CookieStore allows you to set a cookie with no name and value #149
Comments
Thanks for pointing out this issue and providing context @DCtheTall! @mikewest as the cookies RFC author, what would your recommendation be?
Yes, thanks @DCtheTall! It sounds like the rest of the world got a little bit less broken while we had this in progress, and can catch up. I agree that we should make My reading of httpwg/http-extensions#159 is that to align we would still allow A new step in https://wicg.github.io/cookie-store/#set-a-cookie should take care of it, e.g.: If name’s length is 0 and value’s length is 0, then return failure. https://wicg.github.io/cookie-store/#intro-opinions needs a rewrite/update (but that was already the case)
@inexorabletash thanks for the response. I wonder if https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-06#section-5.4 also needs to be updated with a step to ignore cookies with no name and value, but I think there is probably a better place to discuss that 😅
@mikewest thanks, I'll have a PR put together for this repository shortly and I'll open a bug for 5.4 of rfc6265bis. I agree that I think the assumption that a restriction in 5.3 will automatically apply to any cookie running through the algorithm in 5.4, which APIs like this one show is not always the case 😄
It has recently come to my attention that it is possible to set a cookie with the `cookieStore` API using empty name and value strings. This is not spec compliant with how most browsers parse `Set-Cookie` headers.

In Chrome, it is currently possible to set a cookie using the following:

I have not tested in other browsers but can get back to you on that if others are interested.

As discussed here, Safari, Firefox, and now Chrome ignore cookies set with `""` or `"="`. I think the CookieStore API should mirror this behavior as well. The Promise returned by `set('', '')` should either be rejected or resolve and the cookie is ignored (imho I think the former is more appropriate).

There are currently web platform tests that exercise this behavior which I believe need to be changed as well.
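
The check discussed in this thread, sketched as an added example (not part of the original issue, the cookie-store spec, or any browser's code). The function names, the in-memory store, and the simplified name/value splitting are assumptions made for illustration.

```javascript
// Step proposed in the thread for "set a cookie":
//   if name's length is 0 and value's length is 0, then return failure.
function isEmptyCookie(name, value) {
  return String(name).length === 0 && String(value).length === 0;
}

// Assumed simplification of header parsing: keep the text before the first
// ";", split it at the first "=", and treat a pair without "=" as a
// nameless value.
function parseNameValuePair(setCookieString) {
  const pair = setCookieString.split(";", 1)[0];
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq).trim();
  const value = (eq === -1 ? pair : pair.slice(eq + 1)).trim();
  return { name, value };
}

// Header path: "" and "=" both yield an empty name and an empty value,
// so the cookie is ignored, matching the browser behaviour the issue cites.
function acceptsSetCookie(setCookieString) {
  const { name, value } = parseNameValuePair(setCookieString);
  return !isEmptyCookie(name, value);
}

// Hypothetical wrapper around a cookieStore-like object: the same rule on
// the API path, rejecting the Promise instead of storing the cookie.
function guardedSet(store, name, value) {
  if (isEmptyCookie(name, value)) {
    return Promise.reject(
      new TypeError("Cookie name and value are both empty"));
  }
  return store.set(name, value);
}

// Constructed in-memory stand-in for window.cookieStore so the example
// runs outside a browser.
function makeFakeStore() {
  const jar = new Map();
  return { jar, set: async (name, value) => { jar.set(name, value); } };
}
```

Applying one predicate on both the header path and the API path is what keeps the two entry points from drifting apart, which is the gap the thread describes between sections 5.3 and 5.4.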