- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 24 Feb 2025 11:45:51 +0100
- To: Joakim Erdfelt <joakim@webtide.com>
- Cc: Yoav Weiss <yoav.weiss@shopify.com>, HTTP Working Group <ietf-http-wg@w3.org>, Patrick Meenan <patmeenan@gmail.com>, Steven Bingler <bingler@google.com>, רועי ברקאי <roybarkayyosef@gmail.com>, Watson Ladd <watsonbladd@gmail.com>, Yoav Weiss <yoav@yoav.ws>, Rory Hewitt <rory.hewitt@gmail.com>, Daniel Stenberg <daniel@haxx.se>, Colin Bendell <colin.bendell@shopify.com>
On Mon, Feb 24, 2025 at 11:33 AM Joakim Erdfelt <joakim@webtide.com> wrote: > On Mon, Feb 24, 2025 at 4:19 AM Anne van Kesteren <annevk@annevk.nl> wrote: >> One aspect the draft does not go into is that the value space of a cookie name is wider than SFV token. In particular when we look at the cookies that can be created, not just those servers should create. E.g., a cookie can be named <blah> (including the angle brackets), but you cannot delete that cookie with this proposal. > > Having `<` and `>` in the cookie-name isn't to spec. It's indeed non-conforming for a server to produce such a cookie (as per section 4), but the cookie RFC also requires user agents to support it (as per section 5) if servers violate the requirements. Hence you can definitely encounter such cookies in the wild.
Received on Monday, 24 February 2025 10:46:09 UTC