R. David Murray <rdmur...@bitdance.com> added the comment: Thanks for taking a crack at this. IMO the thing that needs to be fixed here is that receiving an invalid cookie makes it difficult to receive the valid cookies. I'd love to accept your patch, but "silently ignore" sounds like a bad idea and is something we try to avoid in Python where practical. In the email package we have a mechanism for reporting RFC violations (the defects attribute). And we make as much sense of the input as we can, even if it is invalid, and preserve it. We even allow generation of some RFC-invalid stuff, though we have plans to make applications work harder to do that in the future.
So I think your harder fix (accept the RFC-invalid cookies as long as there is some sensible way to parse them, but reject creating them) is the right approach. I could also see the possibility of accepting a feature request for adding the ability to explicitly create RFC-invalid cookies, if someone can demonstrate a use case for doing so. Other possible follow-on feature requests would be a 'defects' facility and/or a way to explicitly request that non-compliant cookies be ignored. Note that in suggesting we reject creating RFC-invalid cookies by default I am not expressing an opinion on the relevance of the RFCs to cookie processing "in the wild". Given that there is a standard and we are talking about what to do on generation, the obvious answer (by Postel's law) is that we ought to generate standards-compliant cookies. Also note that I have not looked at the referenced rfc (here is what I believe is the official link: http://tools.ietf.org/html/rfc6265). ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue2193> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
