not exposed:

- First interim response start (e.g. when we received a 103)
  as a different timestamp from the final response start
  (e.g. when we received the 200)

- Final headers received (when the last header has been received and
  we're ready for the body)

- First bytes of the body received

The naming in whatwg#345 is not finalized yet, but it's clear that these
are the 3 interesting timestamps. This PR exposes those for later
use by resource timing.
noamr added a commit to noamr/fetch that referenced this issue May 4, 2023
@noamr
Add more timing iformation about (interim) responses
a18e4e3 
See w3c/resource-timing#345

Since early hints have landed, there are additional useful timestamps
that are currently not exposed:

- First interim response start (e.g. when we received a 103)
  as a different timestamp from the final response start
  (e.g. when we received the 200)

- Final headers received (when the last header has been received and
  we're ready for the body)

- First bytes of the body received

The naming in whatwg#345 is not finalized yet, but it's clear that these
are the 3 interesting timestamps. This PR exposes those for later
use by resource timing.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
clarification Standard could be clearer
Milestone
No milestone
Development

No branches or pull requests
4 participants
@harrishancock @annevk @kentonv @malisas