You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It looks like you have taken the current RegExp for cookie values ([^;]+) from issue 7 on the original Google Project. The original poster there mentioned using RFC 2965. RFC 2965 does not allow cookie values to “contain any ASCII character except semicolon.” This is only true when the value is quoted ("value"), else it is very restrictive.
RFC 2965 is currently obsolete and superseded by RFC 6265. It defines exactly what characters are allowed in cookies, specifically in section 4.1.1, and makes the current RegExp completely wrong. The original RegExp by Haineault came closer, actually.
The main problem with only disallowing the semicolon (;), as you do, is that you allow all kinds of Unicode characters to be matched. Characters that should not be a part of a cookie value.
If you want to save 2 chars of your JavaScript you can use [!#$%&'()*+\-./0-9:<=>?@A-Z[\]^_a-z{|}~]instead of[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]`.
I think it would be great to have a library independent script for managing cookies in an easy and correct way. This could be it, but it needs some maintenance done.
The text was updated successfully, but these errors were encountered:
Thanks for your thoughtful comment. If you put this change into a pull request, I'll merge it in as it seems to be a straightforward and logical request.
It looks like you have taken the current RegExp for cookie values (
[^;]+
) from issue 7 on the original Google Project. The original poster there mentioned using RFC 2965. RFC 2965 does not allow cookie values to “contain any ASCII character except semicolon.” This is only true when the value is quoted ("value"
), else it is very restrictive.RFC 2965 is currently obsolete and superseded by RFC 6265. It defines exactly what characters are allowed in cookies, specifically in section 4.1.1, and makes the current RegExp completely wrong. The original RegExp by Haineault came closer, actually.
The main problem with only disallowing the semicolon (
;
), as you do, is that you allow all kinds of Unicode characters to be matched. Characters that should not be a part of a cookie value.The official definition:
This can easily be converted to RegExp:
If you want to save 2 chars of your JavaScript you can use
[!#$%&'()*+\-./0-9:<=>?@A-Z[\]^_
a-z{|}~]instead of
[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]`.Test case
Feature request
Could you check whether
key
is a valid value when doing.set()
? Here is the RegExp:Or if you don’t like the hex values:
I think it would be great to have a library independent script for managing cookies in an easy and correct way. This could be it, but it needs some maintenance done.
The text was updated successfully, but these errors were encountered: