W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Cookie crumbling in -09

From: Willy Tarreau <w@1wt.eu>
Date: Sat, 16 Nov 2013 09:02:13 +0100
To: Martin Thomson <martin.thomson@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20131116080213.GF11858@1wt.eu>
Hi Martin,

On Fri, Nov 15, 2013 at 11:52:02AM -0800, Martin Thomson wrote:
> I've just added some text to the editor's draft [1] around special
> handling of the cookie header field.  This will allow clients to
> squeeze out a little more compression efficiency.
> 
> After the gaffe earlier this week with -08, I wanted to publicize this
> a little.  This is the only substantial change between -07 and the
> imminent -09 in the main specification.
> 
> There are, of course, other compression-related changes coming in HPACK.
> 
> [1] https://github.com/http2/http2-spec/commit/b9a62379e29174bada803fb27e2a6d36b69513f0

This part looks strange to me :

  If there are multiple Cookie header fields after decompression,
  these MUST be concatenated into a single octet string using the
  two octet delimiter of 0x3B, 0x20 (the ASCII string "; ").

Indeed, right now applications correctly handle cookie as a list
of values which can be aggregated using commas like any other header
field. Thus, why make a special case of this cookie header and force
implementations to parse requests to see if there are multiple
occurrences and merge them differently than what is done for other
header fields ? I'd rather suggest that if there are multiple Cookie
header fields after decompression, they MAY be concatenated into a
single octet string using commas just like any other header field
(0x2C 0x20).

What do you think ?

Willy
Received on Saturday, 16 November 2013 08:02:36 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC