- From: Matt Metzger <matthew.metzger@shopify.com>
- Date: Mon, 24 Feb 2025 13:33:52 -0500
- To: ietf-http-wg@w3.org
- Message-ID: <CABHwnFTzjJhRKAvWUYSFgzvoZk3eAQKnJrVp6UsPjo_iQy8=Dg@mail.gmail.com>

On Mon, Feb 24, 2025 at 11:54 AM Yoav Weiss <yoav.weiss@shopify.com> wrote:

> On Mon, Feb 24, 2025 at 11:46 AM Anne van Kesteren <annevk@annevk.nl> wrote:
>> It's indeed non-conforming for a server to produce such a cookie (as
>> per section 4), but the cookie RFC also requires user agents to
>> support it (as per section 5) if servers violate the requirements.
>> Hence you can definitely encounter such cookies in the wild.
>
> What's the best way to handle that? Take a list of SF strings?

I lean heavily towards ensuring Delete-Cookie can remove both valid and invalid cookies, because it's quite likely this will be used to clean up cookies which originated from sources beyond control of the server issuing the Delete-Cookie. In those cases, the validity of those cookies may be beyond control as well. A few examples:

* Cookies that were set by third-party JS
* Cookies that were set by a different application on the same host (path-based routing to disparate services)
* Cookies that were tossed upward from a subdomain (e.g. `forum.example.com` issuing a `Set-Cookie: something=bad; Domain=example.com`)

Received on Tuesday, 25 February 2025 09:54:29 UTC