From 49ff7cffb125608a9e96bdbf24bc9c3ab1f0fd57 Mon Sep 17 00:00:00 2001 From: Raymond Hill Date: Mon, 1 Apr 2024 08:23:10 -0400 Subject: [PATCH] Improve `[trusted-]set-cookie` scriptlets As per RFC 6265 the characters ", should be encoded but apparently browsers don't care. Remove them from the set of characters which presence trigger encoding. Related feedback: https://github.com/uBlockOrigin/uBlock-issues/issues/3178#issuecomment-2029622321 --- assets/resources/scriptlets.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/assets/resources/scriptlets.js b/assets/resources/scriptlets.js index bbef27248c87c..c4ec45164cbf6 100644 --- a/assets/resources/scriptlets.js +++ b/assets/resources/scriptlets.js @@ -975,7 +975,9 @@ function setCookieFn( name = encodeURIComponent(name); } // https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1 - if ( /[^!#-+\--:<-[\]-~]/.test(value) ) { + // The characters [",] are given a pass from the RFC requirements because + // apparently browsers do not follow the RFC to the letter. + if ( /[^!-:<-[\]-~]/.test(value) ) { value = encodeURIComponent(value); }