> Ivan Nikulin posted a comparison about how different browsers parse and
> implement cookies at https://inikulin.github.io/cookie-compat/ (he found
> quite a few cases where they act differently from each other and from the
> spec)

Test 0017 says 'z=y, a=b' (input) -> 'z=y, a=b' (expected)
This is ok regarding Section 5.2, but not regarding the grammar definition in
4.1.1. If 5.2 obsoletes 4.1.1, why is there a grammar at all ?

Grammar in Section 4.1.1
cookie-pair = cookie-name "=" cookie-value
cookie-name = token
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                      ; US-ASCII characters excluding CTLs,
                      ; whitespace DQUOTE, comma, semicolon,
                      ; and backslash
token = <token, defined in [RFC2616], Section 2.2>

A second question arises - some of the tests contain an escape backslash '\',
e.g. to escape double quotes within cookie-values. Where in the RFC is this
behavior documented - I just can't find it.

But assumed the backslash is documented, how does this fit to Rule 1. in
Section 5.2 "If the set-cookie-string contains a %x3B (";") character". This
means, you can't escape semicolon.

RFC the is irritating in these points. Did I miss a newer RFC that makes it a
bit clearer ?

I tend to use the grammar in section 4.1.1, IMO 5.2 should just be a helper.

Some insights by anyone ?

Tim

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html