draft-ietf-httpbis-rfc6265bis-05.txt   draft-ietf-httpbis-rfc6265bis-latest.txt 
HTTP Working Group M. West, Ed. HTTP Working Group M. West, Ed.
Internet-Draft Google, Inc Internet-Draft Google, Inc
Obsoletes: 6265 (if approved) J. Wilander, Ed. Obsoletes: 6265 (if approved) J. Wilander, Ed.
Intended status: Standards Track Apple, Inc Intended status: Standards Track Apple, Inc
Expires: August 8, 2020 February 5, 2020 Expires: October 4, 2020 April 2, 2020
Cookies: HTTP State Management Mechanism Cookies: HTTP State Management Mechanism
draft-ietf-httpbis-rfc6265bis-05 draft-ietf-httpbis-rfc6265bis-latest
Abstract Abstract
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
These header fields can be used by HTTP servers to store state These header fields can be used by HTTP servers to store state
(called cookies) at HTTP user agents, letting the servers maintain a (called cookies) at HTTP user agents, letting the servers maintain a
stateful session over the mostly stateless HTTP protocol. Although stateful session over the mostly stateless HTTP protocol. Although
cookies have many historical infelicities that degrade their security cookies have many historical infelicities that degrade their security
and privacy, the Cookie and Set-Cookie header fields are widely used and privacy, the Cookie and Set-Cookie header fields are widely used
on the Internet. This document obsoletes RFC 6265. on the Internet. This document obsoletes RFC 6265.
skipping to change at page 1, line 47 skipping to change at page 1, line 47
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 8, 2020. This Internet-Draft will expire on October 4, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 43 skipping to change at page 3, line 43
8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 41 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 41
8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 42 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 42
8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 42 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 42
8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 42 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 42
8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 42 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 42
8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 43 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 43
8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 43 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 43
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44
9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 44 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 44
9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 44 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 44
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 44
10.1. Normative References . . . . . . . . . . . . . . . . . . 44 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 44
10.2. Informative References . . . . . . . . . . . . . . . . . 46 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 45
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 45
10.1. Normative References . . . . . . . . . . . . . . . . . . 45
10.2. Informative References . . . . . . . . . . . . . . . . . 47
10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 48 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 49 Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 50
A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 49 A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 50
A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 49 A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 50
A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 49 A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 50
A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 50 A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 51
A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 50 A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 51
A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 50 A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 51
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 51 A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 52
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 51 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 52
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 52
1. Introduction 1. Introduction
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
Using the Set-Cookie header field, an HTTP server can pass name/value Using the Set-Cookie header field, an HTTP server can pass name/value
pairs and associated metadata (called cookies) to a user agent. When pairs and associated metadata (called cookies) to a user agent. When
the user agent makes subsequent requests to the server, the user the user agent makes subsequent requests to the server, the user
agent uses the metadata and other information to determine whether to agent uses the metadata and other information to determine whether to
return the name/value pairs in the Cookie header. return the name/value pairs in the Cookie header.
skipping to change at page 28, line 28 skipping to change at page 28, line 28
cookies along with cross-site requests if and only if they are top- cookies along with cross-site requests if and only if they are top-
level navigations which use a "safe" (in the [RFC7231] sense) HTTP level navigations which use a "safe" (in the [RFC7231] sense) HTTP
method. method.
Lax enforcement provides reasonable defense in depth against CSRF Lax enforcement provides reasonable defense in depth against CSRF
attacks that rely on unsafe HTTP methods (like "POST"), but does not attacks that rely on unsafe HTTP methods (like "POST"), but does not
offer a robust defense against CSRF as a general category of attack: offer a robust defense against CSRF as a general category of attack:
1. Attackers can still pop up new windows or trigger top-level 1. Attackers can still pop up new windows or trigger top-level
navigations in order to create a "same-site" request (as navigations in order to create a "same-site" request (as
described in section 5.2.1), which is only a speedbump along the described in Section 5.2.1), which is only a speedbump along the
road to exploitation. road to exploitation.
2. Features like "<link rel='prerender'>" [prerendering] can be 2. Features like "<link rel='prerender'>" [prerendering] can be
exploited to create "same-site" requests without the risk of user exploited to create "same-site" requests without the risk of user
detection. detection.
When possible, developers should use a session management mechanism When possible, developers should use a session management mechanism
such as that described in Section 8.8.2 to mitigate the risk of CSRF such as that described in Section 8.8.2 to mitigate the risk of CSRF
more completely. more completely.
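Review bot: the change from "section 5.2.1" to "Section 5.2.1" in item 1 matches the capitalized cross-reference style already used in the same hunk ("Section 8.8.2"); a sweep of the rest of the document for remaining lowercase "section N" references would keep the style consistent, since this hunk fixes only the one occurrence.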
skipping to change at page 31, line 13 skipping to change at page 31, line 13
ignore the cookie entirely. ignore the cookie entirely.
10. If the cookie-attribute-list contains an attribute with an 10. If the cookie-attribute-list contains an attribute with an
attribute-name of "HttpOnly", set the cookie's http-only-flag to attribute-name of "HttpOnly", set the cookie's http-only-flag to
true. Otherwise, set the cookie's http-only-flag to false. true. Otherwise, set the cookie's http-only-flag to false.
11. If the cookie was received from a "non-HTTP" API and the 11. If the cookie was received from a "non-HTTP" API and the
cookie's http-only-flag is true, abort these steps and ignore cookie's http-only-flag is true, abort these steps and ignore
the cookie entirely. the cookie entirely.
12. If the cookie's secure-only-flag is not set, and the scheme 12. If the cookie's secure-only-flag is false, and the scheme
component of request-uri does not denote a "secure" protocol, component of request-uri does not denote a "secure" protocol,
then abort these steps and ignore the cookie entirely if the then abort these steps and ignore the cookie entirely if the
cookie store contains one or more cookies that meet all of the cookie store contains one or more cookies that meet all of the
following criteria: following criteria:
1. Their name matches the name of the newly-created cookie. 1. Their name matches the name of the newly-created cookie.
2. Their secure-only-flag is true. 2. Their secure-only-flag is true.
3. Their domain domain-matches the domain of the newly-created 3. Their domain domain-matches the domain of the newly-created
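Review bot: step 12's rewording from "is not set" to "is false" is the right fix, because criterion 2 of the same step tests "Their secure-only-flag is true" and step 10 assigns the http-only-flag the literal values true and false, so "not set" could be misread as "absent" rather than "false"; the same phrasing should be checked wherever else a boolean flag is tested (the eviction-priority list later in this diff makes the matching change).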
skipping to change at page 33, line 27 skipping to change at page 33, line 27
At any time, the user agent MAY "remove excess cookies" from the At any time, the user agent MAY "remove excess cookies" from the
cookie store if the cookie store exceeds some predetermined upper cookie store if the cookie store exceeds some predetermined upper
bound (such as 3000 cookies). bound (such as 3000 cookies).
When the user agent removes excess cookies from the cookie store, the When the user agent removes excess cookies from the cookie store, the
user agent MUST evict cookies in the following priority order: user agent MUST evict cookies in the following priority order:
1. Expired cookies. 1. Expired cookies.
2. Cookies whose secure-only-flag is not set, and which share a 2. Cookies whose secure-only-flag is false, and which share a domain
domain field with more than a predetermined number of other field with more than a predetermined number of other cookies.
cookies.
3. Cookies that share a domain field with more than a predetermined 3. Cookies that share a domain field with more than a predetermined
number of other cookies. number of other cookies.
4. All cookies. 4. All cookies.
If two cookies have the same removal priority, the user agent MUST If two cookies have the same removal priority, the user agent MUST
evict the cookie with the earliest last-access-time first. evict the cookie with the earliest last-access-time first.
When "the current session is over" (as defined by the user agent), When "the current session is over" (as defined by the user agent),
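Review bot: item 2 of the eviction priority list now reads "secure-only-flag is false", matching step 12 of the storage algorithm. A remaining point is that items 2 and 3 both hinge on "a predetermined number of other cookies" without any indicative value, whereas the overall upper bound gives "(such as 3000 cookies)"; a similar parenthetical example for the per-domain limit would help implementers apply the order the same way.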
skipping to change at page 35, line 29 skipping to change at page 35, line 26
this order reflects common practice when this document was this order reflects common practice when this document was
written, and, historically, there have been servers that written, and, historically, there have been servers that
(erroneously) depended on this order. (erroneously) depended on this order.
3. Update the last-access-time of each cookie in the cookie-list to 3. Update the last-access-time of each cookie in the cookie-list to
the current date and time. the current date and time.
4. Serialize the cookie-list into a cookie-string by processing each 4. Serialize the cookie-list into a cookie-string by processing each
cookie in the cookie-list in order: cookie in the cookie-list in order:
1. Output the cookie's name, the %x3D ("=") character, and the 1. If the cookies' name is not empty, output the cookie's name
cookie's value. followed by the %x3D ("=") character.
2. If there is an unprocessed cookie in the cookie-list, output 2. If the cookies' value is not empty, output the cookie's
value.
3. If there is an unprocessed cookie in the cookie-list, output
the characters %x3B and %x20 ("; "). the characters %x3B and %x20 ("; ").
NOTE: Despite its name, the cookie-string is actually a sequence of NOTE: Despite its name, the cookie-string is actually a sequence of
octets, not a sequence of characters. To convert the cookie-string octets, not a sequence of characters. To convert the cookie-string
(or components thereof) into a sequence of characters (e.g., for (or components thereof) into a sequence of characters (e.g., for
presentation to the user), the user agent might wish to try using the presentation to the user), the user agent might wish to try using the
UTF-8 character encoding [RFC3629] to decode the octet sequence. UTF-8 character encoding [RFC3629] to decode the octet sequence.
This decoding might fail, however, because not every sequence of This decoding might fail, however, because not every sequence of
octets is valid UTF-8. octets is valid UTF-8.
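Review bot: in the new sub-steps 1 and 2 of step 4, "the cookies' name" and "the cookies' value" should read "the cookie's name" and "the cookie's value", matching "output the cookie's name" in the same sentence. On substance, the split means a cookie with an empty name serializes as its bare value with no "=" (so "Set-Cookie: token", stored as ("", "token") per A.5, round-trips as "token"), and a cookie with an empty value serializes as "name="; because A.5 states that cookies with neither name nor value are rejected, the serializer never emits an empty element, and a one-line note to that effect would settle the question for readers of this step alone.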
skipping to change at page 44, line 7 skipping to change at page 44, line 7
The "SameSite" attribute is set by the server, and serves to mitigate The "SameSite" attribute is set by the server, and serves to mitigate
the risk of certain kinds of attacks that the server is worried the risk of certain kinds of attacks that the server is worried
about. The user is not involved in this decision. Moreover, a about. The user is not involved in this decision. Moreover, a
number of side-channels exist which could allow a server to link number of side-channels exist which could allow a server to link
distinct requests even in the absence of cookies. Connection and/or distinct requests even in the absence of cookies. Connection and/or
socket pooling, Token Binding, and Channel ID all offer explicit socket pooling, Token Binding, and Channel ID all offer explicit
methods of identification that servers could take advantage of. methods of identification that servers could take advantage of.
9. IANA Considerations 9. IANA Considerations
The permanent message header field registry (see [RFC3864]) needs to
be updated with the following registrations.
9.1. Cookie 9.1. Cookie
The permanent message header field registry (see [RFC3864]) needs to
be updated with the following registration:
Header field name: Cookie Header field name: Cookie
Applicable protocol: http Applicable protocol: http
Status: standard Status: standard
Author/Change controller: IETF Author/Change controller: IETF
Specification document: this specification (Section 5.5) Specification document: this specification (Section 5.5)
9.2. Set-Cookie 9.2. Set-Cookie
The permanent message header field registry (see [RFC3864]) needs to
be updated with the following registration:
Header field name: Set-Cookie Header field name: Set-Cookie
Applicable protocol: http Applicable protocol: http
Status: standard Status: standard
Author/Change controller: IETF Author/Change controller: IETF
Specification document: this specification (Section 5.3) Specification document: this specification (Section 5.3)
9.3. Cookie Attribute Registry
The "Cookie Attribute Registry" defines the name space of attribute
used to control cookies' behavior. The registry is maintained at
https://www.iana.org/assignments/cookie-attribute-names [4].
9.3.1. Procedure
Each registered attribute name is associated with a description, and
a reference detailing how the attribute is to be processed and
stored.
New registrations happen on a "RFC Required" basis (see Section 4.7
of [RFC8126]). The attribute to be registered MUST match the
"extension-av" syntax defined in Section 4.1.1. Note that attribute
names are generally defined in CamelCase, but technically accepted
case-insensitively.
9.3.2. Registration
The "Cookie Attribute Registry" will be updated with the
registrations below:
+----------+----------------------------------------+
| Name | Reference |
+----------+----------------------------------------+
| Domain | Section 4.1.2.3 of this document |
| Expires | Section 4.1.2.1 of this document |
| HttpOnly | {{attribute-httponly} of this document |
| Max-Age | {{attribute-max-age} of this document |
| Path | {{attribute-path} of this document |
| SameSite | {{attribute-samesite} of this document |
| Secure | {{attribute-secure} of this document |
+----------+----------------------------------------+
10. References 10. References
10.1. Normative References 10.1. Normative References
[FETCH] van Kesteren, A., "Fetch", n.d., [FETCH] van Kesteren, A., "Fetch", n.d.,
<https://fetch.spec.whatwg.org/>. <https://fetch.spec.whatwg.org/>.
[HTML] Hickson, I., Pieters, S., van Kesteren, A., Jaegenstedt, [HTML] Hickson, I., Pieters, S., van Kesteren, A., Jaegenstedt,
P., and D. Denicola, "HTML", n.d., P., and D. Denicola, "HTML", n.d.,
<https://html.spec.whatwg.org/>. <https://html.spec.whatwg.org/>.
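Review bot: the registration table in 9.3.2 contains unrendered source references: the HttpOnly, Max-Age, Path, SameSite and Secure rows read "{{attribute-httponly} of this document" and so on, with an unbalanced brace, while the Domain and Expires rows resolved to "Section 4.1.2.3" and "Section 4.1.2.1"; these should resolve to section numbers before publication. Two smaller points in 9.3: "the name space of attribute used" should be "the name space of attribute names used", and "a "RFC Required" basis" should be "an "RFC Required" basis".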
skipping to change at page 46, line 5 skipping to change at page 46, line 41
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing", Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014, RFC 7230, DOI 10.17487/RFC7230, June 2014,
<https://www.rfc-editor.org/info/rfc7230>. <https://www.rfc-editor.org/info/rfc7230>.
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content", RFC 7231, Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
DOI 10.17487/RFC7231, June 2014, DOI 10.17487/RFC7231, June 2014,
<https://www.rfc-editor.org/info/rfc7231>. <https://www.rfc-editor.org/info/rfc7231>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
[SERVICE-WORKERS] [SERVICE-WORKERS]
Russell, A., Song, J., and J. Archibald, "Service Russell, A., Song, J., and J. Archibald, "Service
Workers", n.d., <http://www.w3.org/TR/service-workers/>. Workers", n.d., <http://www.w3.org/TR/service-workers/>.
[USASCII] American National Standards Institute, "Coded Character [USASCII] American National Standards Institute, "Coded Character
Set -- 7-bit American Standard Code for Information Set -- 7-bit American Standard Code for Information
Interchange", ANSI X3.4, 1986. Interchange", ANSI X3.4, 1986.
10.2. Informative References 10.2. Informative References
skipping to change at page 48, line 13 skipping to change at page 48, line 48
June 2016, <http://unicode.org/reports/tr46/>. June 2016, <http://unicode.org/reports/tr46/>.
10.3. URIs 10.3. URIs
[1] https://lists.w3.org/Archives/Public/ietf-http-wg/ [1] https://lists.w3.org/Archives/Public/ietf-http-wg/
[2] http://httpwg.github.io/ [2] http://httpwg.github.io/
[3] https://github.com/httpwg/http-extensions/labels/6265bis [3] https://github.com/httpwg/http-extensions/labels/6265bis
[4] https://github.com/httpwg/http-extensions/issues/243 [4] https://www.iana.org/assignments/cookie-attribute-names
[5] https://github.com/httpwg/http-extensions/issues/246 [5] https://github.com/httpwg/http-extensions/issues/243
[6] https://www.rfc-editor.org/errata_search.php?rfc=6265 [6] https://github.com/httpwg/http-extensions/issues/246
[7] https://github.com/httpwg/http-extensions/issues/247 [7] https://www.rfc-editor.org/errata_search.php?rfc=6265
[8] https://github.com/httpwg/http-extensions/issues/201 [8] https://github.com/httpwg/http-extensions/issues/247
[9] https://github.com/httpwg/http-extensions/issues/204 [9] https://github.com/httpwg/http-extensions/issues/201
[10] https://github.com/httpwg/http-extensions/issues/222 [10] https://github.com/httpwg/http-extensions/issues/204
[11] https://github.com/httpwg/http-extensions/issues/248 [11] https://github.com/httpwg/http-extensions/issues/222
[12] https://github.com/httpwg/http-extensions/issues/295 [12] https://github.com/httpwg/http-extensions/issues/248
[13] https://github.com/httpwg/http-extensions/issues/302 [13] https://github.com/httpwg/http-extensions/issues/295
[14] https://github.com/httpwg/http-extensions/issues/389 [14] https://github.com/httpwg/http-extensions/issues/302
[15] https://github.com/httpwg/http-extensions/issues/199 [15] https://github.com/httpwg/http-extensions/issues/389
[16] https://github.com/httpwg/http-extensions/issues/788 [16] https://github.com/httpwg/http-extensions/issues/199
[17] https://github.com/httpwg/http-extensions/issues/594 [17] https://github.com/httpwg/http-extensions/issues/788
[18] https://github.com/httpwg/http-extensions/issues/159 [18] https://github.com/httpwg/http-extensions/issues/594
[19] https://github.com/httpwg/http-extensions/issues/159 [19] https://github.com/httpwg/http-extensions/issues/159
[20] https://github.com/httpwg/http-extensions/issues/901 [20] https://github.com/httpwg/http-extensions/issues/159
[21] https://github.com/httpwg/http-extensions/pull/1035 [21] https://github.com/httpwg/http-extensions/issues/901
[22] https://github.com/httpwg/http-extensions/pull/1038 [22] https://github.com/httpwg/http-extensions/pull/1035
[23] https://github.com/httpwg/http-extensions/pull/1040 [23] https://github.com/httpwg/http-extensions/pull/1038
[24] https://github.com/httpwg/http-extensions/pull/1047 [24] https://github.com/httpwg/http-extensions/pull/1040
[25] https://github.com/httpwg/http-extensions/pull/1047
[26] https://github.com/httpwg/http-extensions/pull/1060
[27] https://github.com/httpwg/http-extensions/issues/1059
[28] https://github.com/httpwg/http-extensions/pull/1143
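Review bot: entries [19] and [20] in the renumbered URI list both point to https://github.com/httpwg/http-extensions/issues/159 (as [18] and [19] did before); since both citations come from A.5, they could share a single entry. The new [4] matches the registry URL given in 9.3, and the new [26] through [28] match the three A.7 items.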
Appendix A. Changes Appendix A. Changes
A.1. draft-ietf-httpbis-rfc6265bis-00 A.1. draft-ietf-httpbis-rfc6265bis-00
o Port [RFC6265] to Markdown. No (intentional) normative changes. o Port [RFC6265] to Markdown. No (intentional) normative changes.
A.2. draft-ietf-httpbis-rfc6265bis-01 A.2. draft-ietf-httpbis-rfc6265bis-01
o Fixes to formatting caused by mistakes in the initial port to o Fixes to formatting caused by mistakes in the initial port to
Markdown: Markdown:
* https://github.com/httpwg/http-extensions/issues/243 [4] * https://github.com/httpwg/http-extensions/issues/243 [5]
* https://github.com/httpwg/http-extensions/issues/246 [5] * https://github.com/httpwg/http-extensions/issues/246 [6]
o Addresses errata 3444 by updating the "path-value" and "extension- o Addresses errata 3444 by updating the "path-value" and "extension-
av" grammar, errata 4148 by updating the "day-of-month", "year", av" grammar, errata 4148 by updating the "day-of-month", "year",
and "time" grammar, and errata 3663 by adding the requested note. and "time" grammar, and errata 3663 by adding the requested note.
https://www.rfc-editor.org/errata_search.php?rfc=6265 [6] https://www.rfc-editor.org/errata_search.php?rfc=6265 [7]
o Dropped "Cookie2" and "Set-Cookie2" from the IANA Considerations o Dropped "Cookie2" and "Set-Cookie2" from the IANA Considerations
section: https://github.com/httpwg/http-extensions/issues/247 [7] section: https://github.com/httpwg/http-extensions/issues/247 [8]
o Merged the recommendations from [I-D.ietf-httpbis-cookie-alone], o Merged the recommendations from [I-D.ietf-httpbis-cookie-alone],
removing the ability for a non-secure origin to set cookies with a removing the ability for a non-secure origin to set cookies with a
'secure' flag, and to overwrite cookies whose 'secure' flag is 'secure' flag, and to overwrite cookies whose 'secure' flag is
true. true.
o Merged the recommendations from o Merged the recommendations from
[I-D.ietf-httpbis-cookie-prefixes], adding "__Secure-" and [I-D.ietf-httpbis-cookie-prefixes], adding "__Secure-" and
"__Host-" cookie name prefix processing instructions. "__Host-" cookie name prefix processing instructions.
A.3. draft-ietf-httpbis-rfc6265bis-02 A.3. draft-ietf-httpbis-rfc6265bis-02
o Merged the recommendations from o Merged the recommendations from
[I-D.ietf-httpbis-cookie-same-site], adding support for the [I-D.ietf-httpbis-cookie-same-site], adding support for the
"SameSite" attribute. "SameSite" attribute.
o Closed a number of editorial bugs: o Closed a number of editorial bugs:
* Clarified address bar behavior for SameSite cookies: * Clarified address bar behavior for SameSite cookies:
https://github.com/httpwg/http-extensions/issues/201 [8] https://github.com/httpwg/http-extensions/issues/201 [9]
* Added the word "Cookies" to the document's name: * Added the word "Cookies" to the document's name:
https://github.com/httpwg/http-extensions/issues/204 [9] https://github.com/httpwg/http-extensions/issues/204 [10]
* Clarified that the "__Host-" prefix requires an explicit "Path" * Clarified that the "__Host-" prefix requires an explicit "Path"
attribute: https://github.com/httpwg/http-extensions/issues/222 attribute: https://github.com/httpwg/http-extensions/issues/222
[10] [11]
* Expanded the options for dealing with third-party cookies to * Expanded the options for dealing with third-party cookies to
include a brief mention of partitioning based on first-party: include a brief mention of partitioning based on first-party:
https://github.com/httpwg/http-extensions/issues/248 [11] https://github.com/httpwg/http-extensions/issues/248 [12]
* Noted that double-quotes in cookie values are part of the * Noted that double-quotes in cookie values are part of the
value, and are not stripped: https://github.com/httpwg/http- value, and are not stripped: https://github.com/httpwg/http-
extensions/issues/295 [12] extensions/issues/295 [13]
* Fixed the "site for cookies" algorithm to return something that * Fixed the "site for cookies" algorithm to return something that
makes sense: https://github.com/httpwg/http-extensions/ makes sense: https://github.com/httpwg/http-extensions/
issues/302 [13] issues/302 [14]
A.4. draft-ietf-httpbis-rfc6265bis-03 A.4. draft-ietf-httpbis-rfc6265bis-03
o Clarified handling of invalid SameSite values: o Clarified handling of invalid SameSite values:
https://github.com/httpwg/http-extensions/issues/389 [14] https://github.com/httpwg/http-extensions/issues/389 [15]
o Reflect widespread implementation practice of including a cookie's o Reflect widespread implementation practice of including a cookie's
"host-only-flag" when calculating its uniqueness: "host-only-flag" when calculating its uniqueness:
https://github.com/httpwg/http-extensions/issues/199 [15] https://github.com/httpwg/http-extensions/issues/199 [16]
o Introduced an explicit "None" value for the SameSite attribute: o Introduced an explicit "None" value for the SameSite attribute:
https://github.com/httpwg/http-extensions/issues/788 [16] https://github.com/httpwg/http-extensions/issues/788 [17]
A.5. draft-ietf-httpbis-rfc6265bis-04 A.5. draft-ietf-httpbis-rfc6265bis-04
o Allow "SameSite" cookies to be set for all top-level navigations. o Allow "SameSite" cookies to be set for all top-level navigations.
https://github.com/httpwg/http-extensions/issues/594 [17] https://github.com/httpwg/http-extensions/issues/594 [18]
o Treat "Set-Cookie: token" as creating the cookie "("", "token")": o Treat "Set-Cookie: token" as creating the cookie "("", "token")":
https://github.com/httpwg/http-extensions/issues/159 [18] https://github.com/httpwg/http-extensions/issues/159 [19]
o Reject cookies with neither name nor value (e.g. "Set-Cookie: =" o Reject cookies with neither name nor value (e.g. "Set-Cookie: ="
and "Set-Cookie:": https://github.com/httpwg/http-extensions/ and "Set-Cookie:": https://github.com/httpwg/http-extensions/
issues/159 [19] issues/159 [20]
o Clarified behavior of multiple "SameSite" attributes in a cookie o Clarified behavior of multiple "SameSite" attributes in a cookie
string: https://github.com/httpwg/http-extensions/issues/901 [20] string: https://github.com/httpwg/http-extensions/issues/901 [21]
A.6. draft-ietf-httpbis-rfc6265bis-05 A.6. draft-ietf-httpbis-rfc6265bis-05
o Typos and editorial fixes: https://github.com/httpwg/http- o Typos and editorial fixes: https://github.com/httpwg/http-
extensions/pull/1035 [21], https://github.com/httpwg/http- extensions/pull/1035 [22], https://github.com/httpwg/http-
extensions/pull/1038 [22], https://github.com/httpwg/http- extensions/pull/1038 [23], https://github.com/httpwg/http-
extensions/pull/1040 [23], https://github.com/httpwg/http- extensions/pull/1040 [24], https://github.com/httpwg/http-
extensions/pull/1047 [24]. extensions/pull/1047 [25].
A.7. draft-ietf-httpbis-rfc6265bis-06
o Created a registry for cookie attribute names:
https://github.com/httpwg/http-extensions/pull/1060 [26].
o Editorial fixes: https://github.com/httpwg/http-extensions/
issues/1059 [27].
o Fixed serialization for nameless/valueless cookies:
https://github.com/httpwg/http-extensions/pull/1143 [28].
Acknowledgements Acknowledgements
RFC 6265 was written by Adam Barth. This document is a minor update RFC 6265 was written by Adam Barth. This document is a minor update
of RFC 6265, adding small features, and aligning the specification of RFC 6265, adding small features, and aligning the specification
with the reality of today's deployments. Here, we're standing upon with the reality of today's deployments. Here, we're standing upon
the shoulders of a giant since the majority of the text is still the shoulders of a giant since the majority of the text is still
Adam's. Adam's.
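Review bot: in A.5 the parenthetical "(e.g. "Set-Cookie: =" and "Set-Cookie:"" is missing its closing parenthesis before the colon, in both columns. In A.7, "Fixed serialization for nameless/valueless cookies" would be easier to trace if it named the affected step (sub-steps 1 and 2 of step 4 of the cookie-string serialization), since the PR link alone does not say where in the document the change landed.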
Authors' Addresses Authors' Addresses
 End of changes. 53 change blocks. 
67 lines changed or deleted 135 lines changed or added

This html diff was produced by rfcdiff 1.44jr. The latest version is available from http://tools.ietf.org/tools/rfcdiff/