draft-ietf-httpbis-rfc6265bis-08.txt   draft-ietf-httpbis-rfc6265bis-latest.txt 
HTTP Working Group L. Chen, Ed. HTTP Working Group L. Chen, Ed.
Internet-Draft Google LLC Internet-Draft Google LLC
Obsoletes: 6265 (if approved) S. Englehardt, Ed. Obsoletes: 6265 (if approved) S. Englehardt, Ed.
Intended status: Standards Track Mozilla Intended status: Standards Track Mozilla
Expires: December 4, 2021 M. West, Ed. Expires: March 28, 2022 M. West, Ed.
Google LLC Google LLC
J. Wilander, Ed. J. Wilander, Ed.
Apple, Inc Apple, Inc
June 2, 2021 September 24, 2021
Cookies: HTTP State Management Mechanism Cookies: HTTP State Management Mechanism
draft-ietf-httpbis-rfc6265bis-08 draft-ietf-httpbis-rfc6265bis-latest
Abstract Abstract
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
These header fields can be used by HTTP servers to store state These header fields can be used by HTTP servers to store state
(called cookies) at HTTP user agents, letting the servers maintain a (called cookies) at HTTP user agents, letting the servers maintain a
stateful session over the mostly stateless HTTP protocol. Although stateful session over the mostly stateless HTTP protocol. Although
cookies have many historical infelicities that degrade their security cookies have many historical infelicities that degrade their security
and privacy, the Cookie and Set-Cookie header fields are widely used and privacy, the Cookie and Set-Cookie header fields are widely used
on the Internet. This document obsoletes RFC 6265. on the Internet. This document obsoletes RFC 6265.
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 4, 2021. This Internet-Draft will expire on March 28, 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 23 skipping to change at page 3, line 23
5.4.1. The Expires Attribute . . . . . . . . . . . . . . . . 26 5.4.1. The Expires Attribute . . . . . . . . . . . . . . . . 26
5.4.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 26 5.4.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 26
5.4.3. The Domain Attribute . . . . . . . . . . . . . . . . 26 5.4.3. The Domain Attribute . . . . . . . . . . . . . . . . 26
5.4.4. The Path Attribute . . . . . . . . . . . . . . . . . 27 5.4.4. The Path Attribute . . . . . . . . . . . . . . . . . 27
5.4.5. The Secure Attribute . . . . . . . . . . . . . . . . 27 5.4.5. The Secure Attribute . . . . . . . . . . . . . . . . 27
5.4.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 27 5.4.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 27
5.4.7. The SameSite Attribute . . . . . . . . . . . . . . . 28 5.4.7. The SameSite Attribute . . . . . . . . . . . . . . . 28
5.5. Storage Model . . . . . . . . . . . . . . . . . . . . . . 30 5.5. Storage Model . . . . . . . . . . . . . . . . . . . . . . 30
5.6. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 35 5.6. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 35
5.6.1. The Cookie Header Field . . . . . . . . . . . . . . . 35 5.6.1. The Cookie Header Field . . . . . . . . . . . . . . . 35
5.6.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 35 5.6.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 36
5.6.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 36 5.6.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 36
6. Implementation Considerations . . . . . . . . . . . . . . . . 38 6. Implementation Considerations . . . . . . . . . . . . . . . . 38
6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 38 6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 38
6.2. Application Programming Interfaces . . . . . . . . . . . 38 6.2. Application Programming Interfaces . . . . . . . . . . . 38
6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 38 6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 39
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 39 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 39
7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 39 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 39
7.2. Cookie policy . . . . . . . . . . . . . . . . . . . . . . 40 7.2. Cookie policy . . . . . . . . . . . . . . . . . . . . . . 40
7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 40 7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 40
7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 40 7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 41
8. Security Considerations . . . . . . . . . . . . . . . . . . . 41 8. Security Considerations . . . . . . . . . . . . . . . . . . . 41
8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 41 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 41
8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 41 8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 41
8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 42 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 42
8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 42 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 43
8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 43 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 43
8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 44 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 44
8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 44 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 45
8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 45 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 45
8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 45 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 45
8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 45 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 45
8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 46 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 46
8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 46 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 46
8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 46 8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 47
8.8.6. Top-level requests with "unsafe" methods . . . . . . 47 8.8.6. Top-level requests with "unsafe" methods . . . . . . 47
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48
