Comments (9)
hum, yeah, we should probably do one or the other. Or maybe both, with a strict mode that toggles between the two.
I'm curious how you ran into this (?)
from set-cookie-parser.
Actually, there's already a silent flag; lets make it just follow the RFC and drop the cookie, but have it log about dropping an invalid cookie unless the silent flag is set. Can you put up a PR to do that?
from set-cookie-parser.
I'm a bit cautious changing the behavior to drop the cookie. I'm not sure what will break for other projects depending on this if we do it this way?
A strict mode could be an option for this, and making sure that it follows the spec completely.
Could we maybe have three modes? Sloppy / non-strict (as it is now), strict, and a mode that mimics the browser behavior (like what I saw in Chrome/Firefox). That would of course be a big change to the current simplistic API that you have created.
I saw it because I'm using it for a project listing the cookies on a website. Previously I just grabbed the cookies directly from the browser, but changing it to look at set-cookie headers instead, I noticed a mismatch on some sites between the new and old code. The way that browsers interpret the cookies was the culprit.
I've also opened a bug in the Chromium tracker for this. So interested in hearing their reasoning behind this behavior.
I'd be happy to do a PR for it when it's decided how the behavior should be 🙏🏼
from set-cookie-parser.
I don't really like having 3 modes, but I could live with 2, and I suppose we could call it a semver major change on the off chance that someone is depending on the current behavior.
I'm curious to hear what Chromium folks say about this - could you link to the bug? My guess is that they're going to say that the current behavior is the de-facto standard and not change the implementation. (Or perhaps there's a newer RFC that covers it?)
from set-cookie-parser.
As far as I can see, there isn't an RFC that obsoletes 6265.
Investigating a bit more, you are right that it looks like they chose to implement it de-facto because of IE/Netscape, and therefore it doesn't match 6265 completely. Looking at https://bugzilla.mozilla.org/show_bug.cgi?id=270710 they write:
In general Mozilla wants to comply with standards. In the specific case of
cookies the historical implementations (Netscape and IE) have *never* strictly
matched the standards, and that even though it was Netscape who contributed the
standard in the first place.
Every time we've attempted to tighten up and match some aspect of the standard
that wasn't enforced before we've broken sites, and since they "work" in IE and
Netscape 4.x it's Mozilla that's considered at fault and we're forced to give in.
My Chromium issue is here: https://bugs.chromium.org/p/chromium/issues/detail?id=1346543
So I think it boils down to essentially: Do we want set-cookie-parser to parse it at browsers do? Or do we want it to strictly follow the RFC?
In my opinion, it could maybe be this option:
- Strict mode parses it exactly as the RFC (i.e. the cookie would be invalid/ignored)
- Non-strict would parse it as browsers (so changing the current behavior to have empty name, and set the value instead)
I can work on a PR on Monday if we agree on this 👍
It would be a major version because it essentially changes the behavior of the default non-strict mode.
from set-cookie-parser.
Okay, I got an update now from the Chromium team.
There is actually a new RFC that obsoletes 6265, but it's in draft, so it didn't come up in my searches.
It is called 6265bis, and have the following change:
3. If the name-value-pair string lacks a %x3D ("=") character, then
the name string is empty, and the value string is the value of
name-value-pair.
Otherwise, the name string consists of the characters up to, but
not including, the first %x3D ("=") character, and the (possibly
empty) value string consists of the characters after the first
%x3D ("=") character.
... so looks like they're actually changing the RFC to cover how it's de-facto implemented (which is nice..).
In this case, would it make sense to update the behavior in set-cookie-parser to this? I think it's mainly relevant for this library to parse like browsers do?
I'd be happy to do it.
from set-cookie-parser.
Aah, yeah, let's do that. And add a reference to 6265bis in the readme. Thank you for doing the legwork!
from set-cookie-parser.
I'll do! No problem :-) Happy to help.
from set-cookie-parser.
Feel free to comment on it.
I assume you decide on the versioning once merged.
from set-cookie-parser.
Related Issues (20)
- Reverse mechanism? HOT 1
- set-cookie-header -> set-cookie-parser HOT 1
- Split cookies string HOT 4
- const keyword in strict mode breaks Safari 9.x HOT 4
- Feature Request: Get cookie by name HOT 1
- map option does not work in 2.2.1 HOT 2
- Thanks for the RN explanation
- Add sameSite option HOT 7
- export the parseString function HOT 3
- How could access Set-Cookie from header? HOT 1
- parseCookieString doesn't return map HOT 6
- [React-Native] cannot parse expires HOT 4
- Returning Empty Object Error? HOT 2
- Document how stringify set-cookie-parser object HOT 3
- distribute ESM version HOT 6
- Add support for getSetCookie() method HOT 1
- Support for multiple cookies in one string HOT 4
- Wrong parsing: parser can't split cookies HOT 1
- Cookie parsing from string not working as expected HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from set-cookie-parser.