Open sbingler opened 2 years ago
Are browsers consistent across attributes for this? If not, this might be risky to change, but it's still worth settling on a set of rules for new attributes.
Chrome has recently aligned with the other browsers on how an empty `Domain` attribute is handled #1332, so there is at least one where we were inconsistent.
A number of cookie attributes accept values which must conform to some requirement of the attribute. These values can be more freeform such as `Domain` or `Path` or must be an item from an enumerated set such as `SameSite`'s `{None, Lax, Strict}`.

We've had some recent issues trying to clarify how an attribute should handle values it doesn't understand or that are invalid, such as https://github.com/httpwg/http-extensions/issues/1757 and https://github.com/httpwg/http-extensions/issues/1332.
Rather than attack these piecewise, we should consider examining all applicable attributes and determine a reasonable course of action for bad input: Drop the cookie, ignore the attribute, use some default, use the most recent valid input of the attribute*, etc.
* I.e.:
`Set-Cookie: foo=bar; ExampleAttribute=valid1; ExampleAttribute=valid2; ExampleAttribute=invalid`
the cookie processing logic would extract `valid2` as it's the last value it understood.
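
The four options listed in the issue, run against its own `Set-Cookie` example, as an added illustration that is not part of the original post or of any browser's code. The policy names, function names, the default of `valid1`, and the choice that the last occurrence of an attribute is the effective one are assumptions made for this sketch.

```javascript
// Hypothetical policy names for the options listed in the issue.
const POLICIES = ["drop-cookie", "ignore-attribute", "use-default", "last-valid"];

// Split a Set-Cookie header value into its name=value pair and attribute list.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  const attrs = rest.map((part) => {
    const i = part.indexOf("=");
    const name = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    return { name, value: i === -1 ? "" : part.slice(i + 1).trim() };
  }).filter((a) => a.name !== "");
  const name = eq === -1 ? "" : pair.slice(0, eq).trim();
  return { name, value: pair.slice(eq + 1).trim(), attrs };
}

// Decide what one attribute resolves to under a given bad-input policy.
// Assumption: the last occurrence is the effective one; the policy only
// matters when that occurrence fails validation.
function resolveAttribute(header, attrName, isValid, policy, defaultValue) {
  if (!POLICIES.includes(policy)) throw new Error(`unknown policy: ${policy}`);
  const wanted = attrName.toLowerCase();
  const seen = parseSetCookie(header).attrs.filter((a) => a.name === wanted);
  if (seen.length === 0) return { stored: true, value: undefined };
  const last = seen[seen.length - 1];
  if (isValid(last.value)) return { stored: true, value: last.value };
  switch (policy) {
    case "drop-cookie": return { stored: false, value: undefined };
    case "ignore-attribute": return { stored: true, value: undefined };
    case "use-default": return { stored: true, value: defaultValue };
    default: { // "last-valid": fall back to the most recent value that validated
      const ok = seen.filter((a) => isValid(a.value));
      return { stored: true, value: ok.length ? ok[ok.length - 1].value : undefined };
    }
  }
}

// Constructed input: the header from the post; only valid1/valid2 are accepted.
const HEADER = "foo=bar; ExampleAttribute=valid1; ExampleAttribute=valid2; ExampleAttribute=invalid";
const isValid = (v) => ["valid1", "valid2"].includes(v);

function comparePolicies() {
  return Object.fromEntries(POLICIES.map((p) =>
    [p, resolveAttribute(HEADER, "ExampleAttribute", isValid, p, "valid1")]));
}
console.log(comparePolicies());
```

The same header yields four different outcomes, which is the interoperability risk when user agents pick different policies for the same attribute.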