net/http: Allow double-quoted cookie values

[bgmerrell]

RFC 6265[1] allows cookie values to be double-quoted[2]. However, the current sanitization code strips the double quotes out of a double-quoted value (i.e., a value beginning with a double quote and ending with a double quote). Ironically, the sanitization code double quotes a value if it begins or ends with a space or comma. The RFC grammar specification allowing the surrounding double quotes is also included in the comments of the sanitizeCookieValue() function.

The inability to double-quote a cookie value is preventing me from duplicating the behavior of a legacy Java system I am replacing.

There was some tangentially related conversation for #7243, but that conversation did not address this issue specifically.

[1] http://tools.ietf.org/html/rfc6265
[2] cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )

[bgmerrell]

Proposed fix: https://go-review.googlesource.com/7803

[bgmerrell]

And here's some code demonstrating the issue: https://play.golang.org/p/O4tC8fI8PY

[bradfitz]

I think you read the RFC wrong.

A cookie value may NOT contain a double quote. It even says so:

 cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                       ; US-ASCII characters excluding CTLs,
                       ; whitespace DQUOTE, comma, semicolon,
                       ; and backslash

A double quote is only encode the value of a cookie when necessary. (like it starting with a space)

The inability to double-quote a cookie value is preventing me from duplicating the behavior of a
legacy Java system I am replacing.

Please describe the problem more. A client application shouldn't depend on a cookie being written as foo=bar vs foo="bar". If it does, I think it's broken. You can read/write HTTP headers directly if you need to interoperate with a non-spec-compliant peer.

[bgmerrell]

Thanks for the feedback Brad. I am OK with this being closed and I can set the HTTP headers directly like you said.

Just for my own understanding, though, if you don't mind:

A cookie value may NOT contain a double quote. It even says so:

cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
; US-ASCII characters excluding CTLs,
; whitespace DQUOTE, comma, semicolon,
; and backslash

But you're referencing the cookie-octet here. There is also a cookie-value specification; this is what I was assuming should be allowed int he Value field for a cookie:

cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )

Am I misreading the RFC? Misunderstanding what Go's Cookie.Value field represents?

[bradfitz]

Go's Cookie.Value is the unencoded value.

The quoting in the RFC is for encoding it.

This snippet should make it clear: http://play.golang.org/p/8vA9El_3iU

Note that foo=bar and foo="bar" both yield a Cookie.Value of bar. The quotes are just there to encode and protect the real value. The final two examples make that more clear: notice the final value includes a trailing space in the Cookie.Value, but the third one doesn't.