What are acceptable cookie values?
RFC 6265 § 4.1.1 is very clear about what acceptable cookie values are:
Servers SHOULD NOT send Set-Cookie headers that fail to conform to
the following grammar:
[...]
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
; US-ASCII characters excluding CTLs,
; whitespace DQUOTE, comma, semicolon,
; and backslash
What cookie values does Pale Moon accept?
Pale Moon 25 and below didn't restrict cookie values, but unsanitized values could potentially lead to (security) issues.
Pale Moon 26.0 follows the RFC, with the exception of spaces (for known web compatibility issues) and double quotes (since enclosing a value in double quotes is allowed by the RFC), and therefore rejects values containing characters outside this set, enforcing what the RFC recommends.
Pale Moon 26.1 and later will (temporarily) be made more lenient to increase web compatibility, similar to what was done with cookie names, but it still remains non-compliant for servers to (attempt to) set cookie values with disallowed characters. Our goal is, and will remain, to adhere to the standards wherever feasible, and this may be made stricter in the future if webmasters show themselves to be responsible in applying best practice.
What should webmasters do?
Even if other (popular) browsers may not be as strict in enforcing compliance in their cookies, striving for RFC-compliance would be a very good thing in this case. Just because "the most popular browsers" allow it doesn't make it correct. Please audit your cookie use and adjust where necessary.
The same RFC also provides a hint for storing arbitrary data in cookie values:
To maximize compatibility with user agents, servers that wish to
store arbitrary data in a cookie-value SHOULD encode that data, for
example, using Base64 [RFC4648].
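As an added example (not part of the original post or of Pale Moon's own code), the following audits a Set-Cookie header value against the RFC 6265 cookie-octet grammar quoted above, against the more lenient variant described for Pale Moon 26.0 (spaces and double quotes additionally tolerated; this models the post's description, not the browser's actual implementation), and shows the Base64 encoding the RFC suggests for arbitrary data:

```python
import base64
import re

# RFC 6265 section 4.1.1:
# cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
_COOKIE_OCTETS = re.compile(r'^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$')


def _unquote(value: str) -> str:
    """cookie-value may be *cookie-octet or DQUOTE *cookie-octet DQUOTE."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def strict_value_ok(value: str) -> bool:
    """True if the value conforms to the RFC 6265 cookie-value grammar."""
    return bool(_COOKIE_OCTETS.match(_unquote(value)))


def lenient_value_ok(value: str) -> bool:
    """Assumed model of the Pale Moon 26.0 leniency described above:
    RFC grammar plus spaces and double quotes anywhere in the value."""
    return bool(_COOKIE_OCTETS.match(value.replace(' ', '').replace('"', '')))


def offending_chars(value: str) -> list:
    """Characters (outer quotes excluded) that fall outside cookie-octet."""
    return sorted({c for c in _unquote(value) if not _COOKIE_OCTETS.match(c)})


def audit_set_cookie(header: str) -> dict:
    """Audit the name=value part of a Set-Cookie header field value.
    Attributes after the first ';' (Path, HttpOnly, ...) are not checked."""
    name, _sep, value = header.split(';', 1)[0].partition('=')
    return {
        'name': name.strip(),
        'value': value,
        'rfc_strict': strict_value_ok(value),
        'pale_moon_lenient': lenient_value_ok(value),
        'offending': offending_chars(value),
    }


def encode_cookie_value(data: bytes) -> str:
    """Base64 (RFC 4648) as the RFC suggests for arbitrary data; the standard
    alphabet (A-Z a-z 0-9 + / and the = pad) lies entirely within cookie-octet."""
    return base64.b64encode(data).decode('ascii')


def decode_cookie_value(value: str) -> bytes:
    return base64.b64decode(value, validate=True)
```

Running audit_set_cookie over the Set-Cookie headers a site emits gives a quick inventory of which values would be rejected by a strict RFC 6265 parser but still pass the lenient one.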