import from UXP: [network] Align cookie checks with RFC 6265 (bis) (03875cd60)

2026-05-29 16:10:41 +00:00 · 2022-12-16 11:30:36 +08:00
parent 4c8dff22cf
commit c9f2355ce5
1 changed files with 5 additions and 16 deletions
@@ -3466,25 +3466,14 @@ nsCookieService::SetCookieInternal(nsIURI                        *aHostURI,

  // Reject cookie if value contains an RFC 6265 disallowed character.
  // See RFC 6265 section 4.1.1
-  // XXX: For now we allow for web compatibility (see issue #357):
-  // 0x20 (Space)
-  // 0x22 (DQUOTE)
-  // 0x2C (Comma)
-  // 0x5C (Backslash)
+  // 0x09 (htab) Explicitly allowed per RFC 6265 (bis) section 5.6. Chrome erroneously rejects this.
+  // 0x3B (;) forbidden to avoid cookie-spoofing by adding a separator inside a name or value
  //
-  // FIXME: Before removing DQUOTE from the exceptions list:
-  // DQUOTE *cookie-octet DQUOTE is permitted and would fail if just removed.
-  // This needs better checking for first and last character allowing
-  // DQUOTE but not in the actual value.
-  //
-  // This only applies to cookies set via the Set-Cookie header, since
-  // document.cookie is defined to be UTF-8.
  const char illegalCharacters[] = { 
-      0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B,
+      0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x0A, 0x0B,
      0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
-      0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, /* 0x20, 0x22, */
-      /* 0x2C, */ 0x3B, /* 0x5C, */ 0x7F, 0x00 };
-  if (aFromHttp && (cookieAttributes.value.FindCharInSet(illegalCharacters, 0) != -1)) {
+      0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x3B, 0x7F, 0x00 };
+  if (cookieAttributes.value.FindCharInSet(illegalCharacters, 0) != -1) {
    COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, savedCookieHeader, "invalid value character");
    return newCookie;
  }