On Mon, Mar 7, 2016 at 4:37 AM, Daniel Stenberg <daniel@haxx.se> wrote:
> On Mon, 7 Mar 2016, Mike West wrote:
>
> I'm confused. Are there clients that process things in the reverse order
>> from what RFC6265 lays out?
>>
>
> I'm sure there are several. The curl one just happens to be the one I know
> the best.
>
> I mean, according to the algorithm I quoted in the previous response,
>> `Priority=Low; favcolor=blue` _is_ a cookie named `Priority`. Just like
>> `Max-Age=1; favcolor=blue` is a cookie named `Max-Age` today. I think
>> that's the way browsers process cookies today. Does `curl` do things
>> differently?
>>
>
> It does! It basically detects a set of names used for properties and
> treats the first unknown name value pair on the header as the cookie name,
> in a left-to-right order on the header.
>
> (I'm not suggesting it is a "proper" or "good" implementation, just that
> it works with the vast majority of sites using cookies and it was written
> long before we created RFC 6265 and I guess nobody felt the need to update
> it since to that aspect.)
It might be worth improving the libcurl implementation to match RFC6265.
The vast majority of user agents using the parsing approach described in
RFC6265. Having a hard-coded list of attribute names makes it (even more)
difficult to extend and improve cookies over time. Regardless of what you
think of this particular extension, I think most people would agree that
extensibility in protocols is valuable.
Adam