net/http: Allow double-quoted cookie values #10195
Comments
Proposed fix: https://go-review.googlesource.com/7803
And here's some code demonstrating the issue: https://play.golang.org/p/O4tC8fI8PY
I think you read the RFC wrong. A cookie value may NOT contain a double quote. It even says so:
A double quote is only used to encode the value of a cookie when necessary (like it starting with a space).
Please describe the problem more. A client application shouldn't depend on a cookie being written as
Thanks for the feedback Brad. I am OK with this being closed and I can set the HTTP headers directly like you said. Just for my own understanding, though, if you don't mind:
But you're referencing the cookie-octet here. There is also a cookie-value specification; this is what I was assuming should be allowed in the Value field for a cookie:
Am I misreading the RFC? Misunderstanding what Go's Cookie.Value field represents?
Go's Cookie.Value is the unencoded value. The quoting in the RFC is for encoding it. This snippet should make it clear: http://play.golang.org/p/8vA9El_3iU Note that
RFC 6265[1] allows cookie values to be double-quoted[2]. However, the current sanitization code strips the double quotes out of a double-quoted value (i.e., a value beginning with a double quote and ending with a double quote). Ironically, the sanitization code double quotes a value if it begins or ends with a space or comma. The RFC grammar specification allowing the surrounding double quotes is also included in the comments of the sanitizeCookieValue() function.
The inability to double-quote a cookie value is preventing me from duplicating the behavior of a legacy Java system I am replacing.
There was some tangentially related conversation for #7243, but that conversation did not address this issue specifically.
[1] http://tools.ietf.org/html/rfc6265
[2] cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
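The behaviour the report describes (surrounding quotes stripped by sanitization, a value with a leading space wrapped in DQUOTE) and the point made in the reply above (Cookie.Value is the unencoded value; the RFC's quotes are an encoding) can be observed directly with net/http. The program below is an added example, not code from this issue or from the Go project; the cookie name `session` and the sample values are constructed. It renders a value the way a Set-Cookie header would carry it, parses it back the way a server reading a Cookie header would, and shows what survives the round trip.

```go
package main

import (
	"fmt"
	"net/http"
)

// encode renders a cookie the way net/http writes it into a Set-Cookie or
// Cookie header. net/http treats Cookie.Value as the unencoded value and
// adds the RFC 6265 DQUOTE wrapper itself only when it has to (for example
// when the value starts with a space). Bytes that are not valid
// cookie-octets, including a double quote and a semicolon, are dropped.
func encode(name, value string) string {
	c := &http.Cookie{Name: name, Value: value}
	return c.String()
}

// decode parses a raw Cookie header line as a server would and returns the
// value net/http hands back for the named cookie. A surrounding pair of
// double quotes is treated as encoding and stripped.
func decode(rawHeader, name string) (string, bool) {
	req := &http.Request{Header: http.Header{}}
	req.Header.Set("Cookie", rawHeader)
	c, err := req.Cookie(name)
	if err != nil {
		return "", false
	}
	return c.Value, true
}

// roundTrip encodes a value and decodes it again, returning what survives.
// The cookie name "session" is a constructed example value.
func roundTrip(value string) string {
	v, _ := decode(encode("session", value), "session")
	return v
}

func main() {
	// Constructed sample values, not taken from the issue.
	samples := []string{"abc123", " leading space", `"quoted"`, "a;b"}
	for _, v := range samples {
		fmt.Printf("value %-18q wire %-26q parsed %q\n",
			v, encode("session", v), roundTrip(v))
	}
}
```

Two things are worth noticing in the output. A double quote or a semicolon inside Value never reaches the wire (net/http logs the dropped bytes), so a value cannot terminate the cookie early or start a new attribute; and a value that was quoted on the wire comes back without its quotes, which is why, at the time of this issue, the quoting could not be represented in Cookie.Value at all. Go 1.23 later added a Cookie.Quoted field that records whether the value was quoted on the wire and causes String() to quote it again.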