[whatwg/fetch] The comma-delimited combined value definition does not support Set-Cookie headers (#345)

The [spec](https://fetch.spec.whatwg.org/#concept-header-value-combined) says: 

> A combined value, given a name (name) and header list (list), is the values of all headers in list whose name is name, separated from each other by `,`, in order.

This properly follows the [HTTP/1.1 Message Syntax and Routing Standards](https://tools.ietf.org/html/rfc7230#section-3.2.2), which says:
> A recipient MAY combine multiple header fields with the same field name into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field value to the combined field value in order, separated by a comma.

However, headers with the name `Set-Cookie` are discussed as a special case:
> Note: In practice, the "Set-Cookie" header field ([RFC6265]) often appears multiple times in a response message and does not use the list syntax, violating the above requirements on multiple header fields with the same name.  Since it cannot be combined into a single field-value, recipients ought to handle "Set-Cookie" as a special case while processing header fields.  (See Appendix A.2.3 of [Kri2001] for details.)

The `Set-Cookie` header field is defined [here](https://tools.ietf.org/html/rfc6265#section-4.1.1). A couple of its sub-rules, specifically `path-value` and `extension-av`, allow commas as part of the elements. This means that header-field values for `Set-Cookie` names should not be comma-delimited.

Also to note from "HTTP State Management Mechanism" from the latter link above:
> Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name.  (See Section 5.2 for how user agents handle this case.)

**Conclusion: The Fetch spec should be updated with an exception for handling the `Set-Cookie` header name case**

(please double-check my interpretation, I could be wrong!)

---
https://github.com/whatwg/fetch/issues/345

Received on Friday, 29 July 2016 17:09:06 UTC
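
The ambiguity described in the issue above, as an added example that is not part of the original message or of the Fetch spec: it models the quoted combined-value definition on a constructed header list and shows that splitting the result on `,` cannot recover the original `Set-Cookie` fields. The cookie names and values and all function names are assumptions made for illustration.

```javascript
// Constructed header list: two Set-Cookie fields in one response.
// Path (path-value) and "note" (extension-av) legally contain commas per RFC 6265.
const headerList = [
  ["Content-Type", "text/html"],
  ["Set-Cookie", "sid=abc123; Path=/a,b; Secure"],
  ["Set-Cookie", "theme=dark; Path=/; note=x,y"],
];

// All values for a header name, in order (names compare case-insensitively).
function fieldValues(name, list) {
  const wanted = name.toLowerCase();
  return list.filter(([n]) => n.toLowerCase() === wanted).map(([, v]) => v);
}

// Combined value as quoted from the Fetch spec: the values joined by ",".
function combinedValue(name, list) {
  return fieldValues(name, list).join(",");
}

// What a consumer of the combined value would have to do to get fields back.
function splitCombined(value) {
  return value.split(",").map((s) => s.trim());
}

// True if a set-cookie-string carries the given attribute (e.g. "Secure").
function hasAttribute(setCookieString, attr) {
  return setCookieString
    .split(";")
    .slice(1) // skip the leading name=value pair
    .some((av) => av.trim().split("=")[0].toLowerCase() === attr.toLowerCase());
}

// Compare the lossless per-field view with the round trip through the combined value.
function compareViews(list) {
  const separate = fieldValues("Set-Cookie", list);
  const recovered = splitCombined(combinedValue("Set-Cookie", list));
  return {
    separate,
    recovered,
    secureKept: hasAttribute(separate[0], "Secure"),
    secureAfterSplit: hasAttribute(recovered[0], "Secure"),
  };
}

console.log(compareViews(headerList));
```

After the round trip the first fragment is `sid=abc123; Path=/a`, so the `Secure` attribute of the `sid` cookie no longer travels with it, while the per-field view keeps both cookies intact.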