Regular Expressions

[Zegnat]

It looks like you have taken the current RegExp for cookie values ([^;]+) from issue 7 on the original Google Project. The original poster there mentioned using RFC 2965. RFC 2965 does not allow cookie values to “contain any ASCII character except semicolon.” This is only true when the value is quoted ("value"), else it is very restrictive.

RFC 2965 is currently obsolete and superseded by RFC 6265. It defines exactly what characters are allowed in cookies, specifically in section 4.1.1, and makes the current RegExp completely wrong. The original RegExp by Haineault came closer, actually.

The main problem with only disallowing the semicolon (;), as you do, is that you allow all kinds of Unicode characters to be matched. Characters that should not be a part of a cookie value.

The official definition:

cookie-value      = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet      = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
                      ; US-ASCII characters excluding CTLs,
                      ; whitespace DQUOTE, comma, semicolon,
                      ; and backslash

This can easily be converted to RegExp:

[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*|"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*"

If you want to save 2 chars of your JavaScript you can use [!#$%&'()*+\-./0-9:<=>?@A-Z[\]^_a-z{|}~]instead of[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]`.

---

Test case

// According to RFC 6265:
/^("?)[!#$%&'()*+\-.\/0-9:<=>?@A-Z[\]^_`a-z{|}~]*\1$/.test('"H@l1o_th>re"') == TRUE
/^("?)[!#$%&'()*+\-.\/0-9:<=>?@A-Z[\]^_`a-z{|}~]*\1$/.test('"H@l1o_th>re') == FALSE
/^("?)[!#$%&'()*+\-.\/0-9:<=>?@A-Z[\]^_`a-z{|}~]*\1$/.test('H@l1o_th>re"') == FALSE
/^("?)[!#$%&'()*+\-.\/0-9:<=>?@A-Z[\]^_`a-z{|}~]*\1$/.test('H@l1o_th>re') == TRUE
/^("?)[!#$%&'()*+\-.\/0-9:<=>?@A-Z[\]^_`a-z{|}~]*\1$/.test('Üñîçødë') == FALSE
// Current RegExp:
/[^;]+($|;)/.test('"H@l1o_th>re"') == TRUE
/[^;]+($|;)/.test('"H@l1o_th>re') == TRUE
/[^;]+($|;)/.test('H@l1o_th>re"') == TRUE
/[^;]+($|;)/.test('H@l1o_th>re') == TRUE
/[^;]+($|;)/.test('Üñîçødë') == TRUE

---

Feature request

Could you check whether key is a valid value when doing .set()? Here is the RegExp:

[\x21\x23-\x27\x2A\x2B\x2D\x2E\x30-\x39\x41-\x5A\x5E-\x7A\x7C\x7E]+

Or if you don’t like the hex values:

[!#$%&'*+\-.0-9A-Z^_`a-z|~]+

---

I think it would be great to have a library independent script for managing cookies in an easy and correct way. This could be it, but it needs some maintenance done.

[findchris]

Thanks for your thoughtful comment. If you put this change into a pull request, I'll merge it in as it seems to be a straightforward and logical request.

Cheers.