9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 48 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 48
9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 48 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 48
9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 48 9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 49
9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 48 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 49
9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 49 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 49
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 49 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 49
10.1. Normative References . . . . . . . . . . . . . . . . . . 49 10.1. Normative References . . . . . . . . . . . . . . . . . . 49
10.2. Informative References . . . . . . . . . . . . . . . . . 51 10.2. Informative References . . . . . . . . . . . . . . . . . 51
10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 52 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 54 Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 55
A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 54 A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 55
A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 54 A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 55
A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 55 A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 55
A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 55 A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 56
A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 56 A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 56
A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 56 A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 57
A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 56 A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 57
A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 57 A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 57
A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 57 A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 58
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 57 A.10. draft-ietf-httpbis-rfc6265bis-09 . . . . . . . . . . . . 58
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 58
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58
1. Introduction 1. Introduction
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
Using the Set-Cookie header field, an HTTP server can pass name/value Using the Set-Cookie header field, an HTTP server can pass name/value
pairs and associated metadata (called cookies) to a user agent. When pairs and associated metadata (called cookies) to a user agent. When
the user agent makes subsequent requests to the server, the user the user agent makes subsequent requests to the server, the user
agent uses the metadata and other information to determine whether to agent uses the metadata and other information to determine whether to
return the name/value pairs in the Cookie header field. return the name/value pairs in the Cookie header field.
skipping to change at page 7, line 46 skipping to change at page 7, line 46
Cookie header field does not preclude HTTP caches from storing and Cookie header field does not preclude HTTP caches from storing and
reusing a response. reusing a response.
Origin servers SHOULD NOT fold multiple Set-Cookie header fields into Origin servers SHOULD NOT fold multiple Set-Cookie header fields into
a single header field. The usual mechanism for folding HTTP headers a single header field. The usual mechanism for folding HTTP headers
fields (i.e., as defined in Section 5.3 of [HTTPSEM]) might change fields (i.e., as defined in Section 5.3 of [HTTPSEM]) might change
the semantics of the Set-Cookie header field because the %x2C (",") the semantics of the Set-Cookie header field because the %x2C (",")
character is used by Set-Cookie in a way that conflicts with such character is used by Set-Cookie in a way that conflicts with such
folding. folding.
User agents MAY ignore Set-Cookie header fieldss based on response User agents MAY ignore Set-Cookie header fields based on response
status codes or the user agent's cookie policy (see Section 5.3). status codes or the user agent's cookie policy (see Section 5.3).
3.1. Examples 3.1. Examples
Using the Set-Cookie header field, a server can send the user agent a Using the Set-Cookie header field, a server can send the user agent a
short string in an HTTP response that the user agent will return in short string in an HTTP response that the user agent will return in
future HTTP requests that are within the scope of the cookie. For future HTTP requests that are within the scope of the cookie. For
example, the server can send the user agent a "session identifier" example, the server can send the user agent a "session identifier"
named SID with the value 31d4d96e407aad42. The user agent then named SID with the value 31d4d96e407aad42. The user agent then
returns the session identifier in subsequent requests. returns the session identifier in subsequent requests.
skipping to change at page 13, line 44 skipping to change at page 13, line 44
4.1.2.5. The Secure Attribute 4.1.2.5. The Secure Attribute
The Secure attribute limits the scope of the cookie to "secure" The Secure attribute limits the scope of the cookie to "secure"
channels (where "secure" is defined by the user agent). When a channels (where "secure" is defined by the user agent). When a
cookie has the Secure attribute, the user agent will include the cookie has the Secure attribute, the user agent will include the
cookie in an HTTP request only if the request is transmitted over a cookie in an HTTP request only if the request is transmitted over a
secure channel (typically HTTP over Transport Layer Security (TLS) secure channel (typically HTTP over Transport Layer Security (TLS)
[RFC2818]). [RFC2818]).
Although seemingly useful for protecting cookies from active network
attackers, the Secure attribute protects only the cookie's
confidentiality. An active network attacker can overwrite Secure
cookies from an insecure channel, disrupting their integrity (see
Section 8.6 for more details).
