draft-ietf-httpbis-rfc6265bis-10.txt		draft-ietf-httpbis-rfc6265bis-latest.txt
	HTTP Working Group L. Chen, Ed.		HTTP Working Group L. Chen, Ed.
	Internet-Draft Google LLC		Internet-Draft Google LLC
	Obsoletes: 6265 (if approved) S. Englehardt, Ed.		Obsoletes: 6265 (if approved) S. Englehardt, Ed.
	Intended status: Standards Track Mozilla		Intended status: Standards Track Mozilla
	Expires: October 26, 2022 M. West, Ed.		Expires: November 14, 2022 M. West, Ed.
	Google LLC		Google LLC
	J. Wilander, Ed.		J. Wilander, Ed.
	Apple, Inc		Apple, Inc
	April 24, 2022		May 13, 2022
	Cookies: HTTP State Management Mechanism		Cookies: HTTP State Management Mechanism
	draft-ietf-httpbis-rfc6265bis-10		draft-ietf-httpbis-rfc6265bis-latest
	Abstract		Abstract
	This document defines the HTTP Cookie and Set-Cookie header fields.		This document defines the HTTP Cookie and Set-Cookie header fields.
	These header fields can be used by HTTP servers to store state		These header fields can be used by HTTP servers to store state
	(called cookies) at HTTP user agents, letting the servers maintain a		(called cookies) at HTTP user agents, letting the servers maintain a
	stateful session over the mostly stateless HTTP protocol. Although		stateful session over the mostly stateless HTTP protocol. Although
	cookies have many historical infelicities that degrade their security		cookies have many historical infelicities that degrade their security
	and privacy, the Cookie and Set-Cookie header fields are widely used		and privacy, the Cookie and Set-Cookie header fields are widely used
	on the Internet. This document obsoletes RFC 6265.		on the Internet. This document obsoletes RFC 6265.
	skipping to change at page 2, line 10 ¶		skipping to change at page 2, line 10 ¶
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at https://datatracker.ietf.org/drafts/current/.		Drafts is at https://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on October 26, 2022.		This Internet-Draft will expire on November 14, 2022.
	Copyright Notice		Copyright Notice
	Copyright (c) 2022 IETF Trust and the persons identified as the		Copyright (c) 2022 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(https://trustee.ietf.org/license-info) in effect on the date of		(https://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	skipping to change at page 10, line 23 ¶		skipping to change at page 10, line 23 ¶
	which begins with a name-value-pair, followed by zero or more		which begins with a name-value-pair, followed by zero or more
	attribute-value pairs. Servers SHOULD NOT send Set-Cookie header		attribute-value pairs. Servers SHOULD NOT send Set-Cookie header
	fields that fail to conform to the following grammar:		fields that fail to conform to the following grammar:
	set-cookie = set-cookie-string		set-cookie = set-cookie-string
	set-cookie-string = BWS cookie-pair *( BWS ";" OWS cookie-av )		set-cookie-string = BWS cookie-pair *( BWS ";" OWS cookie-av )
	cookie-pair = cookie-name BWS "=" BWS cookie-value		cookie-pair = cookie-name BWS "=" BWS cookie-value
	cookie-name = 1*cookie-octet		cookie-name = 1*cookie-octet
	cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )		cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
	cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E		cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
	/ %x80-FF		; US-ASCII characters excluding CTLs,
	; octets excluding CTLs,
	; whitespace DQUOTE, comma, semicolon,		; whitespace DQUOTE, comma, semicolon,
	; and backslash		; and backslash
	cookie-av = expires-av / max-age-av / domain-av /		cookie-av = expires-av / max-age-av / domain-av /
	path-av / secure-av / httponly-av /		path-av / secure-av / httponly-av /
	samesite-av / extension-av		samesite-av / extension-av
	expires-av = "Expires" BWS "=" BWS sane-cookie-date		expires-av = "Expires" BWS "=" BWS sane-cookie-date
	sane-cookie-date =		sane-cookie-date =
	<IMF-fixdate, defined in [HTTPSEM], Section 5.6.7>		<IMF-fixdate, defined in [HTTPSEM], Section 5.6.7>
	max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT		max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT
	skipping to change at page 13, line 23 ¶		skipping to change at page 13, line 23 ¶
	session is over" (as defined by the user agent).		session is over" (as defined by the user agent).
	4.1.2.3. The Domain Attribute		4.1.2.3. The Domain Attribute
	The Domain attribute specifies those hosts to which the cookie will		The Domain attribute specifies those hosts to which the cookie will
	be sent. For example, if the value of the Domain attribute is		be sent. For example, if the value of the Domain attribute is
	"site.example", the user agent will include the cookie in the Cookie		"site.example", the user agent will include the cookie in the Cookie
	header field when making HTTP requests to site.example,		header field when making HTTP requests to site.example,
	www.site.example, and www.corp.site.example. (Note that a leading		www.site.example, and www.corp.site.example. (Note that a leading
	%x2E ("."), if present, is ignored even though that character is not		%x2E ("."), if present, is ignored even though that character is not
	permitted, but a trailing %x2E ("."), if present, will cause the user		permitted.) If the server omits the Domain attribute, the user agent
	agent to ignore the attribute.) If the server omits the Domain		will return the cookie only to the origin server.
	attribute, the user agent will return the cookie only to the origin
	server.
	WARNING: Some existing user agents treat an absent Domain attribute		WARNING: Some existing user agents treat an absent Domain attribute
	as if the Domain attribute were present and contained the current		as if the Domain attribute were present and contained the current
	host name. For example, if site.example returns a Set-Cookie header		host name. For example, if site.example returns a Set-Cookie header
	field without a Domain attribute, these user agents will erroneously		field without a Domain attribute, these user agents will erroneously
	send the cookie to www.site.example as well.		send the cookie to www.site.example as well.
	The user agent will reject cookies unless the Domain attribute		The user agent will reject cookies unless the Domain attribute
	specifies a scope for the cookie that would include the origin		specifies a scope for the cookie that would include the origin
	server. For example, the user agent will accept a cookie with a		server. For example, the user agent will accept a cookie with a
	skipping to change at page 32, line 5 ¶		skipping to change at page 32, line 5 ¶
	date.		date.
	7. If the cookie-attribute-list contains an attribute with an		7. If the cookie-attribute-list contains an attribute with an
	attribute-name of "Domain":		attribute-name of "Domain":
	1. Let the domain-attribute be the attribute-value of the last		1. Let the domain-attribute be the attribute-value of the last
	attribute in the cookie-attribute-list with both an		attribute in the cookie-attribute-list with both an
	attribute-name of "Domain" and an attribute-value whose		attribute-name of "Domain" and an attribute-value whose
	length is no more than 1024 octets. (Note that a leading		length is no more than 1024 octets. (Note that a leading
	%x2E ("."), if present, is ignored even though that		%x2E ("."), if present, is ignored even though that
	character is not permitted, but a trailing %x2E ("."), if		character is not permitted.)
	present, will cause the user agent to ignore the attribute.)
	Otherwise:		Otherwise:
	1. Let the domain-attribute be the empty string.		1. Let the domain-attribute be the empty string.
	8. If the domain-attribute contains a character that is not in the		8. If the domain-attribute contains a character that is not in the
	range of [USASCII] characters, abort these steps and ignore the		range of [USASCII] characters, abort these steps and ignore the
	cookie entirely.		cookie entirely.
	9. If the user agent is configured to reject "public suffixes" and		9. If the user agent is configured to reject "public suffixes" and
End of changes. 7 change blocks.
	12 lines changed or deleted		8 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/