Currently http.cookiejar.join_header_words() uses re.search(r"^\w+$", v) to check whether the value can be represented as a token, unquoted. There are some red flags here:

1. \w looks arbitrary. And it is. The original Perl implementation (it is now in HTTP::Headers::Util) uses a set of characters documented in the split_header_words() docstring. On one side, it allows more characters (like "." or "-") be unquoted, on other hand, it requires quoting non-ASCII letters and digits.
2. $ matches not only the end of the string, but also a position just before \n. So this pattern does not work for value containing \n. I do not know whether such values are supported at higher level, but currently that code is prone to header injection.
3. Using search() with anchors at both ends for testing the whole string is very outdated, this patterns precedes the current re module. First, match() was added to testing the match from beginning, and later fullmatch() was added for testing the whole string.

Linked PRs

• gh-130631: Make join_header_words() more similar to the original Perl version #130632
• [3.13] gh-130631: Make join_header_words() more similar to the original Perl version (GH-130632) #132303