- From: Yoav Weiss <yoav.weiss@shopify.com>
- Date: Mon, 25 Nov 2024 10:41:00 +0100
- To: Daniel Stenberg <daniel@haxx.se>
- Cc: David Schinazi <dschinazi.ietf@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CALYmMacbzkS-Zu1Ky-TS8NSq4aOtZeGg2Sz27yjvRvoBHHfUFg@mail.gmail.com>
Thanks for sharing this, David!

I'm wondering if folks have thoughts regarding:

"In truth, the true fix for this issue almost certainly lies in the IETF HTTP Working Group updating the cookie specification to both align with itself and to be strict on how systems handling cookies should behave. Whether non-ASCII characters should be allowed should be identical regardless of whether server-side or on user agents."

It seems to me that regardless of what we'd specify here, browsers won't be able to ship further restrictions without breaking *some* websites, and that certain non-ascii chars may be easier to block than others. So I think experimentation and implementation would have to guide any efforts on that front.

On Sat, Nov 23, 2024 at 11:36 AM Daniel Stenberg <daniel@haxx.se> wrote:

> On Thu, 21 Nov 2024, David Schinazi wrote:
>
> > April King just published a really cool blog post [1] about cookies. In
> > particular, it mentions some ways in which our cookie specifications could
> > be improved. If you're interested in cookies, I highly recommend giving it a
> > read.
>
> Thanks David. I would like to just mention that I have previously raised
> several of those remarks against the cookie spec(s):
>
> - the inexplicable different syntaxes for the two ends. I seem to be the only
>   person who insists that this is still a bad idea for a spec and I have
>   accepted my defeat.
>
> - which octets should be allowed in identifiers and content - even very
>   recent 6265bis edits have changed these so right now I can't even say where
>   we are.
>
> --
>
>  / daniel.haxx.se

Received on Monday, 25 November 2024 09:41:15 UTC