[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] url: Wrap cookie headers in url-http--encode-string.
From: |
Toke Høiland-Jørgensen |
Subject: |
Re: [PATCH] url: Wrap cookie headers in url-http--encode-string. |
Date: |
Fri, 09 Sep 2016 21:56:44 +0200 |
Eli Zaretskii <address@hidden> writes:
>> From: Alain Schneble <address@hidden>
>> CC: <address@hidden>, <address@hidden>, <address@hidden>,
>> <address@hidden>
>> Date: Fri, 9 Sep 2016 21:47:23 +0200
>>
>> > That's not the issue. The issue is whether a cookie-value can
>> > legitimately have non-ASCII characters. If it can, then we must
>> > _encode_ the cookie-value, as that is the only correct way of getting
>> > a unibyte string from non-ASCII characters. And you pointed to an RFC
>> > that seems to say non-ASCII characters in cookies are possible.
>>
>> Yes true, but I thought that maybe fixing this as described could be a
>> viable non-invasive alternative for the upcoming 25.1 release.
>
> It wouldn't be safe if cookies could include non-ASCII characters.
Well, according to this:
http://stackoverflow.com/a/1969339
Safari, at least, will reject non-ASCII cookies. Which implies that in
practice no sites will use non-ASCII values because they would break.
How would url react if it loaded a page that contained a non-ASCII
cookie string, is really the question to be asking here. Presumably
there's some kind of input sanitation somewhere?
-Toke
- Re: [PATCH] url: Wrap cookie headers in url-http--encode-string., (continued)
- Re: [PATCH] url: Wrap cookie headers in url-http--encode-string., Alain Schneble, 2016/09/09
- Re: [PATCH] url: Wrap cookie headers in url-http--encode-string., Toke Høiland-Jørgensen, 2016/09/09
- Re: [PATCH] url: Wrap cookie headers in url-http--encode-string., Eli Zaretskii, 2016/09/09
- Re: [PATCH] url: Wrap cookie headers in url-http--encode-string., Alain Schneble, 2016/09/09
- Re: [PATCH] url: Wrap cookie headers in url-http--encode-string., Eli Zaretskii, 2016/09/09
- Re: [PATCH] url: Wrap cookie headers in url-http--encode-string., Alain Schneble, 2016/09/09
- Re: [PATCH] url: Wrap cookie headers in url-http--encode-string., Eli Zaretskii, 2016/09/09
- Re: [PATCH] url: Wrap cookie headers in url-http--encode-string.,
Toke Høiland-Jørgensen <=
- Re: [PATCH] url: Wrap cookie headers in url-http--encode-string., Eli Zaretskii, 2016/09/10
- Re: [PATCH] url: Wrap cookie headers in url-http--encode-string., Dmitry Gutov, 2016/09/10
- Re: [PATCH] url: Wrap cookie headers in url-http--encode-string., Eli Zaretskii, 2016/09/10
- distinguishing multibyte/unibyte ASCII (was: [PATCH] url: Wrap cookie headers in url-http--encode-string.), Stefan Monnier, 2016/09/09
- Re: distinguishing multibyte/unibyte ASCII, Toke Høiland-Jørgensen, 2016/09/09
- Re: distinguishing multibyte/unibyte ASCII, Stefan Monnier, 2016/09/09
- Re: distinguishing multibyte/unibyte ASCII, Alain Schneble, 2016/09/09
- Re: distinguishing multibyte/unibyte ASCII (was: [PATCH] url: Wrap cookie headers in url-http--encode-string.), Eli Zaretskii, 2016/09/10
Re: [PATCH] url: Wrap cookie headers in url-http--encode-string., Lars Ingebrigtsen, 2016/09/07