Changes between Initial Version and Version 1 of Ticket #33212, comment 1
- Timestamp: Oct 20, 2021, 11:26:04 AM (3 years ago)
Ticket #33212, comment 1
Initial version:

There is a related discussion at https://code.djangoproject.com/ticket/33212 where it is claimed that splitting on ';' is safe (because a raw ';' is invalid in a cookie value). I don't think it is, unless we assume that all HTTP requests come **from well-known browsers** that are **trustworthy** to follow standards.

Version 1:

There is a related discussion at https://code.djangoproject.com/ticket/26158 where it is claimed that splitting on ';' is safe (because a raw ';' is invalid in a cookie value). I don't think it is, unless we assume that all HTTP requests come **from well-known browsers** that are **trustworthy** to follow standards.