Chrome allows setting cookie values that don't follow the spec, which causes errors for server software that tries to parse the "Cookie" header.
I ran into this issue when trying to add the "Sign in with Google" button to my web application. That feature ends up setting a cookie with name 'g_state' and value 'g_state={"i_l":0}'. The spec does not allow double quotes in cookie values (see "cookie-value" in https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1).
Even though my server isn't using the 'g_state' cookie, its presence in the "Cookie" header causes the entire header to be out-of-spec, which causes the cookie parsing library to reject the entire header.
Ideally, Chrome (and other browsers) would follow the spec, but I imagine there are compatibility tradeoffs. So in the short/medium term, I'd like to write a cookie parsing library (in JavaScript) that can parse the "Cookie" headers that are generated by popular browsers.
Is there documentation anywhere on what exactly Chrome allows?
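
An added example, not part of the original post: a "Cookie" header parser that checks each pair against the RFC 6265 section 4.1.1 grammar on its own, so an out-of-spec cookie such as 'g_state' is reported without the rest of the header being rejected. The function names, the first-occurrence-wins policy and the sample header are assumptions of this example, and it does not document what Chrome accepts.

```javascript
// RFC 6265 section 4.1.1: cookie-name is a token, cookie-value is made of cookie-octets.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

// cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
function isStrictValue(value) {
  const quoted = value.length >= 2 && value.startsWith('"') && value.endsWith('"');
  return COOKIE_OCTETS.test(quoted ? value.slice(1, -1) : value);
}

// Hypothetical helper: parse pair by pair so that one out-of-spec cookie
// cannot invalidate the others. Values are kept raw, never decoded here.
function parseCookieHeader(header) {
  const cookies = new Map();
  const violations = [];
  for (const part of header.split(';')) {
    const pair = part.trim();
    if (pair === '') continue; // tolerate empty segments such as a trailing ';'
    const eq = pair.indexOf('=');
    if (eq === -1) {
      violations.push({ name: pair, reason: 'missing "="' });
      continue;
    }
    const name = pair.slice(0, eq).trim();
    const value = pair.slice(eq + 1).trim();
    if (!TOKEN.test(name)) {
      // A name outside the token grammar is dropped, not stored.
      violations.push({ name, reason: 'invalid cookie-name' });
      continue;
    }
    if (!isStrictValue(value)) {
      // Stored anyway so the caller decides, but flagged as out of spec.
      violations.push({ name, reason: 'value outside cookie-value grammar' });
    }
    // Policy assumption of this example: the first occurrence of a name wins.
    if (!cookies.has(name)) cookies.set(name, value);
  }
  return { cookies, violations };
}

// Constructed sample header: two in-spec cookies around the g_state cookie from the post.
const SAMPLE_HEADER = 'session=abc123; g_state={"i_l":0}; theme="dark"';
const parsed = parseCookieHeader(SAMPLE_HEADER);
console.log([...parsed.cookies.keys()], parsed.violations);
```

A server that only reads its own cookies can look them up in `cookies` and log `violations` instead of failing the request.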