- From: Watson Ladd <watsonbladd@gmail.com>
- Date: Mon, 25 Nov 2024 09:52:52 -0500
- To: Stefan Eissing <stefan@eissing.org>
- Cc: Yoav Weiss <yoav.weiss@shopify.com>, Stenberg Daniel <daniel@haxx.se>, David Schinazi <dschinazi.ietf@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Mon, Nov 25, 2024 at 5:05 AM Stefan Eissing <stefan@eissing.org> wrote: > > > > > Am 25.11.2024 um 10:41 schrieb Yoav Weiss <yoav.weiss@shopify.com>: > > > > Thanks for sharing this, David! > > > > I'm wondering if folks have thoughts regarding: "In truth, the true fix for this issue almost certainly lies in the IETF HTTP Working Group updating the cookie specification to both align with itself and to be strict on how systems handling cookies should behave. Whether non-ASCII characters should be allowed should be identical regardless of whether server-side or on user agents. " > > > > It seems to me that regardless of what we'd specify here, browsers won't be able to ship further restrictions without breaking *some* websites, and that certain non-ascii chars may be easier to block than others. So I think experimentation and implementation would have to guide any efforts on that front. > > Agree. I would also like to point out that a standard is about how cookie *should* work sanely on the interwebs to the benefit of overall safety and interoperability. That implementations allow for quirks under certain conditions/configurations has always been the case with standards meeting the real world. > > We do not spec HTTP/1.x to allow for \n only terminated header lines, just because there are deployments that do this and implementations that can be configured to accept it. We can also write an informational doc saying what the easy and interopreable subset is. > > Cheers, > Stefan > > > On Sat, Nov 23, 2024 at 11:36 AM Daniel Stenberg <daniel@haxx.se> wrote: > > On Thu, 21 Nov 2024, David Schinazi wrote: > > > > > April King just published a really cool blog post [1] about cookies. In > > > particular, it mentions some ways in which our cookie specifications could > > > be improved. If you're interested in cookies, I highly recommend giving it a > > > read. > > > > Thanks David. I would like to just mention that I have previously raised > > several of those remarks against the cookie spec(s): > > > > - the inexplicable different syntaxes for the two ends. I seem to be the only > > person who insists that this is still a bad idea for a spec and I have > > accepted my defeat. > > > > - which octets should be allowed in identifiers and content - even very > > recent 6265bis edits have changed these so right now I can't even say where > > we are. > > > > -- > > > > / daniel.haxx.se > > > > -- Astra mortemque praestare gradatim
Received on Monday, 25 November 2024 14:53:09 UTC