net/http: document that SetCookie can quote the value #37055
Comments
cagedmantis
added
the
NeedsInvestigation
|
Change https://golang.org/cl/221677 mentions this issue: |
|
The quotes are allowed by RFC 6265. We could quote every value on Mondays and be compliant to the spec. The fact that the cookie value might be quoted is implicit in "a Set-Cookie header". The whole idea of providing dedicated cookie handling functions in net/http is to free the user from parsing Cookie and Set-Cookie headers himself. The value might be quoted or not but net/http, all relevant browsers and all cookie handling libraries in other languages transparently handle quoted and unquoted values. I do not see why the user needs to be informed about this particular detail of the generated Set-Cookie header. Other details are also not mentioned as they are regulated by the relevant spec (e.g. time zone of the expires field). I do not think that this behaviour should be documented: Once documented it cannot be changed anymore. The documentation states
but does not specify what exactly is considered "invalid", simply because this is a moving target: If every browser properly handles some character X and most other HTTP libraries allow X then net/http has tried to also allow X. What values are considered valid/invalid and which one need quoting has changed several times. These changes have allowed users to use Go with existing browsers and existing legacy systems. If we fix what is quoted we loos the ability to accommodate for future changes. I don't think this should be documented:
|
|
Now that the proposal #46370, to add a |
The
SetCookiefunction quotes the value if it contains spaces or commas but this behavior is not documented inSetCookiedocumentation:The text was updated successfully, but these errors were encountered: