Affects v5.2.4.RELEASE, though I think response cookie validation was added in v5.2.x.
We're calling a third-party service that returns a Set-Cookie header with a domain="" value. This is non-compliant with RFC 6265, so it is technically wrong.
However, Spring's now throwing an exception when encountering this header, so the entire request fails and the application is unable to consume the response.
Is this intended behaviour? I think in this case Spring should "be conservative in what it does, be liberal in what it accepts from others".