4.1.2.6. The HttpOnly Attribute 4.1.2.6. The HttpOnly Attribute
The HttpOnly attribute limits the scope of the cookie to HTTP The HttpOnly attribute limits the scope of the cookie to HTTP
requests. In particular, the attribute instructs the user agent to requests. In particular, the attribute instructs the user agent to
omit the cookie when providing access to cookies via non-HTTP APIs. omit the cookie when providing access to cookies via non-HTTP APIs.
Note that the HttpOnly attribute is independent of the Secure Note that the HttpOnly attribute is independent of the Secure
attribute: a cookie can have both the HttpOnly and the Secure attribute: a cookie can have both the HttpOnly and the Secure
attribute. attribute.
skipping to change at page 15, line 17 skipping to change at page 15, line 11
If a cookie's name begins with a case-sensitive match for the string If a cookie's name begins with a case-sensitive match for the string
"__Secure-", then the cookie will have been set with a "Secure" "__Secure-", then the cookie will have been set with a "Secure"
attribute. attribute.
For example, the following "Set-Cookie" header field would be For example, the following "Set-Cookie" header field would be
rejected by a conformant user agent, as it does not have a "Secure" rejected by a conformant user agent, as it does not have a "Secure"
attribute. attribute.
Set-Cookie: __Secure-SID=12345; Domain=site.example Set-Cookie: __Secure-SID=12345; Domain=site.example
Whereas the following "Set-Cookie" header field would be accepted: Whereas the following "Set-Cookie" header field would be accepted if
set from a secure origin (e.g. "https://site.example/"), and rejected
otherwise:
Set-Cookie: __Secure-SID=12345; Domain=site.example; Secure Set-Cookie: __Secure-SID=12345; Domain=site.example; Secure
4.1.3.2. The "__Host-" Prefix 4.1.3.2. The "__Host-" Prefix
If a cookie's name begins with a case-sensitive match for the string If a cookie's name begins with a case-sensitive match for the string
"__Host-", then the cookie will have been set with a "Secure" "__Host-", then the cookie will have been set with a "Secure"
attribute, a "Path" attribute with a value of "/", and no "Domain" attribute, a "Path" attribute with a value of "/", and no "Domain"
attribute. attribute.
skipping to change at page 24, line 7 skipping to change at page 24, line 4
Section 4.1. For example, the algorithm strips leading and trailing Section 4.1. For example, the algorithm strips leading and trailing
whitespace from the cookie name and value (but maintains internal whitespace from the cookie name and value (but maintains internal
whitespace), whereas the grammar in Section 4.1 forbids whitespace in whitespace), whereas the grammar in Section 4.1 forbids whitespace in
these positions. In addition, the algorithm below accommodates some these positions. In addition, the algorithm below accommodates some
characters that are not cookie-octets according to the grammar in characters that are not cookie-octets according to the grammar in
Section 4.1. User agents use this algorithm so as to interoperate Section 4.1. User agents use this algorithm so as to interoperate
with servers that do not follow the recommendations in Section 4. with servers that do not follow the recommendations in Section 4.
NOTE: As set-cookie-string may originate from a non-HTTP API, it is NOTE: As set-cookie-string may originate from a non-HTTP API, it is
not guaranteed to be free of CTL characters, so this algorithm not guaranteed to be free of CTL characters, so this algorithm
handles them explicitly. handles them explicitly. Horizontal tab (%x09) is excluded from the
CTL characters that lead to set-cookie-string rejection, as it is
considered whitespace, which is handled separately.
A user agent MUST use an algorithm equivalent to the following A user agent MUST use an algorithm equivalent to the following
algorithm to parse a set-cookie-string: algorithm to parse a set-cookie-string:
1. If the set-cookie-string contains a %x0D (CR), %x0A (LF), or %x00 1. If the set-cookie-string contains a %x00-08 / %x0A-1F / %x7F
(NUL) octet, then set the set-cookie-string equal to all the character (CTL characters excluding HTAB): Abort these steps and
characters of set-cookie-string up to, but not including, the ignore the set-cookie-string entirely.
first such octet.
