Re: status of rfc6265bis?

Currently all the major browser engines agree and return the quotes as part
of the cookie, which seems to be what the spec says (DQUOTEs are part of
the cookie value). Most servers seem to work fine with this behavior and no
one knows what will break if browsers start handling this differently.

Browsers also allow, and some web applications use, spaces and UTF-8
sequences in cookies which are technically not valid cookie-octets; we
should probably make this part of the spec match reality if we can figure
out what that is.

-Dan Veditz

On Mon, Feb 13, 2017 at 3:45 AM, Julian Reschke wrote:

> Hi there,
> so what's going on here? It seems nothing has happened since early
> October? Are we still working on this?
> Related to that: there was recently a heated discussion over in <>
> about whether
> clients are supposed to round-trip the "quoted-string"-ness of a cookie. I
> think I know what the answer is, but it's certainly not clear enough in the
> existing spec. Feedback from our cookie experts would be awesome...
> Best regards, Julian

Received on Monday, 13 February 2017 16:24:37 UTC
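
The behaviour discussed in this message, as an added example that is not part of the original thread: it splits a Set-Cookie string following the RFC 6265 section 5.2 steps (DQUOTEs stay in the stored value, so they come back in the Cookie header) and checks the value against the strict cookie-octet grammar of section 4.1.1. The function names and the sample headers are constructed for illustration.

```javascript
// Added example. Grammar per RFC 6265 section 4.1.1:
//   cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
//   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
const COOKIE_OCTET = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]$/;

// Trim only WSP (space, tab), as the RFC 6265 section 5.2 parsing steps do.
const trimWsp = (s) => s.replace(/^[ \t]+|[ \t]+$/g, "");

// Split a Set-Cookie string into the pair a client stores: cut at the first
// ";", split on the first "=", trim WSP. DQUOTEs are left in the value.
function storedPair(setCookie) {
  const semi = setCookie.indexOf(";");
  const pair = semi < 0 ? setCookie : setCookie.slice(0, semi);
  const eq = pair.indexOf("=");
  if (eq < 0) return null; // RFC 6265 5.2 ignores a string with no "="
  return { name: trimWsp(pair.slice(0, eq)), value: trimWsp(pair.slice(eq + 1)) };
}

// What goes back in the Cookie request header: the stored value, quotes included.
function cookieHeader(setCookie) {
  const p = storedPair(setCookie);
  return p === null ? "" : `${p.name}=${p.value}`;
}

// Check a stored value against the strict grammar and name what violates it.
function classifyValue(value) {
  const quoted = value.length >= 2 && value.startsWith('"') && value.endsWith('"');
  const inner = quoted ? value.slice(1, -1) : value;
  const problems = new Set();
  for (const ch of inner) {
    if (COOKIE_OCTET.test(ch)) continue;
    const cp = ch.codePointAt(0);
    if (cp === 0x20) problems.add("space");
    else if (cp === 0x22) problems.add("dquote");
    else if (cp > 0x7f) problems.add("non-ascii");
    else if (cp < 0x20 || cp === 0x7f) problems.add("control");
    else problems.add("separator"); // comma, semicolon or backslash
  }
  return { quoted, valid: problems.size === 0, problems: [...problems] };
}

// Constructed sample headers, not taken from the thread.
for (const h of ['sid="abc123"; Path=/', "theme=dark mode", "user=Jos\u00e9"]) {
  const { value } = storedPair(h);
  console.log(cookieHeader(h), JSON.stringify(classifyValue(value)));
}
```

A server that strips the quotes on read and compares against the unquoted form it issued will see the same cookie either way; one that compares the raw bytes will not, which is why the round-trip question matters for session and CSRF token checks.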