Cookies, RFC compliance, and Pale Moon

Frequently Asked Questions about the Pale Moon browser and their answers.
Pale Moon guru
Posts: 29954
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Cookies, RFC compliance, and Pale Moon

Post by Moonchild » 2016-02-09, 02:24

Since we've been running into some web compatibility issues due to cookie gating, this FAQ entry is a multiple FAQ entry in one.

What are acceptable cookie values?
RFC 6265 § 4.1.1 is very clear about what acceptable cookie values are:

   Servers SHOULD NOT send Set-Cookie headers that fail to conform to
   the following grammar:
   cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                       ; US-ASCII characters excluding CTLs,
                       ; whitespace DQUOTE, comma, semicolon,
                       ; and backslash
Since commas are excluded, you cannot use cookies to store e.g. JSON blobs, CSV lists, or similar. They can also not contain whitespace (including spaces!) so you have to think very carefully what you are or are not allowed to store in a cookie.

What cookie values does Pale Moon accept?
Pale Moon 25 and below didn't restrict cookie values, but unsanitized values could potentially lead to (security) issues.
Pale Moon 26.0 follows the RFC, with the exception of spaces (for known web compatibility issues) and double quotes (since enclosing a value in double quotes is allowed by the RFC), and therefore restricts values outside of these characters and enforces what the RFC recommends.

Pale Moon 26.1 and later will (temporarily) be made more lenient to increase web compatibility, similar to what was done with cookie names, but it still remains non-compliant for servers to (attempt to) set these cookie values with disallowed characters. Our goal is and will be (and remain) to adhere to the standards wherever feasible and this may be made more strict in the future, if webmasters show themselves to be responsible in applying best practice.

What should webmasters do?
Even if other (popular) browsers may not be as strict in enforcing compliance in their cookies, striving for RFC-compliance would be a very good thing in this case. Just because "the most popular browsers" allow it doesn't make it correct. Please audit your cookie use and adjust where necessary.

The same RFC also provides a hint for storing arbitrary data in cookie values:

   To maximize compatibility with user agents, servers that wish to
   store arbitrary data in a cookie-value SHOULD encode that data, for
   example, using Base64 [RFC4648].
One could also, for example, URL-encode data (%20 for space, %2C for comma, etc.).
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss
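As an added example (not part of Moonchild's post or of Pale Moon's own code), a small Python check of a value against the cookie-octet grammar quoted above, plus the Base64 and URL-encoding approaches the post suggests for storing arbitrary data. The `lenient` flag is my assumption of how the Pale Moon 26.0 exceptions (spaces and double quotes) would be expressed, not the browser's actual logic, and the sample data is constructed.

```python
import base64
import json
from urllib.parse import quote, unquote

# cookie-octet from RFC 6265 section 4.1.1, as quoted in the post:
# %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
COOKIE_OCTETS = frozenset(
    [0x21] + list(range(0x23, 0x2C)) + list(range(0x2D, 0x3B))
    + list(range(0x3C, 0x5C)) + list(range(0x5D, 0x7F))
)

def offending_chars(value, lenient=False):
    """Characters in `value` that the cookie-value grammar does not allow.
    The RFC lets the whole value sit inside one pair of DQUOTEs, so a surrounding
    pair is stripped first. lenient=True additionally tolerates spaces and
    embedded double quotes: my reading of the two exceptions the post lists for
    Pale Moon 26.0 (an assumption, not the browser's own check).
    """
    quoted = len(value) >= 2 and value[0] == value[-1] == '"'
    inner = value[1:-1] if quoted else value
    return [ch for ch in inner
            if ord(ch) not in COOKIE_OCTETS and not (lenient and ch in ' "')]

def is_valid_cookie_value(value, lenient=False):
    return not offending_chars(value, lenient)

def encode_cookie_value(data, scheme="base64"):
    """Serialise `data` as compact JSON, then encode it into cookie-octets only.
    base64 is the RFC's own suggestion ('+', '/' and '=' are all cookie-octets);
    urlencode escapes everything except RFC 3986 unreserved characters, and every
    %XX escape is made of cookie-octets too.
    """
    raw = json.dumps(data, separators=(",", ":"))
    if scheme == "base64":
        encoded = base64.b64encode(raw.encode("utf-8")).decode("ascii")
    elif scheme == "urlencode":
        encoded = quote(raw, safe="")
    else:
        raise ValueError("unknown scheme: %r" % scheme)
    assert is_valid_cookie_value(encoded), "encoder produced a non-compliant value"
    return encoded

def decode_cookie_value(value, scheme="base64"):
    # Inverse of encode_cookie_value for the same two schemes.
    if scheme == "base64":
        raw = base64.b64decode(value).decode("utf-8")
    else:
        raw = unquote(value)
    return json.loads(raw)
```

Running `offending_chars` over a raw JSON blob shows exactly why such a value fails the grammar (quotes, commas and spaces), while the encoded forms pass the strict check.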