2. If the set-cookie-string contains a %x00-1F / %x7F (CTL)
character: Abort these steps and ignore the set-cookie-string
entirely.
3. If the set-cookie-string contains a %x3B (";") character: 2. If the set-cookie-string contains a %x3B (";") character:
1. The name-value-pair string consists of the characters up to, 1. The name-value-pair string consists of the characters up to,
but not including, the first %x3B (";"), and the unparsed- but not including, the first %x3B (";"), and the unparsed-
attributes consist of the remainder of the set-cookie-string attributes consist of the remainder of the set-cookie-string
(including the %x3B (";") in question). (including the %x3B (";") in question).
Otherwise: Otherwise:
1. The name-value-pair string consists of all the characters 1. The name-value-pair string consists of all the characters
contained in the set-cookie-string, and the unparsed- contained in the set-cookie-string, and the unparsed-
attributes is the empty string. attributes is the empty string.
4. If the name-value-pair string lacks a %x3D ("=") character, then 3. If the name-value-pair string lacks a %x3D ("=") character, then
the name string is empty, and the value string is the value of the name string is empty, and the value string is the value of
name-value-pair. name-value-pair.
Otherwise, the name string consists of the characters up to, but Otherwise, the name string consists of the characters up to, but
not including, the first %x3D ("=") character, and the (possibly not including, the first %x3D ("=") character, and the (possibly
empty) value string consists of the characters after the first empty) value string consists of the characters after the first
%x3D ("=") character. %x3D ("=") character.
5. Remove any leading or trailing WSP characters from the name 4. Remove any leading or trailing WSP characters from the name
string and the value string. string and the value string.
5. If the sum of the lengths of the name string and the value string
is more than 4096 octets, abort these steps and ignore the set-
cookie-string entirely.
6. The cookie-name is the name string, and the cookie-value is the 6. The cookie-name is the name string, and the cookie-value is the
value string. value string.
The user agent MUST use an algorithm equivalent to the following The user agent MUST use an algorithm equivalent to the following
algorithm to parse the unparsed-attributes: algorithm to parse the unparsed-attributes:
1. If the unparsed-attributes string is empty, skip the rest of 1. If the unparsed-attributes string is empty, skip the rest of
these steps. these steps.
2. Discard the first character of the unparsed-attributes (which 2. Discard the first character of the unparsed-attributes (which
skipping to change at page 25, line 39 skipping to change at page 25, line 36
character. character.
Otherwise: Otherwise:
1. The attribute-name string consists of the entire cookie-av 1. The attribute-name string consists of the entire cookie-av
string, and the attribute-value string is empty. string, and the attribute-value string is empty.
5. Remove any leading or trailing WSP characters from the attribute- 5. Remove any leading or trailing WSP characters from the attribute-
name string and the attribute-value string. name string and the attribute-value string.
6. Process the attribute-name and attribute-value according to the 6. If the attribute-value is longer than 1024 octets, ignore the
cookie-av string and return to Step 1 of this algorithm.
7. Process the attribute-name and attribute-value according to the
requirements in the following subsections. (Notice that requirements in the following subsections. (Notice that
attributes with unrecognized attribute-names are ignored.) attributes with unrecognized attribute-names are ignored.)
7. Return to Step 1 of this algorithm. 8. Return to Step 1 of this algorithm.
When the user agent finishes parsing the set-cookie-string, the user When the user agent finishes parsing the set-cookie-string, the user
agent is said to "receive a cookie" from the request-uri with name agent is said to "receive a cookie" from the request-uri with name
cookie-name, value cookie-value, and attributes cookie-attribute- cookie-name, value cookie-value, and attributes cookie-attribute-
list. (See Section 5.5 for additional requirements triggered by list. (See Section 5.5 for additional requirements triggered by
receiving a cookie.) receiving a cookie.)
5.4.1. The Expires Attribute 5.4.1. The Expires Attribute
If the attribute-name case-insensitively matches the string If the attribute-name case-insensitively matches the string
skipping to change at page 30, line 22 skipping to change at page 30, line 22
When the user agent "receives a cookie" from a request-uri with name When the user agent "receives a cookie" from a request-uri with name
cookie-name, value cookie-value, and attributes cookie-attribute- cookie-name, value cookie-value, and attributes cookie-attribute-
list, the user agent MUST process the cookie as follows: list, the user agent MUST process the cookie as follows:
1. A user agent MAY ignore a received cookie in its entirety. See 1. A user agent MAY ignore a received cookie in its entirety. See
Section 5.3. Section 5.3.
