[Webkit-unassigned] [Bug 6063] Safari/JavaScript calculates wrong request URL

bugzilla-daemon at opendarwin.org
Sat Mar 25 07:21:26 PST 2006


http://bugzilla.opendarwin.org/show_bug.cgi?id=6063





------- Comment #7 from opendarwin-2004 at ryandesign.com  2006-03-25 07:21 PDT -------
I have researched this and come to the following conclusions:

1. When the dixons.nl server doesn't receive the "Dixons" cookie in that POST
request, it redirects to "http://www.dixons.nl.aspx". That's the site's
problem, not WebKit's or Safari's.

2. When Safari / WebKit encounters a Set-Cookie header where it doesn't
understand the "expires" section, it ignores the cookie. Firefox accepts it and
makes it expire at the end of the session, which seems like the more reasonable
behavior. PHP example (you must reload once):

echo $_COOKIE['ExpiresCookie'];
header('Set-Cookie: ExpiresCookie=foo; expires=bar');

3. When Safari / WebKit encounters a Set-Cookie header where the *value* of the
cookie contains the string "expires=" *and* the cookie is actually trying to
set its expiration, it gets confused and ignores the cookie:

echo $_COOKIE['ExpiresCookie2'];
header('Set-Cookie: ExpiresCookie2=expires=; expires=Sun, 22-Jan-2010 11:18:06 GMT');

This is what's happening to dixons.nl because their cookie value contains
"expires=".


Further observations:

4. The cookie spec in RFCs 2109 and 2965 makes no statement as to how or
whether the value portion of a cookie in a Set-Cookie or Set-Cookie2 header
should be encoded.

5. This document on cookies which was last modified in August 2005 by the
authors of Curl http://curl.haxx.se/rfc/cookie_spec.html states that the value
of a cookie in a Set-Cookie header should not contain a comma, semicolon or
whitespace, but that if such values need to be used, no particular encoding is
recommended nor even required.

6. When a cookie value contains a comma, Safari / WebKit throws away the comma
and everything after it. Firefox accepts the entire cookie value:

echo $_COOKIE['CommaCookie'];
header('Set-Cookie: CommaCookie=Hello, world');

7. When a cookie value contains a semicolon, Safari / WebKit and Firefox both
throw away the semicolon and everything after it:

echo $_COOKIE['SemiCookie'];
header('Set-Cookie: SemiCookie=Hello; world');

8. Cookie values containing spaces are no problem for Safari / WebKit or
Firefox:

echo $_COOKIE['SpaceCookie'];
header('Set-Cookie: SpaceCookie=Hello world');


I tested this with the latest nightly WebKit build as of this writing, and
Firefox 1.5.0.1, on Mac OS X 10.4.5 on a PowerBook G4. I do not know enough
about the separation of Safari and WebKit to say which component has the bug.


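The cases in comment #7, run through a tolerant Set-Cookie parser. This is an added example, not part of the original comment and not WebKit or Firefox code; parseSetCookie, parseExpires and the "ignored" field are hypothetical names. It splits on ';' before looking at attributes, so "expires=" or a comma inside the value stays part of the value, and an unreadable expires date yields a session cookie instead of a dropped one.

```javascript
// Added example: parseSetCookie is a hypothetical helper, not WebKit or
// Firefox code. It follows the tolerant behaviour the comment prefers.
const MONTHS = ['jan', 'feb', 'mar', 'apr', 'may', 'jun',
                'jul', 'aug', 'sep', 'oct', 'nov', 'dec'];

// Parse "Wdy, DD-Mon-YYYY HH:MM:SS GMT"; return null if it does not match.
function parseExpires(text) {
  const m = /(\d{1,2})[- ]([A-Za-z]{3})[- ](\d{4}) (\d{2}):(\d{2}):(\d{2}) GMT$/
    .exec(text);
  if (!m) return null;
  const month = MONTHS.indexOf(m[2].toLowerCase());
  if (month === -1) return null;
  return new Date(Date.UTC(+m[3], month, +m[1], +m[4], +m[5], +m[6]));
}

function parseSetCookie(header) {
  // Split on ';' first: only the first segment can hold the name and value,
  // so "expires=" inside the value is never mistaken for the attribute.
  const [pair, ...attributes] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name, nothing to store
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(), // commas, spaces and '=' are kept
    expires: null,                    // null = expire with the session
    ignored: [],
  };
  for (const raw of attributes) {
    const attr = raw.trim();
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    if (key === 'expires') {
      // An unreadable date downgrades to a session cookie, not a rejection.
      cookie.expires = parseExpires(attr.slice(i + 1).trim());
    } else {
      cookie.ignored.push(attr); // unknown attribute: skip it, keep the cookie
    }
  }
  return cookie;
}

// Header values taken from the PHP snippets in the comment.
for (const h of ['ExpiresCookie=foo; expires=bar',
                 'ExpiresCookie2=expires=; expires=Sun, 22-Jan-2010 11:18:06 GMT',
                 'CommaCookie=Hello, world', 'SemiCookie=Hello; world']) {
  console.log(h, '->', JSON.stringify(parseSetCookie(h)));
}
```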