Reverted Whitespaces are no longer allowed in cookie names

Published: | Categories: JavaScript, Networking


Previously, Firefox was improperly allowing whitespace characters to be stored in cookie names in violation of RFC 6265. This behaviour was considered as a moderate security issue, because such an implementation error could lead to incorrect cookie handling by Web servers.

Firefox 44 has fixed the issue and cookies with an invalid name are no longer created. In JavaScript, both cookie names and values must be explicitly encoded using the encodeURIComponent method before being stored with the document.cookie property.

Update: Due to some broken applications, this change has been reverted with Firefox 44.0.1. While spaces are allowed again for interoperability, control characters will remain prohibited to prevent potential security issues.