-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support no-value cookies? #1
Comments
One option (though it complicates the API slightly) would be to default to stricter https://tools.ietf.org/html/rfc6265#section-4.1 rules by default, but have a flag to permit relaxation to https://tools.ietf.org/html/rfc6265#section-5.2 rules when absolutely necessary for interoperability, e.g. ... {[' permissive ']: true} - similarly the read APIs could have an option to relax parsing ... {[' permissive ']: true} |
Another alternative to all this would be a radically simpler API - navigator.getCookies().then(jar => {...} ) which is merely an async read of document.cookie, and navigator.setCookie(string).then(() => {...}) which is merely an async write of document.cookie @cramforce what do you think? how much hand-holding, parsing assistance, etc. is actually useful? |
(that's more or less the original proposal by @slightlyoff from w3c/ServiceWorker#707 (comment) ) |
Forked that radically simpler API discussion to #8 |
See also this discussion of nameless and/or valueless cookies: https://www.ietf.org/mail-archive/web/http-state/current/msg00320.html The cookie RFC says valueless set-cookie attempts are ignored, but in fact browsers do not seem to ignore them. |
@abarth - do you have any idea whether valueless cookies are used in the real world? |
@bsittler If they exist in the wild, they're exceedingly rare. They certainly have cropped up at least once in the past. If you're defining a new API for cookies, I wouldn't worry about them. It's debatable whether folks implementing existing APIs (i.e., document.cookie and Set-Cookie) ought to worry about them. |
@inikulin did some excellent work on ferreting out implementation-vs.-spec and implementation-vs.-implementation behavior mismatches as part of whatwg/html#804 - one of the clearest signals I perceive in those results so far is that empty-name and empty-value cookies are not handled at all consistently across browsers. Omitting support for setting them is likely the right thing to do. For reads it's not clear to me what is best; we could omit them, we could treat them as anonymous cookies with values, or we could treat them as named cookies with no values. For the degenerate case of anonymous, valueless cookies I think the near-consensus among the implementations is to simply ignore them Edit: deep link to results page: http://inikulin.github.io/cookie-compat/ Edit 2: A few more observations:
|
The new explainer outlines a more restrictive API which disallows both reading and writing no-value cookies. Some of the other inconsistencies mentioned here are implicitly addressed by that outline (character set: always UTF-8 for reading and writing/USVString from script perspective, max-age: not present in the proposed API for writing cookies, multiple occurrence of the same attribute: not possible in the proposed API for writing cookies) but the rest still need to be addressed. |
Fixed explainer link |
Please stop spamming my inbox with notifications that you edited a post :(. We can all just see the new post... |
Will do, didn't realize! On Jul 27, 2016 10:39, "Domenic Denicola" [email protected] wrote:
|
Further reading of the cookie compatibility results from https://inikulin.github.io/cookie-compat/ makes it fairly obvious that there is de-facto standard behavior for Set-Cookie with no '=' across all browsers tested except Safari. Specifically, it is treated identically to the same Set-Cookie prefixed with '=', and updates the cookie with the empty-string name. I will go ahead and follow the majority behavior here in the polyfill and assume the spec will probably be changed to match that. |
Adopt handling common to all tested browsers other than Safari (source: https://inikulin.github.io/cookie-compat/ ) for no-name cookies: name is empty string if no name is present. Assume this will end up in the spec at some point. See also #1 Fix a bug that caused spurious non-reporting of similar cookie changes from separate CookeStores watched by the same CookieObserver
Apparently
document.cookie
supports cookies with no value viadocument.cookie = "foo"
. This is distinct on the wire (i.e. in the resulting HTTP headers) from cookies with value empty string (document.cookie = "foo="
).Is support for this needed, so that this API encompasses the entire cookie data model, or can we be stricter?
Related: whatwg/html#804
The text was updated successfully, but these errors were encountered: