Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SHOULD NOT #2980

Open
sbingler opened this issue Jan 28, 2025 · 2 comments
Open

SHOULD NOT #2980

sbingler opened this issue Jan 28, 2025 · 2 comments
Labels
6265bis

Comments

@sbingler
Copy link
Collaborator

Comment by @fpalombini

Section 3:

Origin servers SHOULD NOT fold multiple Set-Cookie header fields into a single header field.

I wonder why this is a SHOULD NOT and not a MUST NOT. I do see this was a SHOULD NOT in the original RFC 6265. If it's the case that it has been kept as a SHOULD NOT because existing implementations do it despite this recommendation, I suggest explicitly motivate it here (for example by adding a note, as it has been done in other sections of the document).
@sbingler
Copy link
Collaborator Author

sbingler commented Jan 29, 2025
edited
Loading

@mikewest

Do you have any more context as to why this is a "SHOULD NOT" instead of a "MUST NOT"?

Looking at the mail list for RFC6265 I found https://mailarchive.ietf.org/arch/msg/http-state/FwQWLsmRynEwtCKxOgUOWjFa7gE/

[S3 P4] It seems like there should be an all-caps requirement here, e.g., that "Origin servers MUST NOT fold multiple Set-Cookie header fields into a single header field".

Origin servers certainly can fold multiple Set-Cookie header fields
into a single header field if they desire. However, doing so changes
the semantics. Given the bytes on the wire, there's no experiment we
can run to see if the origin server did or did not perform this
folding. Therefore, a MUST-level requirement is inappropriate.

As I understand it, folding would cause multiple Set-Cooking header values to be considered instead as setting one cookie with many attributes. Is there a situation where this is "acceptable or even useful", to quote RFC 2119? It seems to me like folding is virtually guaranteed to be a bug.

Ok. I've changed this to a SHOULD. I suspect, actually, that this
requirement already exists in the document (in an obtuse way) because
the recommend grammar for servers won't produce a "," in the right
syntactic surrounds to be a folded Set-Cookie header.

Sounds like it's this way because it's a bad idea but we can't check/enforce that it hasn't occurred.

@mnot
Copy link
Member

mnot commented Jan 29, 2025

For what it's worth -- SHOULD vs MUST does not depend on whether it can be tested/enforced; it's whether there are exceptions to the rule.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
6265bis
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mnot @sbingler