W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2008

Re: HTTPOnly Cookies Specification

From: Dan Winship <dan.winship@gmail.com>
Date: Mon, 24 Nov 2008 13:53:50 -0500
Message-ID: <492AF83E.7040405@gmail.com>
To: yngve@opera.com
CC: Bil Corry <bil@corry.biz>, HTTP Working Group <ietf-http-wg@w3.org>

Yngve Nysaeter Pettersen wrote:
> The Netscape spec and the RFCs (2109, 2965, 2964) specify how cookies
> are parsed (syntactically), how their arguments are to be interpreted,
> and how the cookies are to be picked when sending.

RFC 2109 is nearly irrelevant in the real world, and 2965 is
*completely* irrelevant. The Netscape spec is fairly accurate (as long
as you ignore the grammar for the "expires" parameter, which only about
1/3 of cookies obey), though as you noted later, it is now only
available via archive.org and other caches.

> For the most part there is AFAIK no major, and very few minor
> differences between the browsers in the processing and picking part.

Right, but the way the browsers do it doesn't completely match what the
Netscape spec says. (Eg, if browsers actually obeyed the restriction
that cookie values can't have commas in them, then we wouldn't need the
special "don't merge Set-Cookies headers" warning in 2616bis, because it
would be possible for browsers to unmerge merged headers.) It's exactly
the same situation as with HTML5; the "real" specification of cookie
behavior is not RFC 2109 or the Netscape spec, it's "what Firefox and IE
do". The fact that this isn't documented (and isn't trivial to figure
out) makes it difficult for anyone else to implement cookie-handling in
a way that's fully compatible with the web.

-- Dan
Received on Monday, 24 November 2008 18:54:25 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:57 GMT