
cookie: reject cookie names or content with TAB characters #9659

Closed

Conversation

bagder
Member

@bagder bagder commented Oct 6, 2022

TABs in name and content seem allowed by RFC 6265: "the algorithm strips leading and trailing whitespace from the cookie name and value (but maintains internal whitespace)"

Cookies with TABs in the names are rejected by Firefox and Chrome.

TABs in content are stripped out by Firefox, while Chrome discards the whole cookie.

TABs in cookies also cause issues in saved netscape cookie files.

Reported-by: Trail of Bits
@bagder
Member Author

bagder commented Oct 6, 2022

According to httpwg/http-extensions#2262 the browsers are now adapting to new language in 6265bis (that was not present in 6265) which more than previously encourages implementers to allow TABs in there.

I'm not a fan, but it seems they have made up their minds. In the name of (future) interop, we probably need to keep the support and instead fix the file saving end.

@bagder
Member Author

bagder commented Oct 7, 2022

The opposite take, that instead encodes the TABs in name and values when saving, is in #9662

@bagder
Member Author

bagder commented Oct 14, 2022

Decision: we merge this PR: we start rejecting cookies with tab in name or value since they are not accepted widely and thus do not interoperate between clients and they break the cookie file when saved so they do not even work correctly with curl.

If the unlikely event happens and this behavior changes drastically in the future, we can consider going back and then take the #9662 route instead.
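The two points decided above, rejecting a TAB in cookie name or value and the way such a TAB corrupts a saved Netscape cookie file, as an added example that is not curl's code. It assumes the usual seven tab-separated Netscape columns (domain, subdomain flag, path, secure, expiry, name, value); the cookie values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Policy adopted by this PR: a cookie whose name or value contains a
 * TAB is rejected outright (empty names are rejected as well). */
bool cookie_pair_acceptable(const char *name, const char *value)
{
    if (!name || !value || !*name)
        return false;
    if (strchr(name, '\t') || strchr(value, '\t'))
        return false;
    return true;
}

/* Count the fields a tab-separated Netscape cookie file line splits into.
 * A well-formed line has exactly 7:
 * domain, include-subdomains flag, path, secure, expiry, name, value. */
size_t netscape_line_field_count(const char *line)
{
    size_t fields = 1;
    for (const char *p = line; *p; p++)
        if (*p == '\t')
            fields++;
    return fields;
}

/* Write one Netscape-style line for a constructed cookie and report how many
 * fields a reader would see. A TAB inside name or value shifts the columns,
 * so the line no longer round-trips (returns 0 if the line does not fit). */
size_t fields_after_roundtrip(const char *name, const char *value)
{
    char line[512];
    int n = snprintf(line, sizeof line,
                     "example.com\tFALSE\t/\tFALSE\t0\t%s\t%s", name, value);
    if (n < 0 || (size_t)n >= sizeof line)
        return 0;
    return netscape_line_field_count(line);
}

int main(void)
{
    printf("clean cookie: accepted=%d fields=%zu\n",
           cookie_pair_acceptable("session", "abc123"),
           fields_after_roundtrip("session", "abc123"));
    printf("TAB in value: accepted=%d fields=%zu\n",
           cookie_pair_acceptable("session", "ab\tc"),
           fields_after_roundtrip("session", "ab\tc"));
    return 0;
}
```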
