Revisit encoding/decoding implementation #608
Conversation
Our RFC 6265 based cookie name + value encoding was based on the requirements for server implementers, and as such too strict. We need to look at RFC 6265 section 5.2, requirements for user agents. But even the algorithm described in section 5.2 isn't that relevant for us, in that we had to follow the steps when writing a cookie with this library. This is left to the browser vendors who have to implement the setter functionality behind `document.cookie`. All we have to do is avoid surprises when said algorithm is being followed while `document.cookie = ...` is being executed with the cookie string we're constructing. It means we have to encode ";" and "=" in the cookie name, and ";" in the cookie value. Follow-up to discussion in #595.
Wrong! Same mistake again. This is making the assumption that servers adhering to RFC 6265 would use percent-encoding to encode the forbidden characters mentioned in the spec, but the spec doesn't say anything about how those characters should be encoded. It mentions Base64 in fact:
|
|
So.. we are going to apply the minimal encoding/decoding, for |
- Renaming (it's no longer a RFC 6265 converter really - whatever that would mean in the first place: the spec doesn't demand percent-encoding...) - Removing redundant/unnecessary tests
carhartl
force-pushed
the
encoding-decoding-revisited
branch
from
219c40e
to
059a490
Compare
|
I have no idea why the pr check fails in Travis, while the one for push passes... |
|
Need to verify if SERVER_SIDE.md fixes still hold true |
Can change the README to |
I looked at these and I think so.. or they've been wrong even before these changes here: for instance what confused me was that the docs suggest to escape parens for Tomcat: var TomcatCookies = Cookies.withConverter({
write: function (value) {
return (
Cookies.converter
.write(value)
// Encode the parens that are interpreted incorrectly by Tomcat
.replace(/[()]/g, escape)
)
},
read: Cookies.converter.read
})
|
carhartl
force-pushed
the
encoding-decoding-revisited
branch
from
059a490
to
2280d95
Compare
Our RFC 6265 based cookie name + value encoding was based on the
requirements for server implementers, and as such too strict.
We need to look at RFC 6265 section 5.2, requirements for user agents.
But even the algorithm described in section 5.2 isn't that relevant
for us, in that we had to follow the steps when writing a cookie with
this library. This is left to the browser vendors who have to implement
the setter functionality behind
document.cookie. All we have to do isavoid surprises when said algorithm is being followed while
document.cookie = ...is being executed with the cookie string we'reconstructing.
It means we have to encode ";" and "=" in the cookie name, and ";" in
the cookie value.
Follow-up to discussion in #595.
Closes #590, #595.
Open question: should we be liberal in what we accept/read, that is applydecodeURIComponent()to the cookie value, in case we get a server-side written cookie that adheres to RFC 6265? Since we will use percent encoding for ";" in the value we could support that without a lot of effort. An advantage might be that this way we'd be reading v2 cookies without a problem, making the transition from v2 -> v3 not require a cookie migration. Or would we leave that to the user who would have to implement a converter for a complete percent decoding?The upside is that we're again well-below 700kb for the gzipped size of the library.
PS: I would probably also want to rename the "rfc6265" converter to something else now as part of this... basically they're semicolon converters now.