tomcat-dev mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Tomcat Wiki] Update of "Cookies" by KonstantinKolinko
Date Mon, 03 Feb 2014 20:48:10 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "Cookies" page has been changed by KonstantinKolinko:
https://wiki.apache.org/tomcat/Cookies?action=diff&rev1=31&rev2=32

Comment:
I do not see how UTF-8 may be used when generating a cookie. Add a comment.

   G4 Use UTF-8 encoding for values::
   :: The value (which is a UCS-16 Java String) will be encoded using UTF-8 when being added
to the header. Application impact is that non-ASCII characters will no longer cause an IAE.
For V0 cookies, this is an extension to RFC6265 required to support HTML-5. V1 cookies already
allow 8-bit characters if quoted and this is likely to be needed to avoid an IAE as the value
would still be validated; it would be the application's responsibility to quote the value.
  
+  :: ''kkolinko'': Using UTF-8 in HTTP headers is not allowed by RFC 2616. On page 32 it
says:<<BR>>
+  `message-header = field-name ":" [ field-value ]`<<BR>>
+  `field-value    = *( field-content | LWS )`<<BR>>
+  `field-content  = <the OCTETs making up the field-value and consisting of either *TEXT
or combinations of token, separators, and quoted-string>`<<BR>>
+  The tokens are US-ASCII (0-127 minus CTLs or separators) (pages 16-17).<<BR>>
+  The TEXT is defined on page 16 where it says: "Words of *TEXT MAY contain characters from
character sets other than ISO-8859-1 [22] only when encoded according to the rules of RFC
2047 [14]."<<BR>>
+  The quoted-string is TEXT in double quotes (page 16).
+ 
+  :: ''kkolinko'': Javadoc for HttpServletResponse.setHeader() method also mentions that
the value of a header should be encoded according to RFC 2047. http://www.ietf.org/rfc/rfc2047.txt
+ 
   G5 Validate domain per RFC6265::
   :: The domain will now be validated per RFC1034 rather than simply as a value. Application
impact is that an invalid domain will now raise an IAE rather than be rejected by the browser.
No semantic validation (e.g. number of dots) will be performed. A valid domain name is a "token"
and so no quotation would be needed.
  
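Review bot: the conclusion "not allowed by RFC 2616" is stronger than the TEXT rule quoted to support it. By the quoted text, field-content may carry raw ISO-8859-1 octets and needs RFC 2047 encoding only for other character sets, so a UTF-8 encoded value would not be rejected by an RFC 2616 conformant receiver; it would be read as ISO-8859-1 and yield the wrong characters. Since the G4 text above is framed around avoiding an IAE, state that consequence next to the objection so a reader does not take "not allowed" to mean the bytes themselves are invalid. The two comments also stop short of a recommendation: say whether G4 should be dropped, or whether the RFC 2047 encoded-word form that the HttpServletResponse.setHeader() javadoc points to is the proposed replacement, so the page records a position rather than only an objection.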

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

