Age | Commit message (Collapse) | Author |
|
We must not remove all domain attributes when we find an
empty domain attribute, we must only ignore this one particular
cookie-av. (RFC6265bis 5.3.3)
|
|
And explain that browsers may be more strict over TCP vs TLS.
|
|
Chromium and Firefox have both begun using "Lax" as the
default for non-Secure cookies.
|
|
|
|
Also do minor fixes to cow_cookie:parse_cookie/1. There
is a potential incompatibility from these changes, because
now a header "Cookie: foo" will be translated to a cookie
with an empty name and value "foo", instead of cookie name
"foo" and empty value. Also cookie names starting with $
are no longer ignored.
These fixes are necessary for the cookies test suite from
Web platform tests to work, and match the upcoming cookie
RFC.
|
|
It's supposed to be a map, not a proplist.
|
|
|
|
The SameSite cookie attribute has yet to appear in an official RFC, and
until recently was exclusive to Chrome. However, Firefox has recently
implemented it as well, so it seems prudent to support it.
|
|
|
|
Some cookies are seen in the wild consisting of just a name, without
even a "=" char. This allows parsing them as if they were written
"foo=", that is with an empty value.
Commit amended to add a few more test cases.
|
|
|
|
Previously, an error would be raised when explicitly passing a default
value for either “http_only” or “secure” option.
|
|
* Update copyright years.
* Update erlang.mk.
* Fix triq testing.
|
|
|
|
Google Analytics has been observed to set cookie values containing
commas. We therefore need to accept them for interoperability.
|
|
|
|
|
|
|