Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Cool submission!

Per RFC 6265, which is the cookie spec you seem to use, the valid chars for cookie names is defined [1] by RFC 2616 (since obsoleted by the 723x series; but agreeing on this issue [2]).

The cookie name must be a 'token', which is incidentally the exact same rule as for HTTP header names. 'token' evaluates to one or more of the following ASCII visible characters:

    "!" / "#" / "$" / "%" / "&" / "'" / "*"
  / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
  / DIGIT (0-9) / ALPHA (A-Z, a-z)
Right now you allow any valid JSON object key to be set as a cookie name.

EDIT: To be more precise, your defaults are fine as they URLencode the key too, along with the value. But the defaults are overridable and affect both the cookie key and value simultaneously. Allowing the value encoding to be overridden would be useful, while allowing the name encoding to be overridden can cause the cookie to fall out of spec.

[1] https://tools.ietf.org/html/rfc2616#section-2.2

[2] https://tools.ietf.org/html/rfc7230#section-3.2.6



I URL-Encode it:

    var res = opt.encode(key) + '=' + encoded + ...
Where `opt.encode()` is defined as:

    function (val) {
      return encodeURIComponent(val);
    }
But from your comment I understand that this is not enough and I should dig deeper into this (though I find the RFC really dense/difficult to read).


I did more research and have a further follow-up. According to MDN [1], encodeURIComponent escapes all characters except the following:

  alphabetic, decimal digits, - _ . ! ~ * ' ( )
which means that out of the allowed ASCII characters in a cookie name:

   "!" / "#" / "$" / "%" / "&" / "'" / "*"
  / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
  / DIGIT (0-9) / ALPHA (A-Z, a-z)
the following matrix of behaviors results:

      Gets-Encoded? Is-Allowed?   Current-Behavior
  -----------------------------------------------------
  !   not-encoded   allowed       behavior-OK
  #   encoded       allowed       unnecessarily-encoded
  $   encoded       allowed       unnecessarily-encoded
  %   encoded       allowed       unnecessarily-encoded
  &   encoded       allowed       unnecessarily-encoded
  '   not-encoded   allowed       behavior-OK
  *   not-encoded   allowed       behavior-OK
  +   encoded       allowed       unnecessarily-encoded
  -   not-encoded   allowed       behavior-OK
  .   not-encoded   allowed       behavior-OK
  ^   encoded       allowed       unnecessarily-encoded
  _   not-encoded   allowed       behavior-OK
  `   encoded       allowed       unnecessarily-encoded
  |   encoded       allowed       unnecessarily-encoded
  ~   not-encoded   allowed       unnecessarily-encoded
  (   not-encoded   not-allowed   invalid-must-encode
  )   not-encoded   not-allowed   invalid-must-encode
[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...


For the edit:

I see, so I could add a `cookies.encodevalue()` and default it to `cookies.encode`. However, I think that'd just add too much noise to it so I will just add a warning. Thank you.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: