W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2008

Re: NEW ISSUE: repeating non-list-type-headers

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 16 Jun 2008 13:20:41 +0200
Message-ID: <48564C89.3060609@gmx.de>
To: HTTP Working Group <ietf-http-wg@w3.org>

Hi.

It seems to me that we really should open a separate issue (*) for this 
one, so that it doesn't get lost.

BR, Julian

(*) As compared to: <http://tools.ietf.org/wg/httpbis/trac/ticket/93>.


Jamie Lokier wrote:
> Bjoern Hoehrmann wrote:
>> * Jamie Lokier wrote:
>>>>    Multiple message-header fields with the same field-name MUST NOT be
>>>>    present in a message unless the entire field-value for that
>>>>    header field is defined as a comma-separated list [i.e., #(values)].
>>> It would be clearer, but it would clash with reality.  All web servers
>>> and web clients use Set-Cookie, which is prohibited by that.
>> I re-read RFC 2109 and it seems you are mistaken, Set-Cookie as defined
>> there takes a comma-separated list.
> 
> RFC2109 is not implemented by anybody as far as I know.
> 
> Firstly, cookie _values_ in Set-Cookie may contain a comma which
> _mustn't_ be quoted because quotes are considered part of the value.
> When a value is unquoted, RFC2109 says it must match token syntax, but
> even today that's not conformed to.  And RFC2109 doesn't describe an
> "expires=" attribute, but of course nearly all cookies have one, and
> they don't have the "max-age=" attribute with RFC2109 recommands.
> Finally, as you note, unquoted comma in expires attributes - in fact
> quoting is not allowed historically for that either.
> 
> See how many RFC2109 non-compliances you can find in this header I got
> today from Google, for example.
> 
>   Set-Cookie: PREF=ID=823cb075fecf6437:TM=1195776675:LM=1195776675:S=WADqk8jBntt5y3gk; expires=Sun, 22-Nov-2009 00:11:15
> 
> (That nobody implements RFC2109 is implied in RFC2965, which obsoletes
> RFC2109 and in section 9 talks about using Set-Cookie2 alongside
> Netscape style Set-Cookies, not mentioning RFC2109 style Set-Cookiess.
> I think this reflects the observation at the time that the change of
> Set-Cookie syntax promoted in RFC2109 wasn't taken up, probably
> because it's not backward compatible.)
> 
>> There are a number of problems with commas in cookies, like unquoted
>> expires parameters and clients that can't parse the header properly,
> 
> Clients which parse the header according to RFC2109 are going to break
> quickly in the wild.  But worse: servers which send headers according
> to RFC2109 are going to break quickly in the wild too; there's no
> transition mechanism to clean it up, except Set-Cookie2, which hasn't
> taken off in a big way, although it might do so eventually.
> 
>> but this part of the specification is unlikely the right place to
>> highlight them. Am I missing something?
> 
> I think this is exactly the right place to highlight that generic HTTP
> message parsers need to handle Set-Cookie specially if they apply
> header folding in the common internet.  E.g. proxies have to get this
> right (which is why I proposed text which tells them to), as do
> generic HTTP processing modules that pass headers along on behalf of
> applications, in both servers and clients.
> 
> Where else would this logically go?  This is _the_ only standard text
> about how to parse multiple HTTP headers and fold duplicates.
> 
> It is such a common requirement to get this right in _generic_ HTTP
> header handling code, not code which handles cookies, and it's not
> going away.  Thus, imho, it's relevant to a HTTP specification, even
> if it has to go in the equivalent of RFC 2616 "19.3 Tolerant
> Applications"... except this isn't about tolerance.
> 
> It's not even anyone's implementation bug.  It was simply specified
> that way by Netscape, and everyone who uses cookies still uses that
> specification.
> 
> -- JAmie
> 
Received on Monday, 16 June 2008 11:21:26 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:48 GMT