parseCookie: Support for stripping double quotes escapes.

Question

parseCookie: Support for stripping double quotes escapes.

dostiharise opened this issue 3 years ago · comments

Hari Krishna Ganji commented 3 years ago

The parseCookie snippet doesn't support cookie parameter values that are escaped using a double quote "

Example:

The header Set-Cookie: who-are-you="i-am-a-cookie"; Path=/ results in Cookie Name who-are-you and Cookie Value as "i-am-a-cookie".

When you read the cookie value, you may want to strip away the double-quote " from "i-am-a-cookie" and return i-am-a-cookie.

Refer here:

Alexander Heß · Answer 1 · Fri Dec 11 2020 21:11:47 GMT+0800 (China Standard Time)

I would like to do this.

Hari Krishna Ganji · Answer 2 · Sat Dec 12 2020 00:11:34 GMT+0800 (China Standard Time)

Great! @CreaTorAlexander you could raise a pull request. I can help review & validate your PR.

cc: @Chalarangelo, @fejes713

Alexander Heß · Answer 3 · Sat Dec 12 2020 00:19:54 GMT+0800 (China Standard Time)

So shall I just use the same example but with double quotes? Or ist there something else I have to think about?

Hari Krishna Ganji · Answer 4 · Sat Dec 12 2020 18:09:24 GMT+0800 (China Standard Time)

@CreaTorAlexander

I think editing the same snippet with necessary comments will help.

Once you have a PR, the maintainers will hopefully review and give you comments to improve.

Let's be ready to do multiple iterations. 🙂

I would add the necessary code that would strip away double quotes on left and right from the before decodeURIComponent is called and not after.

Hari Krishna Ganji · Answer 5 · Sat Dec 12 2020 18:11:31 GMT+0800 (China Standard Time)

Now that I think about it I am not sure if decodeURIComponent is the right solution.

Because the decode must actually take place inside the app logic, and the cookie parsing value must be treated as is.

🤔

Example:

If the cookie is who-i-am="%22Glitch%20in%20the%20Matrix%20" then I think the cookie value must be parsed as %22Glitch%20in%20the%20Matrix%20.

And the application logic consuming the value must take care of the decodeURIComponent.

The reason is many times you don't control the server side API, and the client logic must be able to parse a Cookie value as is, and method consuming the value could take care of decoding.

I may be wrong here, though. 🙂

For now let's just strip the double quote.

Alexander Heß · Answer 6 · Sat Dec 12 2020 18:58:36 GMT+0800 (China Standard Time)

Are leading empty spaces are possible in Cookie Values?
who-are-you= "i-am-a-cookie"

Hari Krishna Ganji · Answer 7 · Sat Dec 12 2020 19:31:04 GMT+0800 (China Standard Time)

No. Spaces are not allowed.

You can refer here: HTTP Cookie.

Alexander Heß · Answer 8 · Sat Dec 12 2020 21:03:05 GMT+0800 (China Standard Time)

Ok well, ty

Angelos Chalaris · Answer 9 · Fri Apr 02 2021 18:10:50 GMT+0800 (China Standard Time)

This issue is invalid. Cookie values should be parsed as-is and it's upon the developer to handle anything after that. The snippet does what it says on the box - parses the cookie. Edge-cases and additional handling is out of scope.