HTTP

Minimum support

For requests: the GET and HEAD methods, the Content-Length and Transfer-Encoding fields, and chunked encoding. Support for folded request fields is not required. Since RFC 2616, also “Expect: 100-continue”.

Caching

With no cache-related header fields, some responses (including a 200 “OK” response to a GET) may be stored in a cache by default. If a response is cacheable and no freshness expiry time is given, an expiry time may be calculated heuristically, e.g. from the difference between the Last-Modified and Date response fields.

To indicate that something should always be served from a cache where possible, set a large expiry time (e.g. max-age=2592000 for 30 days). To prevent something from being stored in a shared cache when the request does not use the Authorization field, include the private response directive (Cache-Control: private).

Cookies

Syntax

Cookie names and values may not contain semicolons, commas, or whitespace. The Netscape specification seems to allow quotes as ordinary characters. RFC 6265 disallows double quotes, except that the whole value may be enclosed in double quotes. Support for proper quoted-string values (RFCs 2109 and 2965), where the string can contain almost anything, backslashes can escape internal double quotes, and a backslash at the end of the string is ambiguous (by accident; errata ID 3407), is spotty.

Avoid cookie names beginning with a dollar sign ($; RFCs 2109 and 2965), or “__Secure-” or “__Host-” (two underscores “_”, one dash “-”; draft-ietf-httpbis-rfc6265bis-02).

Multiple cookies go into a single Cookie header field, separated by semicolons (not commas). For Set-Cookie, each cookie should be sent in its own header field. (Splitting on commas would be ambiguous because of the comma in dates.)

Expires

https://github.com/abarth/http-state/blob/master/notes/2009-08-05-Dan-Winship.txt

Suggested date formats include:

RFC 6265 gives a generic procedure for parsing the date. The date is split into tokens consisting of digits, letters, and colons (:), so the commas (,), dashes (-), and spaces in the formats above are treated as delimiters. The tokens are matched against the day-of-month, month name, year, and time components. Order does not matter, except that the day of the month must come before the year. The weekday name and time zone are ignored, and two-digit years (99 and less) are mapped to 1970–2069.
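The tokenising procedure above, written out in Python as an added example (this is not code from these notes or from any cookie library). The sample dates in the comments are constructed; the parser returns a UTC datetime, or None when RFC 6265 says to fail, which is also what happens when a two-digit year precedes the day.

```python
import re
from datetime import datetime, timezone

# RFC 6265 s5.1.1 delimiters: HTAB, %x20-2F, %x3B-40, %x5B-60, %x7B-7E.
# Everything else (digits, letters, ":", control and high bytes) is token text.
_DELIM = re.compile(r"[\x09\x20-\x2f\x3b-\x40\x5b-\x60\x7b-\x7e]+")
# time: 1*2DIGIT ":" 1*2DIGIT ":" 1*2DIGIT, optionally followed by non-digit junk
_TIME = re.compile(r"^([0-9]{1,2}):([0-9]{1,2}):([0-9]{1,2})(?:[^0-9].*)?$", re.S)
_DAY = re.compile(r"^([0-9]{1,2})(?:[^0-9].*)?$", re.S)    # day-of-month
_YEAR = re.compile(r"^([0-9]{2,4})(?:[^0-9].*)?$", re.S)   # year: 2*4DIGIT
_MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
           "jul", "aug", "sep", "oct", "nov", "dec"]


def parse_cookie_date(value):
    """Parse a cookie-date per RFC 6265 5.1.1; return an aware UTC datetime or None.

    Each token is tried against time, day-of-month, month, year, in that order,
    and only the first unfilled slot it matches is taken. Weekday names and the
    time zone token never match anything and are ignored.
    """
    hour = minute = second = day = month = year = None
    for token in _DELIM.split(value):
        if not token:                       # leading/trailing delimiter
            continue
        m = _TIME.match(token)
        if hour is None and m:
            hour, minute, second = (int(g) for g in m.groups())
            continue
        m = _DAY.match(token)               # a bare "94" lands here if day is
        if day is None and m:               # still unfilled, hence day-before-year
            day = int(m.group(1))
            continue
        if month is None and token[:3].lower() in _MONTHS:
            month = _MONTHS.index(token[:3].lower()) + 1
            continue
        m = _YEAR.match(token)
        if year is None and m:
            year = int(m.group(1))
            continue
    if None in (hour, day, month, year):
        return None
    if 70 <= year <= 99:                    # two-digit years map to 1970-2069
        year += 1900
    elif 0 <= year <= 69:
        year += 2000
    if not 1 <= day <= 31 or year < 1601 or hour > 23 or minute > 59 or second > 59:
        return None
    try:
        return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError:                      # non-existent date such as 31 Feb
        return None
```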

Cross-origin access

Browsers restrict some kinds of access based on an “origin”. The scheme, the host, and sometimes the port of a URL determine its origin.