Cookies specification compatibility issues
Reported by
ifaaan@gmail.com,
Apr 8 2016
|
||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36 Steps to reproduce the problem: In context of discussion in https://github.com/whatwg/html/issues/804 I've made a research of cookie RFC 6265 compatibility in major browsers: http://inikulin.github.io/cookie-compat. Tests that fail in all or majority of browsers are considered de facto standard. Related spec change was suggested: https://github.com/httpwg/http-extensions/issues/159. What is the expected behavior? What went wrong? Here are the test cases that fails only in Chrome or test result differs from de facto standard: -------------------- OPTIONAL_DOMAIN0042 (http://inikulin.github.io/cookie-compat/#OPTIONAL_DOMAIN0042) Set cookie: "foo=bar; domain=foo.example.org; domain=" Results URL: http://home.example.org:8888/cookie-parser-result?optional-domain0042 GOOD (Spec, Safari, IE, Edge): "" BAD (Chrome, Firefox): "foo=bar" -------------------- 0028 (http://inikulin.github.io/cookie-compat/#0028) Set cookie: "foo" "\t" GOOD (Firefox, IE, Edge): "" BAD (Chrome): "foo" First set-cookie creates "empty-key" cookie with value "foo". Second should overwrite "empty-key" cookie with empty string ("\t" should be stripped, but not ignored) -------------------- 0024 Set cookie: "foo" "=" GOOD (Firefox, IE, Edge): "" BAD (Chrome): "foo" Same as 0028 -------------------- 0023 Set cookie: "foo" "" GOOD (Firefox, IE, Edge): "" BAD (Chrome): "foo" Same as 0028 -------------------- 0025 Set cookie: "foo" "; bar" Same as 0028 -------------------- 0026 Set cookie: "foo" "" GOOD (Firefox, IE, Edge): "" BAD (Chrome): "foo" Same as 0028 -------------------- Did this work before? No Chrome version: 49.0.2623.110 Channel: stable OS Version: 6.3 Flash Version: Shockwave Flash 21.0 r0
,
Apr 11 2016
> It is unlikely that these are Mac-specific. Yes, it's not platform-specific. Just peeked Mac, since as far as I remember platform was a required field in wizard.
,
Apr 14 2016
,
Apr 14 2016
,
Aug 12 2016
,
Aug 12 2016
I'll take a look at this.
,
Aug 12 2016
A lot of these are us deliberately copying Firefox's quirks. In cases where other browsers get away with more closely adhering to the spec, we can presumably fix behavior, but in cases where all browsers behave in the same way, it may be better to make the spec reflect what all browsers do, just from a not breaking the world standpoint, unfortunate as it may be.
,
Aug 12 2016
Agreed overall, but these reported cases include only one where Chrome and Firefox behave identically to each other and differently from the majority of tested browsers. In the remaining four reported cases Chrome behaves differently from all the other tested browsers.
,
Aug 12 2016
As bsittler says, this report is only for the few cases that are unique to Chrome and Firefox. The full chart is fascinating: https://inikulin.github.io/cookie-compat/
,
Aug 12 2016
True. The ones that I think we may have to keep are the "Set-Cookie: blah" ones, though Safari's behavior is different enough there (At least for the "Set-Cookie: blah" / "Set-Cookie: JumboShrimp" case, that maybe we don't)
,
Aug 13 2016
I've uploaded https://codereview.chromium.org/2246613003/ to hopefully address the listed issues. A quick clarification, however. Perhaps I'm missing it on the chart, but should all attributes be treated the same as domain in OPTIONAL_DOMAIN0042? That is, for example, if I have: Set cookie: "foo=bar; expires=Sun, 18-Apr-2027 21:06:29 GMT; expires=" should we ignore the second expires?
,
Aug 17 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/03e6ff8c614040f60d1a1d818411870ddb3b90e4 commit 03e6ff8c614040f60d1a1d818411870ddb3b90e4 Author: jww <jww@chromium.org> Date: Wed Aug 17 19:19:58 2016 Update cookie value and attribute setting behavior to match other UAs This is an attempt to bring Chrome's cookie behavior in line with the majority of other major UAs, and thus are de facto standards. The specific updates are: 1. An empty domain attribute value should be ignored as a non-attribute rather than setting an empty attribute value. 2. An empty cookie line (or a cookie line with ignored characters) should be treated as setting an empty value for the empty-key. BUG= 601786 Review-Url: https://codereview.chromium.org/2246613003 Cr-Commit-Position: refs/heads/master@{#412608} [modify] https://crrev.com/03e6ff8c614040f60d1a1d818411870ddb3b90e4/chrome/browser/browsing_data/browsing_data_cookie_helper_unittest.cc [modify] https://crrev.com/03e6ff8c614040f60d1a1d818411870ddb3b90e4/net/cookies/cookie_store_unittest.h [modify] https://crrev.com/03e6ff8c614040f60d1a1d818411870ddb3b90e4/net/cookies/parsed_cookie.cc [modify] https://crrev.com/03e6ff8c614040f60d1a1d818411870ddb3b90e4/net/cookies/parsed_cookie.h [modify] https://crrev.com/03e6ff8c614040f60d1a1d818411870ddb3b90e4/net/cookies/parsed_cookie_unittest.cc
,
Aug 17 2016
|
||||||
►
Sign in to add a comment |
||||||
Comment 1 by ellyjo...@chromium.org
, Apr 11 2016Labels: -OS-Mac