Re: Set-Cookie and commas in extension attributes from Nick Harper on 2021-01-15 (ietf-http-wg@w3.org from January to March 2021)

From: Nick Harper <ietf@nharper.org>
Date: Thu, 14 Jan 2021 22:01:25 -0800
To: Martin Thomson <mt@lowentropy.net>
Cc: ietf-http-wg@w3.org
Message-ID: <CACcvr==wD9PtNLxruFr355XtrGYb5QB44hnqkWuy7neBLnS0eA@mail.gmail.com>

I would imagine that the recipient would only parse the first cookie in the
header and the remainder would be treated as unknown extensions and
ignored. The following section has a note calling out Set-Cookie and that
multiple field lines shouldn’t be combined into one for that particular
header.

On Thu, Jan 14, 2021 at 9:50 PM Martin Thomson <mt@lowentropy.net> wrote:

> Just confirming this, but it appears as though comma is a valid character
> in an extension to Set-Cookie.  What happens if an intermediary combines
> two Set-Cookie header fields as permitted by the core specification[1]?
>
> [1]
> https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#field.lines
>
>

Received on Friday, 15 January 2021 06:01:48 UTC