- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Mon, 24 Feb 2025 15:53:20 +0100
- To: ietf-http-wg@w3.org

On 24.02.2025 at 12:30, Anne van Kesteren wrote:
> On Mon, Feb 24, 2025 at 11:54 AM Yoav Weiss <yoav.weiss@shopify.com> wrote:
>> On Mon, Feb 24, 2025 at 11:46 AM Anne van Kesteren <annevk@annevk.nl> wrote:
>>> It's indeed non-conforming for a server to produce such a cookie (as
>>> per section 4), but the cookie RFC also requires user agents to
>>> support it (as per section 5) if servers violate the requirements.
>>> Hence you can definitely encounter such cookies in the wild.
>>
>> What's the best way to handle that? Take a list of SF strings?
>
> I think there's at least two somewhat reasonable solutions here:
>
> 1. We only allow tokens and call this out as an intentional limitation
> of Delete-Cookie to further encourage servers to ensure they only
> produce "valid" cookies.
> 2. We allow both tokens and strings.
>
> I would probably opt for 1 personally given that 2 is an easy upgrade
> if we decide there is a need for it in the future.

FWIW, I had the same thought this morning, checked 6265bis and was happy
(with that nagging feeling that the ABNF might not tell the full truth).

And yes, I concluded the same thing as Option 1 :-)

Best regards, Julian

PS: I hear mnot screaming already, but allowing both tokens and strings
could fix that later.

Received on Monday, 24 February 2025 14:53:24 UTC
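
An added example, not part of the message above or of any draft: a Python check of which cookie names each option from the thread could carry, using the RFC 6265 section 4 `cookie-name` grammar and the RFC 8941 token and string grammars. It assumes Delete-Cookie would carry each name as a Structured Fields Item; `classify`, `deletable` and the sample names are constructed for illustration.

```python
import re

# tchar set shared by RFC 6265 section 4 cookie-name (a token) and RFC 8941.
TCHAR = r"!#$%&'*+\-.^_`|~0-9A-Za-z"
COOKIE_NAME = re.compile(rf"[{TCHAR}]+")
# RFC 8941 sf-token: (ALPHA / "*") *(tchar / ":" / "/")
SF_TOKEN = re.compile(rf"[A-Za-z*][{TCHAR}:/]*")
# RFC 8941 sf-string content: printable ASCII only; '"' and '\' are escaped.
SF_STRING_CONTENT = re.compile(r"[\x20-\x7e]*")

# Constructed sample names, not taken from the thread.
SAMPLE = ["session", "_track", "2fa", "cart[items]", 'a"b', "naïve"]


def classify(name: str) -> dict:
    """Report section 4 conformance and the Structured Fields form of a name."""
    conforming = COOKIE_NAME.fullmatch(name) is not None
    if SF_TOKEN.fullmatch(name):
        form, item = "token", name
    elif SF_STRING_CONTENT.fullmatch(name):
        escaped = name.replace("\\", "\\\\").replace('"', '\\"')
        form, item = "string", f'"{escaped}"'
    else:
        form, item = "unrepresentable", None
    return {"conforming": conforming, "form": form, "item": item}


def deletable(names, allow_strings: bool) -> list:
    """Names expressible under option 1 (tokens only) or option 2 (tokens and strings)."""
    allowed = {"token", "string"} if allow_strings else {"token"}
    return [n for n in names if classify(n)["form"] in allowed]


if __name__ == "__main__":
    for n in SAMPLE:
        print(repr(n), classify(n))
    print("option 1:", deletable(SAMPLE, allow_strings=False))
    print("option 2:", deletable(SAMPLE, allow_strings=True))
```

Under these grammars a name that starts with a digit or underscore is a conforming `cookie-name` but not an sf-token, and a non-ASCII name fits neither form.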