- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 24 Feb 2025 12:30:03 +0100
- To: Yoav Weiss <yoav.weiss@shopify.com>
- Cc: Joakim Erdfelt <joakim@webtide.com>, HTTP Working Group <ietf-http-wg@w3.org>, Patrick Meenan <patmeenan@gmail.com>, Steven Bingler <bingler@google.com>, רועי ברקאי <roybarkayyosef@gmail.com>, Watson Ladd <watsonbladd@gmail.com>, Yoav Weiss <yoav@yoav.ws>, Rory Hewitt <rory.hewitt@gmail.com>, Daniel Stenberg <daniel@haxx.se>, Colin Bendell <colin.bendell@shopify.com>
On Mon, Feb 24, 2025 at 11:54 AM Yoav Weiss <yoav.weiss@shopify.com> wrote:
> On Mon, Feb 24, 2025 at 11:46 AM Anne van Kesteren <annevk@annevk.nl> wrote:
>> It's indeed non-conforming for a server to produce such a cookie (as
>> per section 4), but the cookie RFC also requires user agents to
>> support it (as per section 5) if servers violate the requirements.
>> Hence you can definitely encounter such cookies in the wild.
>
> What's the best way to handle that? Take a list of SF strings?

I think there are at least two somewhat reasonable solutions here:

1. We only allow tokens and call this out as an intentional limitation of Delete-Cookie to further encourage servers to ensure they only produce "valid" cookies.
2. We allow both tokens and strings.

I would probably opt for 1 personally given that 2 is an easy upgrade if we decide there is a need for it in the future.

Received on Monday, 24 February 2025 11:30:21 UTC