Re: Delete-Cookie header??

On Tue, 25 Feb 2025, Daniel Veditz wrote:

>> The fact that the syntax is specified twice in the spec, and they are 
>> different, is a recipe for exactly this, and it has been so ever since 6265
>
> RFC 6265 did not create that problem, it tried to make sense of how the web 
> was already working.

I disagree quite strongly. It is not about who "created that problem". I don't 
even quite understand which problem that is.

Basically all client-server protocols have this nature of two sides of the 
story. That doesn't mean that we need to give in to that and document them 
separately from both sides as two different syntaxes. But the cookie spec 
does. I claim it confuses readers and makes the spec hard to read and 
repeatedly misunderstood.

But I have not managed to convince enough others about this so I accept that I 
am in the losing team on this and therefore 6265bis has the same setup.

> By documenting it, and arguing about the corner cases where implementations 
> diverged, we nudged implementations into much more consistent and compatible 
> behavior than existed before RFC 6265.

I am not arguing against 6265 or the need for a spec. If you believe that it 
seems I have completely missed to express my point. I have participated quite 
actively in both the making of 6265 as well as 6265bis.

The question is *how* to document.

You can count on me bringing up the subject again when we start working on the 
next cookie spec update.

-- 

  / daniel.haxx.se

Received on Tuesday, 25 February 2025 22:41:25 UTC