emacs-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] url: Wrap cookie headers in url-http--encode-string.


From: Toke Høiland-Jørgensen
Subject: Re: [PATCH] url: Wrap cookie headers in url-http--encode-string.
Date: Fri, 09 Sep 2016 21:56:44 +0200

Eli Zaretskii <address@hidden> writes:

>> From: Alain Schneble <address@hidden>
>> CC: <address@hidden>, <address@hidden>, <address@hidden>,
>>      <address@hidden>
>> Date: Fri, 9 Sep 2016 21:47:23 +0200
>> 
>> > That's not the issue.  The issue is whether a cookie-value can
>> > legitimately have non-ASCII characters.  If it can, then we must
>> > _encode_ the cookie-value, as that is the only correct way of getting
>> > a unibyte string from non-ASCII characters.  And you pointed to an RFC
>> > that seems to say non-ASCII characters in cookies are possible.
>> 
>> Yes true, but I thought that maybe fixing this as described could be a
>> viable non-invasive alternative for the upcoming 25.1 release.
>
> It wouldn't be safe if cookies could include non-ASCII characters.

Well, according to this:

http://stackoverflow.com/a/1969339

Safari, at least, will reject non-ASCII cookies. Which implies that in
practice no sites will use non-ASCII values because they would break.

How would url react if it loaded a page that contained a non-ASCII
cookie string, is really the question to be asking here. Presumably
there's some kind of input sanitation somewhere?

-Toke



reply via email to

[Prev in Thread] Current Thread [Next in Thread]