- From: Dan Winship <dan.winship@gmail.com>
- Date: Mon, 24 Nov 2008 13:53:50 -0500
- To: yngve@opera.com
- CC: Bil Corry <bil@corry.biz>, HTTP Working Group <ietf-http-wg@w3.org>
Yngve Nysaeter Pettersen wrote:
> The Netscape spec and the RFCs (2109, 2965, 2964) specify how cookies
> are parsed (syntactically), how their arguments are to be interpreted,
> and how the cookies are to be picked when sending.

RFC 2109 is nearly irrelevant in the real world, and 2965 is *completely* irrelevant. The Netscape spec is fairly accurate (as long as you ignore the grammar for the "expires" parameter, which only about 1/3 of cookies obey), though as you noted later, it is now only available via archive.org and other caches.

> For the most part there is AFAIK no major, and very few minor
> differences between the browsers in the processing and picking part.

Right, but the way the browsers do it doesn't completely match what the Netscape spec says. (Eg, if browsers actually obeyed the restriction that cookie values can't have commas in them, then we wouldn't need the special "don't merge Set-Cookies headers" warning in 2616bis, because it would be possible for browsers to unmerge merged headers.)

It's exactly the same situation as with HTML5; the "real" specification of cookie behavior is not RFC 2109 or the Netscape spec, it's "what Firefox and IE do". The fact that this isn't documented (and isn't trivial to figure out) makes it difficult for anyone else to implement cookie-handling in a way that's fully compatible with the web.

-- Dan
Received on Monday, 24 November 2008 18:54:25 UTC
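
The unmerging problem raised in the message above, as an added example that is not part of the original e-mail: it folds several Set-Cookie values into one comma-separated field and tries to split them again. The function names and all header values are constructed for illustration, and the "next cookie" heuristic is an assumption, not any browser's actual algorithm.

```python
import re

def merge(values):
    """Fold repeated header fields into one comma-separated field."""
    return ", ".join(values)

def unmerge_naive(merged):
    """Split on every comma, which is only safe if no cookie contains one."""
    return [p.strip() for p in merged.split(",")]

# Hypothetical heuristic: a comma starts a new cookie only when it is
# followed by something shaped like "name=".
_NEXT_COOKIE = re.compile(r",\s*(?=[^;,=\s]+=)")

def unmerge_heuristic(merged):
    return [p.strip() for p in _NEXT_COOKIE.split(merged)]

# Constructed samples.
# No commas anywhere: unmerging is trivial.
STRICT = ["sid=abc123; path=/", "lang=en; path=/"]

# The Netscape-style expires date itself contains a comma.
WITH_DATE = [
    "sid=abc123; expires=Mon, 24-Nov-2008 18:54:25 GMT; path=/",
    "lang=en; path=/",
]

# One cookie whose value contains a comma, as deployed sites send ...
COMMA_VALUE = ["prefs=x, theme=dark; path=/", "lang=en; path=/"]
# ... and three separate cookies that fold to the very same string.
AS_SEPARATE = ["prefs=x", "theme=dark; path=/", "lang=en; path=/"]

if __name__ == "__main__":
    for label, sample in [("strict", STRICT), ("with date", WITH_DATE),
                          ("comma in value", COMMA_VALUE)]:
        folded = merge(sample)
        print(label)
        print("  naive     ok:", unmerge_naive(folded) == sample)
        print("  heuristic ok:", unmerge_heuristic(folded) == sample)
    # Folding is not injective, so no unmerge function can be correct
    # for both of these inputs.
    print("ambiguous:", merge(COMMA_VALUE) == merge(AS_SEPARATE))
```

A recipient that receives the folded field may therefore store a different set of cookies than the server sent, which is why implementations keep each Set-Cookie field separate instead of attempting recovery.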