Allow tab characters in cookies

[recvfrom]

Fixes #203 - Allow tab characters in cookies

Also, applies the invalid character checks to all other attribute values as well for added clarity (even if they are less likely to contain invalid characters due to other restrictions on the types for those)

---

Preview | Diff

[recvfrom]

Hmm, after reading the latest version of the spec again, the changes in this PR don't exactly line up (likely due to an oversight)... I'll update this PR so that it aligns with what's in the spec today

[inexorabletash]

Are there WPT changes that correspond to this?

[recvfrom]

I just submitted the corresponding WPT changes for review - https://chromium-review.googlesource.com/c/chromium/src/+/3084521

[inexorabletash]

What happens to validation for domain and path?

[recvfrom]

I added a comment here about this - httpwg/http-extensions#1593 (comment)

In the RFC, the character restrictions apply to attribute values derived from Set-Cookie headers, but in the Storage Model section it only says that these character checks should happen for name and value... I think this may be more of an oversight than intentional, but regardless, my thinking with the change above is that this spec should match what's in the RFC today and then when/if the character restrictions are made to apply to attribute values as well, we can update it here also. What do you think?

[inexorabletash]

SGTM, but I'd add a TODO: ... or Issue: ... block to the spec referencing the issue.

[recvfrom]

With what I added with the latest commit, it looks like this:

Does that seem reasonable?

[inexorabletash]

LGTM. Since the expires and sameSite attributes aren't passed through from script as strings I don't think those are a concern.