Open ii64 opened 8 months ago
(attn @neild)
Just adding some extra context here on what Chromium did: it basically allows " and some others, effectively changing the grammar to:

cookie-value = *cookie-value-octet
cookie-value-octet = %x20-3A / %x3C-7E / %x80-FF
; octets excluding CTLs and ";"

A reference to the Chromium implementation: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/cookies/parsed_cookie.cc
Is this a duplicate of #46443 ?
> Is this a duplicate of #46443 ?

No, this one is expecting an interface for cookie validation, i.e. customizability of the cookie-value grammar.
If I understand this issue correctly, Go also doesn't support any non-ASCII values in the cookie value. E.g.:

```go
package main

import (
	"fmt"
	"net/http"
)

func main() {
	// Build a response carrying two Set-Cookie headers: one with a
	// non-ASCII value and one with a plain ASCII value.
	var resp http.Response
	resp.Header = map[string][]string{
		"Set-Cookie": {
			"emoji=å∫∂ƒ§πø¥†®€æ; path=/; secure",
			"text=hello world!; path=/; secure",
		},
	}
	// Cookies() silently drops any cookie whose value fails validation.
	for _, c := range resp.Cookies() {
		fmt.Printf("%+#v\n", c)
	}
}
```
will print only the second cookie.
I have experienced a similar problem with backslashes. Backslashes are not allowed in cookie-value, but web browsers have no problem with it. You can check this behavior by accessing the url httpbin-url-test, which sets a cookie value using backslashes to escape unicode characters. It would be nice if a custom validator for cookie values could be implemented.
Related code: https://github.com/golang/go/blob/30b6fd60a63c738c2736e83b6a6886a032e6f269/src/net/http/cookie.go#L472
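As an added example (not code from the Go project or from any commenter in this thread): a pluggable per-byte value validator in Go, with the RFC 6265 cookie-octet grammar beside the Chromium grammar quoted above, and a toy Set-Cookie name/value parser that drops a cookie when its value fails the chosen validator, in the spirit of how net/http behaves. The ValueValidator type, ParseSetCookie, and the sample header lines (including the quoted utid value and the backslash-escaped value) are assumptions constructed for this illustration, not net/http API.

```go
package main

import (
	"fmt"
	"strings"
)

// ValueValidator reports whether one raw cookie-value byte is acceptable.
// Hypothetical hook of the kind this issue asks for; not part of net/http.
type ValueValidator func(b byte) bool

// RFC6265CookieOctet implements cookie-octet from RFC 6265 section 4.1.1:
// %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E, i.e. printable US-ASCII
// excluding CTLs, whitespace, DQUOTE, comma, semicolon and backslash.
func RFC6265CookieOctet(b byte) bool {
	switch {
	case b == 0x21:
		return true
	case 0x23 <= b && b <= 0x2B:
		return true
	case 0x2D <= b && b <= 0x3A:
		return true
	case 0x3C <= b && b <= 0x5B:
		return true
	case 0x5D <= b && b <= 0x7E:
		return true
	}
	return false
}

// ChromiumCookieValueOctet implements the relaxed grammar quoted above:
// %x20-3A / %x3C-7E / %x80-FF, i.e. everything except CTLs and ";".
// This admits space, DQUOTE, comma, backslash and non-ASCII bytes.
func ChromiumCookieValueOctet(b byte) bool {
	return (0x20 <= b && b <= 0x3A) || (0x3C <= b && b <= 0x7E) || b >= 0x80
}

// ValidValue checks every byte of v against the given validator.
func ValidValue(v string, ok ValueValidator) bool {
	for i := 0; i < len(v); i++ {
		if !ok(v[i]) {
			return false
		}
	}
	return true
}

// ParseSetCookie extracts name and value from a Set-Cookie header line and
// reports valid=false when the value fails the validator (mirroring how
// Cookies() drops a cookie rather than returning it). Attributes after the
// first ";" are ignored in this toy parser.
func ParseSetCookie(line string, ok ValueValidator) (name, value string, valid bool) {
	nv, _, _ := strings.Cut(line, ";")
	nv = strings.TrimSpace(nv)
	name, value, found := strings.Cut(nv, "=")
	if !found || name == "" {
		return "", "", false
	}
	// RFC 6265 allows the whole value to be wrapped in DQUOTEs; strip the
	// wrapper and validate what is inside, so only embedded quotes matter.
	if len(value) >= 2 && value[0] == '"' && value[len(value)-1] == '"' {
		value = value[1 : len(value)-1]
	}
	if !ValidValue(value, ok) {
		return name, value, false
	}
	return name, value, true
}

func main() {
	// Constructed sample headers covering the cases raised in this thread.
	headers := []string{
		"plain=abc123; Path=/; Secure",
		"emoji=å∫∂ƒ§πø¥†®€æ; path=/; secure",
		"text=hello world!; path=/; secure",
		`utid="x"y"; path=/`,
		`esc=\u00e9t\u00e9; path=/`,
	}
	for _, h := range headers {
		n, _, strict := ParseSetCookie(h, RFC6265CookieOctet)
		_, _, lenient := ParseSetCookie(h, ChromiumCookieValueOctet)
		fmt.Printf("%-6s rfc6265=%-5v chromium=%v\n", n, strict, lenient)
	}
}
```

Swapping the validator is the whole point: the same header lines are rejected under the RFC 6265 grammar and accepted under the Chromium one, which is the behaviour difference the thread describes. Both validators still reject ";" and CTLs, since those would break attribute parsing or allow header-level confusion.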
Go version

go version go1.22.0 linux/amd64

Output of go env in your module/workspace:

What did you do?

I was trying to get any valid cookies given in the HTTP response header, specifically via the Set-Cookie header entry. https://go.dev/play/p/M8hiEzF_n97

What did you see happen?

In the example code, the Cookies method excludes utid because it has quotation mark chars inside cookie-value. Looking at the RFC in the comment, https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1, quotation mark " or in hex 0x22 is excluded, which is already expected behaviour. However, for web browsers that behaviour is totally fine.

What did you expect to see?

Interface for custom validation for valid cookies