2. If cookie-name is empty and cookie-value is empty, abort these 2. If cookie-name is empty and cookie-value is empty, abort these
steps and ignore the cookie entirely. steps and ignore the cookie entirely.
3. If the cookie-name or the cookie-value contains a %x00-1F / %x7F 3. If the cookie-name or the cookie-value contains a %x00-08 /
(CTL) character, abort these steps and ignore the cookie %x0A-1F / %x7F character (CTL characters excluding HTAB), abort
these steps and ignore the cookie entirely.
4. If the sum of the lengths of cookie-name and cookie-value is
more than 4096 octets, abort these steps and ignore the cookie
entirely. entirely.
4. Create a new cookie with name cookie-name, value cookie-value. 5. Create a new cookie with name cookie-name, value cookie-value.
Set the creation-time and the last-access-time to the current Set the creation-time and the last-access-time to the current
date and time. date and time.
5. If the cookie-attribute-list contains an attribute with an 6. If the cookie-attribute-list contains an attribute with an
attribute-name of "Max-Age": attribute-name of "Max-Age":
1. Set the cookie's persistent-flag to true. 1. Set the cookie's persistent-flag to true.
2. Set the cookie's expiry-time to attribute-value of the last 2. Set the cookie's expiry-time to attribute-value of the last
attribute in the cookie-attribute-list with an attribute- attribute in the cookie-attribute-list with an attribute-
name of "Max-Age". name of "Max-Age".
Otherwise, if the cookie-attribute-list contains an attribute Otherwise, if the cookie-attribute-list contains an attribute
with an attribute-name of "Expires" (and does not contain an with an attribute-name of "Expires" (and does not contain an
skipping to change at page 31, line 8 skipping to change at page 31, line 12
attribute in the cookie-attribute-list with an attribute- attribute in the cookie-attribute-list with an attribute-
name of "Expires". name of "Expires".
Otherwise: Otherwise:
1. Set the cookie's persistent-flag to false. 1. Set the cookie's persistent-flag to false.
2. Set the cookie's expiry-time to the latest representable 2. Set the cookie's expiry-time to the latest representable
date. date.
6. If the cookie-attribute-list contains an attribute with an 7. If the cookie-attribute-list contains an attribute with an
attribute-name of "Domain": attribute-name of "Domain":
1. Let the domain-attribute be the attribute-value of the last 1. Let the domain-attribute be the attribute-value of the last
attribute in the cookie-attribute-list with an attribute- attribute in the cookie-attribute-list with both an
name of "Domain". attribute-name of "Domain" and an attribute-value whose
length is no more than 1024 octets. (Note that a leading
%x2E ("."), if present, is ignored even though that
character is not permitted, but a trailing %x2E ("."), if
present, will cause the user agent to ignore the attribute.)
Otherwise: Otherwise:
1. Let the domain-attribute be the empty string. 1. Let the domain-attribute be the empty string.
7. If the user agent is configured to reject "public suffixes" and 8. If the user agent is configured to reject "public suffixes" and
the domain-attribute is a public suffix: the domain-attribute is a public suffix:
1. If the domain-attribute is identical to the canonicalized 1. If the domain-attribute is identical to the canonicalized
request-host: request-host:
1. Let the domain-attribute be the empty string. 1. Let the domain-attribute be the empty string.
Otherwise: Otherwise:
1. Ignore the cookie entirely and abort these steps. 1. Ignore the cookie entirely and abort these steps.
NOTE: This step prevents "attacker.example" from disrupting the NOTE: This step prevents "attacker.example" from disrupting the
integrity of "site.example" by setting a cookie with a Domain integrity of "site.example" by setting a cookie with a Domain
attribute of "example". attribute of "example".
8. If the domain-attribute is non-empty: 9. If the domain-attribute is non-empty:
1. If the canonicalized request-host does not domain-match the 1. If the canonicalized request-host does not domain-match the
domain-attribute: domain-attribute:
1. Ignore the cookie entirely and abort these steps. 1. Ignore the cookie entirely and abort these steps.
Otherwise: Otherwise:
1. Set the cookie's host-only-flag to false. 1. Set the cookie's host-only-flag to false.
2. Set the cookie's domain to the domain-attribute. 2. Set the cookie's domain to the domain-attribute.
Otherwise: Otherwise:
1. Set the cookie's host-only-flag to true. 1. Set the cookie's host-only-flag to true.
2. Set the cookie's domain to the canonicalized request-host. 2. Set the cookie's domain to the canonicalized request-host.
9. If the cookie-attribute-list contains an attribute with an 10. If the cookie-attribute-list contains an attribute with an
attribute-name of "Path", set the cookie's path to attribute- attribute-name of "Path", set the cookie's path to attribute-
value of the last attribute in the cookie-attribute-list with an value of the last attribute in the cookie-attribute-list with
attribute-name of "Path". Otherwise, set the cookie's path to both an attribute-name of "Path" and an attribute-value whose
the default-path of the request-uri. length is no more than 1024 octets. Otherwise, set the cookie's
path to the default-path of the request-uri.
10. If the cookie-attribute-list contains an attribute with an 11. If the cookie-attribute-list contains an attribute with an
attribute-name of "Secure", set the cookie's secure-only-flag to attribute-name of "Secure", set the cookie's secure-only-flag to
true. Otherwise, set the cookie's secure-only-flag to false. true. Otherwise, set the cookie's secure-only-flag to false.
11. If the scheme component of the request-uri does not denote a 12. If the scheme component of the request-uri does not denote a
"secure" protocol (as defined by the user agent), and the "secure" protocol (as defined by the user agent), and the
cookie's secure-only-flag is true, then abort these steps and cookie's secure-only-flag is true, then abort these steps and
ignore the cookie entirely. ignore the cookie entirely.
12. If the cookie-attribute-list contains an attribute with an 13. If the cookie-attribute-list contains an attribute with an
attribute-name of "HttpOnly", set the cookie's http-only-flag to attribute-name of "HttpOnly", set the cookie's http-only-flag to
true. Otherwise, set the cookie's http-only-flag to false. true. Otherwise, set the cookie's http-only-flag to false.
13. If the cookie was received from a "non-HTTP" API and the 14. If the cookie was received from a "non-HTTP" API and the
cookie's http-only-flag is true, abort these steps and ignore cookie's http-only-flag is true, abort these steps and ignore
the cookie entirely. the cookie entirely.
14. If the cookie's secure-only-flag is false, and the scheme 15. If the cookie's secure-only-flag is false, and the scheme
component of request-uri does not denote a "secure" protocol, component of request-uri does not denote a "secure" protocol,
then abort these steps and ignore the cookie entirely if the then abort these steps and ignore the cookie entirely if the
cookie store contains one or more cookies that meet all of the cookie store contains one or more cookies that meet all of the
following criteria: following criteria:
1. Their name matches the name of the newly-created cookie. 1. Their name matches the name of the newly-created cookie.
2. Their secure-only-flag is true. 2. Their secure-only-flag is true.
3. Their domain domain-matches the domain of the newly-created 3. Their domain domain-matches the domain of the newly-created
skipping to change at page 33, line 5 skipping to change at page 33, line 13
of the existing cookie. of the existing cookie.
Note: The path comparison is not symmetric, ensuring only that a Note: The path comparison is not symmetric, ensuring only that a
newly-created, non-secure cookie does not overlay an existing newly-created, non-secure cookie does not overlay an existing
secure cookie, providing some mitigation against cookie-fixing secure cookie, providing some mitigation against cookie-fixing
attacks. That is, given an existing secure cookie named 'a' attacks. That is, given an existing secure cookie named 'a'
with a path of '/login', a non-secure cookie named 'a' could be with a path of '/login', a non-secure cookie named 'a' could be
set for a path of '/' or '/foo', but not for a path of '/login' set for a path of '/' or '/foo', but not for a path of '/login'
or '/login/en'. or '/login/en'.
