From e22dd5e0ef69db39c81c7d7debf5b9367b3a46ee Mon Sep 17 00:00:00 2001
From: "carpentry-heartbeat[bot]"
Date: Wed, 20 May 2026 07:27:08 +0200
Subject: [PATCH] Ignore unknown Set-Cookie attributes in Cookie.parse-set (RFC 6265)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The parser previously hard-failed on unrecognised attributes like Partitioned and Priority, which modern servers routinely send. RFC 6265 ยง5.2 says unknown attributes MUST be silently ignored.
---
 http.carp | 2 +-
 test/http.carp | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/http.carp b/http.carp
index 7e82b08..f526a9a 100644
--- a/http.carp
+++ b/http.carp
@@ -158,7 +158,7 @@ the type yourself, instead you can [parse](#parse) it.")
 (fmt "malformed samesite property in set-cookie, unknown value: %s" &s)))))
- (Result.Error (fmt "Unknown set-cookie property: %s" prop))))))
+ (Result.Success c)))))

 (doc parse-set "parses a `Set-Cookie` form.")
 (defn parse-set [s]
diff --git a/test/http.carp b/test/http.carp
index f09a977..325d2cf 100644
--- a/test/http.carp
+++ b/test/http.carp
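Review bot: In http.carp the new fallback `(Result.Success c)` now swallows every attribute the preceding match fails to recognise, and that includes a known security attribute written in a different case. The match itself is outside this hunk, so this needs checking: if the name comparison is case-sensitive, `id=abc; secure; httponly` would previously have been an error and will now produce a cookie with neither flag set. RFC 6265 matches attribute names case-insensitively, so the name should be normalised before the match and a test with lower-case `secure` added. I would also put a comment on the fallback line, `; RFC 6265 5.2: unrecognised attributes are ignored, not treated as an error`, so the fail-open branch reads as deliberate.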
@@ -161,6 +161,26 @@
 _ false)
 "parse-set rejects malformed Expires date")

+ ; -- Unknown Set-Cookie attributes are silently ignored (RFC 6265) --
+ (assert-true test
+ (match (Cookie.parse-set "id=abc; Partitioned")
+ (Result.Success c) (= (Cookie.name &c) "id")
+ _ false)
+ "parse-set ignores unknown attribute Partitioned")
+
+ (assert-true test
+ (match (Cookie.parse-set "id=abc; Priority=High")
+ (Result.Success c) (= (Cookie.value &c) "abc")
+ _ false)
+ "parse-set ignores unknown attribute Priority=High")
+
+ (assert-true test
+ (match (Cookie.parse-set
+ "id=abc; Path=/; Partitioned; Secure; Priority=High")
+ (Result.Success c) (and (= (Cookie.path &c) "/") @(Cookie.secure &c))
+ _ false)
+ "parse-set handles mix of known and unknown attributes")
+
 ; -- Cookie value containing '=' (e.g. base64 padding) --
 (assert-true test
 (match (Cookie.parse-set "session=YWJjZA==")
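Review bot: The three added tests cover only the success path, so nothing pins that a malformed known attribute is still rejected once an unknown attribute has been skipped. Since the parser now fails open on unknown names, a negative case belongs next to the mixed-attribute test. The sketch below uses an invalid SameSite value after `Partitioned` and expects an error, assuming the "malformed samesite property" branch in http.carp still applies to it. The enclosing test form starts and ends outside this hunk.

```carp
; … unchanged: the three "ignores unknown attribute" tests …
(assert-true test
  (match (Cookie.parse-set "id=abc; Partitioned; SameSite=bogus")
    (Result.Error _) true
    _ false)
  "parse-set still rejects malformed SameSite after an unknown attribute")
```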