httpwg / http-extensions

HTTP Extensions in progress
https://httpwg.org/http-extensions/

RFC6265bis: Attributes should specify how missing/invalid values should be handled #2046

Open sbingler opened 2 years ago

sbingler commented 2 years ago

A number of cookie attributes accept values which must conform to some requirement of the attribute. These values can be more freeform, such as Domain or Path, or must be an item from an enumerated set, such as SameSite's {None, Lax, Strict}.

We've had some recent issues trying to clarify how an attribute should handle values it doesn't understand or that are invalid, such as https://github.com/httpwg/http-extensions/issues/1757 and https://github.com/httpwg/http-extensions/issues/1332.

Rather than attack these piecewise, we should consider examining all applicable attributes and determine a reasonable course of action for bad input: Drop the cookie, ignore the attribute, use some default, use the most recent valid input of the attribute*, etc.

* I.e., for `Set-Cookie: foo=bar; ExampleAttribute=valid1; ExampleAttribute=valid2; ExampleAttribute=invalid`, the cookie processing logic would extract valid2, as it's the last value it understood.
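The four options listed in the comment above, applied to its footnote header (an added example, not part of the original thread, the RFC6265bis draft, or any browser's code). The policy names, the valid set for ExampleAttribute, the `valid1` default, and the choice to judge only the last occurrence before falling back are assumptions.

```javascript
// Added illustration; not text from RFC6265bis or any browser's code.
// Policy names and ExampleAttribute's valid set are assumptions.
const POLICIES = ["drop-cookie", "ignore-attribute", "use-default", "last-valid"];

// Split a Set-Cookie value into its name=value pair and its attributes,
// kept in order of appearance.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const attributes = rest.filter(Boolean).map((av) => {
    const eq = av.indexOf("=");
    return eq === -1
      ? { name: av.toLowerCase(), value: "" }
      : { name: av.slice(0, eq).trim().toLowerCase(), value: av.slice(eq + 1).trim() };
  });
  return { pair, attributes };
}

// Resolve one attribute under a bad-input policy.
// Returns { stored, value }: whether the cookie is kept, and the effective value.
function resolveAttribute(header, attrName, isValid, policy, defaultValue = null) {
  if (!POLICIES.includes(policy)) throw new Error(`unknown policy: ${policy}`);
  const values = parseSetCookie(header).attributes
    .filter((a) => a.name === attrName.toLowerCase())
    .map((a) => a.value);
  if (values.length === 0) return { stored: true, value: null }; // attribute absent
  const last = values[values.length - 1];
  if (isValid(last)) return { stored: true, value: last }; // same under every policy
  switch (policy) {
    case "drop-cookie":
      return { stored: false, value: null };
    case "ignore-attribute": // cookie kept, attribute treated as absent
      return { stored: true, value: null };
    case "use-default":
      return { stored: true, value: defaultValue };
    default: { // "last-valid": most recent occurrence that validates
      const valid = values.filter(isValid);
      return { stored: true, value: valid.length ? valid[valid.length - 1] : null };
    }
  }
}

// Constructed sample input: the header from the footnote above.
const SAMPLE = "foo=bar; ExampleAttribute=valid1; ExampleAttribute=valid2; ExampleAttribute=invalid";
const isValidExample = (v) => ["valid1", "valid2"].includes(v);

// Run every policy over the same header so the outcomes can be compared.
function comparePolicies(header = SAMPLE) {
  return Object.fromEntries(POLICIES.map((p) =>
    [p, resolveAttribute(header, "ExampleAttribute", isValidExample, p, "valid1")]));
}
```

The same header yields four different outcomes (cookie dropped, attribute absent, `valid1`, `valid2`), which is the interoperability gap the issue asks the spec to close.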

annevk commented 2 years ago

Are browsers consistent across attributes for this? If not, this might be risky to change, but it's still worth settling on a set of rules for new attributes.

sbingler commented 2 years ago

Chrome has recently aligned with the other browsers on how an empty Domain attribute is handled (#1332), so there is at least one where we were inconsistent.