Cookie parsing and standards

January 10, 2009

r7810 -- CookieMonster quote parsing changes and tests.

Cookies are rough. At some point when we were nearing launch, cookie handling for Amazon broke. After investigation it was found out they had changed the date format for their cookies into a form we didn't parse, managing a sort of mid-endian date/time mixture where the date straddled the time. Normally the right thing to do in these situations is "whatever Firefox does, exactly" but the code in question is a bit on the gnarly side.

In particular from the commit message, note "We had previously tried to match Firefox, but after long discussions we decided it makes more sense to match Internet Explorer and Safari. This means not explicitly handling quoted-string as proposed in the newer RFCs."

Standards are also rough: oftentimes you either follow what's on the paper or you make websites work. I always think of this remark from jwz:

What's a "de facto standard?" It's what we call a standard. What's a "de jure standard?" It's what we call a wish.

For more interesting reading, be sure to browse the review comments for this change, and in particular the bits from lcamtuf.