15. If the cookie-attribute-list contains an attribute with an 16. If the cookie-attribute-list contains an attribute with an
attribute-name of "SameSite", and an attribute-value of attribute-name of "SameSite", and an attribute-value of
"Strict", "Lax", or "None", set the cookie's same-site-flag to "Strict", "Lax", or "None", set the cookie's same-site-flag to
the attribute-value of the last attribute in the cookie- the attribute-value of the last attribute in the cookie-
attribute-list with an attribute-name of "SameSite". Otherwise, attribute-list with an attribute-name of "SameSite". Otherwise,
set the cookie's same-site-flag to "Default". set the cookie's same-site-flag to "Default".
16. If the cookie's "same-site-flag" is not "None": 17. If the cookie's "same-site-flag" is not "None":
1. If the cookie was received from a "non-HTTP" API, and the 1. If the cookie was received from a "non-HTTP" API, and the
API was called from a browsing context's active document API was called from a browsing context's active document
whose "site for cookies" is not same-site with the top-level whose "site for cookies" is not same-site with the top-level
origin, then abort these steps and ignore the newly created origin, then abort these steps and ignore the newly created
cookie entirely. cookie entirely.
2. If the cookie was received from a "same-site" request (as 2. If the cookie was received from a "same-site" request (as
defined in Section 5.2), skip the remaining substeps and defined in Section 5.2), skip the remaining substeps and
continue processing the cookie. continue processing the cookie.
skipping to change at page 33, line 39 skipping to change at page 33, line 47
processing the cookie. processing the cookie.
Note: Top-level navigations can create a cookie with any Note: Top-level navigations can create a cookie with any
"SameSite" value, even if the new cookie wouldn't have been "SameSite" value, even if the new cookie wouldn't have been
sent along with the request had it already existed prior to sent along with the request had it already existed prior to
the navigation. the navigation.
4. Abort these steps and ignore the newly created cookie 4. Abort these steps and ignore the newly created cookie
entirely. entirely.
17. If the cookie's "same-site-flag" is "None", abort these steps 18. If the cookie's "same-site-flag" is "None", abort these steps
and ignore the cookie entirely unless the cookie's secure-only- and ignore the cookie entirely unless the cookie's secure-only-
flag is true. flag is true.
18. If the cookie-name begins with a case-sensitive match for the 19. If the cookie-name begins with a case-sensitive match for the
string "__Secure-", abort these steps and ignore the cookie string "__Secure-", abort these steps and ignore the cookie
entirely unless the cookie's secure-only-flag is true. entirely unless the cookie's secure-only-flag is true.
19. If the cookie-name begins with a case-sensitive match for the 20. If the cookie-name begins with a case-sensitive match for the
string "__Host-", abort these steps and ignore the cookie string "__Host-", abort these steps and ignore the cookie
entirely unless the cookie meets all the following criteria: entirely unless the cookie meets all the following criteria:
1. The cookie's secure-only-flag is true. 1. The cookie's secure-only-flag is true.
2. The cookie's host-only-flag is true. 2. The cookie's host-only-flag is true.
3. The cookie-attribute-list contains an attribute with an 3. The cookie-attribute-list contains an attribute with an
attribute-name of "Path", and the cookie's path is "/". attribute-name of "Path", and the cookie's path is "/".
20. If the cookie store contains a cookie with the same name, 21. If the cookie store contains a cookie with the same name,
domain, host-only-flag, and path as the newly-created cookie: domain, host-only-flag, and path as the newly-created cookie:
1. Let old-cookie be the existing cookie with the same name, 1. Let old-cookie be the existing cookie with the same name,
domain, host-only-flag, and path as the newly-created domain, host-only-flag, and path as the newly-created
cookie. (Notice that this algorithm maintains the invariant cookie. (Notice that this algorithm maintains the invariant
that there is at most one such cookie.) that there is at most one such cookie.)
2. If the newly-created cookie was received from a "non-HTTP" 2. If the newly-created cookie was received from a "non-HTTP"
API and the old-cookie's http-only-flag is true, abort these API and the old-cookie's http-only-flag is true, abort these
steps and ignore the newly created cookie entirely. steps and ignore the newly created cookie entirely.
