On Jan 22, 2010, at 7:04 PM, Luke Plant wrote:

> Well, it depends on what you call the 'spec'. What spec says that
> commas in values is invalid?
>
> The 'spec' linked to on that WebKit bug is a preliminary Netscape
> document, which, as far as I can tell, eventually turned into RFC
> 2109, which surely has got to be regarded as more authoritative. RFC
> 2965 (which proposes Set-Cookie2) supposedly obsoletes RFC 2109, but I
> don't know think it is really used much. [1]
>
> As I noted on the bug [2], RFC 2109 allows values to be quoted, in
> which case Django is behaving correctly, and it is some browsers that
> are not.
>
> Our implementation of this is in fact done entirely by Python's
> standard library Cookie module [3]. It handles everything I can throw
> at it (newlines, UTF8, throws exceptions with illegal cookie names
> etc.). It's kind of unlikely that we've found a bug in it.
>
> Of course, it doesn't mean we shouldn't fix things to avoid this bug.
> But to do so would require some kind of encoding, which is almost
> certainly going to cause breakage of some kind with existing cookies.
> Turbogears' solution would be backwards compatible in most cases, but
> not all.
>
> (BTW, if we implemented this change, the nicer way to do is to
> subclass Cookie and override Cookie.value_encode() and value_decode(),
> rather than the way that Turbogears does it)
>
> Personally, I favour fixing our messages implementation so that it
> isn't an issue (which is easy, it seems, see details on #12470), and
> possibly just putting a note into our cookie documentation that some
> old WebKit based browsers have a bug that means they do not correctly
> handle a cookie value containing a comma followed by a space.
>
> An argument in favour of this lazy approach is that this issue, for
> both ourselves and Turbogears, has only ever come up in the context of
> using cookies for messages. Presumably that means that developers are
> rarely storing extended human readable text strings in cookies outside
> of this kind of usage, so outside of the messages app it is probably
> not something we need to worry about.
>
> Luke

What's the downside of fixing this at the core cookie handling level? I agree with Luke and only ran across this bug when the new messaging framework dropped. However, if we are going to fix the problem, and I do think it's a problem even if it's a browser bug, should we just fix it at the core level and handle all cookies down the road? Would previously stored cookies that are not url quoted even fail when trying to unquote? Maybe I'm wrong but this seems pretty backwards compatible.

Sean
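
Added example, not part of the thread and not Django's code: a sketch of the value_encode()/value_decode() override mentioned in the quoted message, written against Python 3's `http.cookies` (the successor of the `Cookie` module), to check how cookies stored before such a change would load. The class name, helper names and sample values are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import quote, unquote


class PercentCookie(SimpleCookie):
    """Hypothetical subclass: percent-encode values so no comma, space or
    semicolon reaches the Set-Cookie header."""

    def value_encode(self, val):
        # Returns (real value, value written to the header).
        strval = str(val)
        return strval, quote(strval, safe="")

    def value_decode(self, val):
        # Undo the stock RFC 2109 style quoting first so old cookies still
        # load, then undo percent-encoding. unquote() does not raise on a
        # stray '%'; it leaves it in place.
        real, coded = super().value_decode(val)
        return unquote(real), coded


def header_value(text):
    """Value as written on the wire for a cookie named 'msg'."""
    jar = PercentCookie()
    jar["msg"] = text
    return jar["msg"].coded_value


def legacy_header(text):
    """Cookie header as the unmodified SimpleCookie would have stored it."""
    old = SimpleCookie()
    old["msg"] = text
    return "msg=" + old["msg"].coded_value


def read_back(cookie_header):
    """Parse a Cookie request header with the new class."""
    jar = PercentCookie()
    jar.load(cookie_header)
    return jar["msg"].value


if __name__ == "__main__":
    print(header_value("Saved, thanks"))              # new wire format
    print(read_back(legacy_header("Saved, thanks")))  # old cookie, same text
    print(read_back(legacy_header("100% done")))      # stray '%' survives
    print(read_back("msg=a%2Cb"))                     # old literal is altered
```

Old quoted values and stray `%` characters load unchanged; an old value that already contained a valid percent escape (here the constructed `a%2Cb`) comes back altered without any error, which is the "most cases, but not all" gap.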