http-extensions
RFC6265bis: Attributes should specify how missing/invalid values should be handled
A number of cookie attributes accept values which must conform to some requirement of the attribute. These values can be more freeform, such as Domain or Path, or must be an item from an enumerated set, such as SameSite's {None, Lax, Strict}.
We've had some recent issues trying to clarify how an attribute should handle values it doesn't understand or that are invalid, such as https://github.com/httpwg/http-extensions/issues/1757 and https://github.com/httpwg/http-extensions/issues/1332.
Rather than attack these piecewise, we should consider examining all applicable attributes and determine a reasonable course of action for bad input: Drop the cookie, ignore the attribute, use some default, use the most recent valid input of the attribute*, etc.
* I.e.: given Set-Cookie: foo=bar; ExampleAttribute=valid1; ExampleAttribute=valid2; ExampleAttribute=invalid, the cookie processing logic would extract valid2, as it's the last value it understood.
Are browsers consistent across attributes for this? If not, this might be risky to change, but it's still worth settling on a set of rules for new attributes.
Chrome has recently aligned with the other browsers on how an empty Domain attribute is handled (#1332), so there is at least one where we were inconsistent.
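As an added illustration (not code from the issue or from the httpwg draft), the following small parser applies each of the candidate policies listed above to an unrecognised SameSite value, so the behavioural differences can be compared on one header. The returned dict layout, the policy names and the use of "Lax" as the fallback default are assumptions of this example.

```python
"""Constructed example: one Set-Cookie parser, four policies for bad input."""
from typing import Optional

# Enumerated values the SameSite attribute understands (compared case-insensitively).
SAMESITE_VALUES = {"none", "lax", "strict"}


def parse_set_cookie(header: str, policy: str = "last-valid") -> Optional[dict]:
    """Parse a Set-Cookie header value and return a cookie dict, or None to drop it.

    `policy` decides what happens when a SameSite value is not understood:
      "drop"       - reject the whole cookie (return None)
      "ignore"     - treat the attribute as absent (any earlier value is discarded)
      "default"    - fall back to an assumed default of "Lax"
      "last-valid" - keep the most recent value that was understood (the issue's
                     footnote example: valid1, valid2, invalid -> valid2)
    Attribute names are case-insensitive; a later occurrence normally overrides an
    earlier one, as in RFC 6265 section 5.3.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    if not name.strip():
        return None  # RFC 6265: a cookie with an empty name is ignored entirely
    cookie = {"name": name.strip(), "value": value.strip(), "samesite": None}

    for attr in parts[1:]:
        aname, _, aval = attr.partition("=")
        aname, aval = aname.strip().lower(), aval.strip()
        if aname != "samesite":
            continue  # other attributes are out of scope for this example
        if aval.lower() in SAMESITE_VALUES:
            cookie["samesite"] = aval.capitalize()  # understood: (re)set it
            continue
        # Unrecognised value: apply the chosen policy.
        if policy == "drop":
            return None
        if policy == "ignore":
            cookie["samesite"] = None
        elif policy == "default":
            cookie["samesite"] = "Lax"
        # "last-valid": leave whatever was previously understood untouched
    return cookie
```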