Per @chlily1's comment in #1210 (comment), it'd be worth updating the 'Storage Model' section to add restrictions on cookie-name, cookie-value, and the attribute values to account for characters that would break serialization... Specifically, we should add that:
cookie-name should not contain = or ;.
cookie-value should not contain ;.
the attribute values should not contain ;.
Although it's not possible for those characters to appear in cookies constructed by parsing Set-Cookie headers, these values could be introduced via cookies from non-HTTP APIs.
Also, should there be a step in the Storage Model that removes leading and trailing whitespace from cookie-name, cookie-value, and the attribute values (to further close the gap between what can be created via Set-Cookie header parsing and via non-HTTP APIs)?
(also per @chlily1's comment, a better way to mitigate this would be to extract out the logic common to the Set-Cookie header parsing section and the Storage Model section and reference that in both places)
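The restrictions proposed above, shown as an added example that is not part of the original issue or of the spec text: a storage-side check applied to cookies arriving from a non-HTTP API, plus a round trip showing how an unchecked `;` turns one stored cookie into two on the receiving side. All function and field names are hypothetical, the sample cookies are constructed, and the trimming step is the one the issue raises as an open question.

```javascript
const WS = /^[ \t]+|[ \t]+$/g; // assumption: "whitespace" means SP and HTAB

// Returns the restrictions from the issue that a cookie violates (empty = storable).
function storageViolations({ name, value, attributes = {} }) {
  const problems = [];
  if (/[=;]/.test(name)) problems.push("cookie-name contains = or ;");
  if (value.includes(";")) problems.push("cookie-value contains ;");
  for (const [attr, v] of Object.entries(attributes)) {
    if (String(v).includes(";")) problems.push(`${attr} attribute value contains ;`);
  }
  return problems;
}

// Trimming step the issue asks about (assumed here, not confirmed spec behaviour).
function trimCookie({ name, value, attributes = {} }) {
  const t = (s) => String(s).replace(WS, "");
  const attrs = Object.fromEntries(Object.entries(attributes).map(([k, v]) => [k, t(v)]));
  return { name: t(name), value: t(value), attributes: attrs };
}

// Serialize stored cookies into a Cookie header value: name=value pairs joined by "; ".
function serializeCookieHeader(cookies) {
  return cookies.map((c) => `${c.name}=${c.value}`).join("; ");
}

// Minimal receiver-side split: on ";", then on the first "=".
function parseCookieHeader(header) {
  return header.split(";").map((pair) => {
    const p = pair.replace(WS, "");
    const i = p.indexOf("=");
    return i < 0 ? { name: "", value: p } : { name: p.slice(0, i), value: p.slice(i + 1) };
  });
}

// Constructed sample: cookies a non-HTTP API could hand to the store unchecked.
const fromApi = [
  { name: "theme", value: "dark;extra=1", attributes: { Path: "/" } },
  { name: "a=b", value: "c", attributes: { Path: "/app;x" } },
  { name: " lang ", value: " en ", attributes: {} },
];

function demo() {
  const accepted = fromApi.map(trimCookie).filter((c) => storageViolations(c).length === 0);
  return {
    uncheckedRoundTrip: parseCookieHeader(serializeCookieHeader(fromApi.slice(0, 1))),
    violations: fromApi.map((c) => storageViolations(c)),
    acceptedHeader: serializeCookieHeader(accepted),
  };
}
```

Calling `demo()` returns the mis-parsed round trip of the first cookie, the per-cookie violation lists, and the header produced once only trimmed, conforming cookies are stored.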