Re: Delete-Cookie header?? from Yoav Weiss on 2025-02-24 (ietf-http-wg@w3.org from January to March 2025)

From: Yoav Weiss <yoav.weiss@shopify.com>
Date: Mon, 24 Feb 2025 11:54:55 +0100
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Joakim Erdfelt <joakim@webtide.com>, HTTP Working Group <ietf-http-wg@w3.org>, Patrick Meenan <patmeenan@gmail.com>, Steven Bingler <bingler@google.com>, רועי ברקאי <roybarkayyosef@gmail.com>, Watson Ladd <watsonbladd@gmail.com>, Yoav Weiss <yoav@yoav.ws>, Rory Hewitt <rory.hewitt@gmail.com>, Daniel Stenberg <daniel@haxx.se>, Colin Bendell <colin.bendell@shopify.com>
Message-ID: <CALYmMaddLYrYuee=eBVv+8XSJPcdZ4epARJP2d8E7mkpEu-o+g@mail.gmail.com>

On Mon, Feb 24, 2025 at 11:46 AM Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Feb 24, 2025 at 11:33 AM Joakim Erdfelt <joakim@webtide.com>
> wrote:
> > On Mon, Feb 24, 2025 at 4:19 AM Anne van Kesteren <annevk@annevk.nl>
> wrote:
> >> One aspect the draft does not go into is that the value space of a
> cookie name is wider than SFV token. In particular when we look at the
> cookies that can be created, not just those servers should create. E.g., a
> cookie can be named <blah> (including the angle brackets), but you cannot
> delete that cookie with this proposal.
> >
> > Having `<` and `>` in the cookie-name isn't to spec.
>
> It's indeed non-conforming for a server to produce such a cookie (as
> per section 4), but the cookie RFC also requires user agents to
> support it (as per section 5) if servers violate the requirements.
> Hence you can definitely encounter such cookies in the wild.
>

What's the best way to handle that? Take a list of SF strings?

Received on Monday, 24 February 2025 10:55:10 UTC