curl-library

Re: Incorrect handling of subdomain cookies.

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 28 Sep 2016 08:27:39 +0200 (CEST)

On Tue, 27 Sep 2016, Sergei Kuzmin wrote:

> Thanks for extensive explanation. What do you think would be the best? Is it
> asking IETF for comment? Eventually it would be nice to match browsers
> behavior but not at expense of missing RFC guidelines. It's unclear whether
> to fix curl or major browsers.

The httpwg in the IETF will probably soon work on a "6265bis" document, that
is a revision and update of the RFC 6265 that we made a few years back[1].
This, to make it more accurately describe how cookies are de-facto used in the
real world. Even if we didn't manage it 100% with RFC 6265, it was still the
first cookie spec that was close to describing how cookies work on the web.
(And those old enough may remember me struggling against specifying some of
the browser behaviors as mandated[2].)

Web browsers will not change behavior due to RFC contents if they think/know
other browsers do it that way - web compatibility trumps basically anything.
I'd say it is much more likely that an updated spec will use wording that
makes the current browser behaviors compliant. Of course this is my guess
based on my many years working in the httpwg and with the browser people.

If there is more than one browser that works that way, it is best to just
admit defeat and switch over to behave like that...

[1] = https://daniel.haxx.se/blog/2011/04/28/the-cookie-rfc-6265/
[2] = https://daniel.haxx.se/blog/2010/01/20/cookie-order/

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
Received on 2016-09-28