Message260028
The issue I'm currently running into is that although browsers correctly ignore invalid Set-Cookie values, they allow 'any CHAR except CTLs or ";"' in cookie values set via document.cookie.
So, if you say document.cookie = 'key=va"lue; path=/', the browser will happily pass 'key=va"lue;' to the server on future requests.
So, I like the behavior of this patch, which skips over these invalid cookies and continues parsing. I've cleaned the patch up a little, but it should be the same logically.

Date | User | Action | Args
2016-02-10 18:12:52 | collinanderson | set | recipients: + collinanderson, pitrou, r.david.murray, martin.panter, Tim.Graham, Pathangi Jatinshravan, harris
2016-02-10 18:12:52 | collinanderson | set | messageid: <1455127972.02.0.303234100231.issue25228@psf.upfronthosting.co.za>
2016-02-10 18:12:51 | collinanderson | link | issue25228 messages
2016-02-10 18:12:51 | collinanderson | create |
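
The skip-and-continue behaviour described in the message above, as an added example that is not part of the original message or of the patch it refers to. It assumes that "invalid" means "does not match the RFC 6265 cookie-pair grammar"; `parse_cookie_header`, its `skip_invalid` flag and the sample header are hypothetical names and constructed data.

```python
import re

# Validity here follows the RFC 6265 grammar (an assumption of this example):
# cookie-name is an HTTP token, cookie-value is *cookie-octet, optionally
# wrapped in one pair of double quotes. A bare '"' inside a value is invalid.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*"
_PAIR = re.compile(rf'({_TOKEN})=("{_OCTET}"|{_OCTET})')


def parse_cookie_header(header, skip_invalid=True):
    """Parse a Cookie request header value into (accepted, skipped).

    skip_invalid=True  -> drop a malformed pair and keep parsing.
    skip_invalid=False -> stop at the first malformed pair (contrast case).
    Both the function and the flag are hypothetical names for this example.
    """
    accepted, skipped = {}, []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue  # tolerate empty segments such as a trailing ';'
        match = _PAIR.fullmatch(chunk)
        if match is None:
            skipped.append(chunk)
            if skip_invalid:
                continue
            break  # everything after the bad pair is lost
        name, value = match.groups()
        if value.startswith('"'):
            value = value[1:-1]  # strip the surrounding DQUOTE pair
        accepted[name] = value
    return accepted, skipped


# Constructed sample: the middle cookie is the one from the message,
# set client-side via document.cookie and echoed back by the browser.
SAMPLE = 'csrftoken=x1; key=va"lue; sessionid=abc123'

if __name__ == "__main__":
    print(parse_cookie_header(SAMPLE))
    print(parse_cookie_header(SAMPLE, skip_invalid=False))
```

Returning the skipped pairs alongside the accepted ones lets the caller log malformed cookies instead of silently discarding them.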