tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Apache Wiki <>
Subject [Tomcat Wiki] Update of "Cookies" by KonstantinKolinko
Date Mon, 03 Feb 2014 20:48:10 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "Cookies" page has been changed by KonstantinKolinko:

I do not see how UTF-8 may be used when generating a cookie. Add a comment.

   G4 Use UTF-8 encoding for values::
   :: The value (which is a UCS-16 Java String) will be encoded using UTF-8 when being added
to the header. Application impact is that non-ASCII characters will no longer cause an IAE.
For V0 cookies, this is an extension to RFC6265 required to support HTML-5. V1 cookies already
allow 8-bit characters if quoted and this is likely to be needed to avoid an IAE as the value
would still be validated; it would be the application's responsibility to quote the value.
+  :: ''kkolinko'': Using UTF-8 in HTTP headers is not allowed by RFC 2616. On page 32 it
+  `message-header = field-name ":" [ field-value ]`<<BR>>
+  `field-value    = *( field-content | LWS )`<<BR>>
+  `field-content  = <the OCTETs making up the field-value and consisting of either *TEXT
or combinations of token, separators, and quoted-string>`<<BR>>
+  The tokens are US-ASCII (0-127 minus CTLs or separators) (pages 16-17).<<BR>>
+  The TEXT is defined on page 16 where it says: "Words of *TEXT MAY contain characters from
character sets other than ISO-8859-1 [22] only when encoded according to the rules of RFC
2047 [14]."<<BR>>
+  The quoted-string is TEXT in double quotes (page 16).
+  :: ''kkolinko'': Javadoc for HttpServletResponse.setHeader() method also mentions that
the value of a header should be encoded according to RFC 2047.
   G5 Validate domain per RFC6265::
   :: The domain will now be validated per RFC1034 rather than simply as a value. Application
impact is that an invalid domain will now raise an IAE rather than be rejected by the browser.
No semantic validation (e.g. number of dots) will be performed. A valid domain name is a "token"
and so no quotation would be needed.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message