Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.
The "Cookies" page has been changed by KonstantinKolinko: https://wiki.apache.org/tomcat/Cookies?action=diff&rev1=31&rev2=32 Comment: I do not see how UTF-8 may be used when generating a cookie. Add a comment. G4 Use UTF-8 encoding for values:: :: The value (which is a UCS-16 Java String) will be encoded using UTF-8 when being added to the header. Application impact is that non-ASCII characters will no longer cause an IAE. For V0 cookies, this is an extension to RFC6265 required to support HTML-5. V1 cookies already allow 8-bit characters if quoted and this is likely to be needed to avoid an IAE as the value would still be validated; it would be the application's responsibility to quote the value. + :: ''kkolinko'': Using UTF-8 in HTTP headers is not allowed by RFC 2616. On page 32 it says:<<BR>> + `message-header = field-name ":" [ field-value ]`<<BR>> + `field-value = *( field-content | LWS )`<<BR>> + `field-content = <the OCTETs making up the field-value and consisting of either *TEXT or combinations of token, separators, and quoted-string>`<<BR>> + The tokens are US-ASCII (0-127 minus CTLs or separators) (pages 16-17).<<BR>> + The TEXT is defined on page 16 where it says: "Words of *TEXT MAY contain characters from character sets other than ISO-8859-1 [22] only when encoded according to the rules of RFC 2047 [14]."<<BR>> + The quoted-string is TEXT in double quotes (page 16). + + :: ''kkolinko'': Javadoc for HttpServletResponse.setHeader() method also mentions that the value of a header should be encoded according to RFC 2047. http://www.ietf.org/rfc/rfc2047.txt + G5 Validate domain per RFC6265:: :: The domain will now be validated per RFC1034 rather than simply as a value. Application impact is that an invalid domain will now raise an IAE rather than be rejected by the browser. No semantic validation (e.g. number of dots) will be performed. A valid domain name is a "token" and so no quotation would be needed. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