3. Update the creation-time of the newly-created cookie to 3. Update the creation-time of the newly-created cookie to
match the creation-time of the old-cookie. match the creation-time of the old-cookie.
4. Remove the old-cookie from the cookie store. 4. Remove the old-cookie from the cookie store.
21. Insert the newly-created cookie into the cookie store. 22. Insert the newly-created cookie into the cookie store.
A cookie is "expired" if the cookie has an expiry date in the past. A cookie is "expired" if the cookie has an expiry date in the past.
The user agent MUST evict all expired cookies from the cookie store The user agent MUST evict all expired cookies from the cookie store
if, at any time, an expired cookie exists in the cookie store. if, at any time, an expired cookie exists in the cookie store.
At any time, the user agent MAY "remove excess cookies" from the At any time, the user agent MAY "remove excess cookies" from the
cookie store if the number of cookies sharing a domain field exceeds cookie store if the number of cookies sharing a domain field exceeds
some implementation-defined upper bound (such as 50 cookies). some implementation-defined upper bound (such as 50 cookies).
skipping to change at page 38, line 13 skipping to change at page 38, line 27
octets is valid UTF-8. octets is valid UTF-8.
6. Implementation Considerations 6. Implementation Considerations
6.1. Limits 6.1. Limits
Practical user agent implementations have limits on the number and Practical user agent implementations have limits on the number and
size of cookies that they can store. General-use user agents SHOULD size of cookies that they can store. General-use user agents SHOULD
provide each of the following minimum capabilities: provide each of the following minimum capabilities:
o At least 4096 bytes per cookie (as measured by the sum of the
length of the cookie's name, value, and attributes).
o At least 50 cookies per domain. o At least 50 cookies per domain.
o At least 3000 cookies total. o At least 3000 cookies total.
User agents MAY limit the maximum number of cookies they store, and
may evict any cookie at any time (whether at the request of the user
or due to implementation limitations).
Note that a limit on the maximum number of cookies also limits the
total size of the stored cookies, due to the length limits which MUST
be enforced in Section 5.4.
Servers SHOULD use as few and as small cookies as possible to avoid Servers SHOULD use as few and as small cookies as possible to avoid
reaching these implementation limits and to minimize network reaching these implementation limits and to minimize network
bandwidth due to the Cookie header field being included in every bandwidth due to the Cookie header field being included in every
request. request.
Servers SHOULD gracefully degrade if the user agent fails to return Servers SHOULD gracefully degrade if the user agent fails to return
one or more cookies in the Cookie header field because the user agent one or more cookies in the Cookie header field because the user agent
might evict any cookie at any time on orders from the user. might evict any cookie at any time.
6.2. Application Programming Interfaces 6.2. Application Programming Interfaces
One reason the Cookie and Set-Cookie header fields use such esoteric One reason the Cookie and Set-Cookie header fields use such esoteric
syntax is that many platforms (both in servers and user agents) syntax is that many platforms (both in servers and user agents)
provide a string-based application programming interface (API) to provide a string-based application programming interface (API) to
cookies, requiring application-layer programmers to generate and cookies, requiring application-layer programmers to generate and
parse the syntax used by the Cookie and Set-Cookie header fields, parse the syntax used by the Cookie and Set-Cookie header fields,
which many programmers have done incorrectly, resulting in which many programmers have done incorrectly, resulting in
interoperability problems. interoperability problems.
skipping to change at page 39, line 37 skipping to change at page 40, line 8
another site that contains content from the same third party, the another site that contains content from the same third party, the
third party can track the user between the two sites. third party can track the user between the two sites.
Given this risk to user privacy, some user agents restrict how third- Given this risk to user privacy, some user agents restrict how third-
party cookies behave, and those restrictions vary widly. For party cookies behave, and those restrictions vary widly. For
instance, user agents might block third-party cookies entirely by instance, user agents might block third-party cookies entirely by
refusing to send Cookie header fields or process Set-Cookie header refusing to send Cookie header fields or process Set-Cookie header
fields during third-party requests. They might take a less draconian fields during third-party requests. They might take a less draconian
approach by partitioning cookies based on the first-party context, approach by partitioning cookies based on the first-party context,
sending one set of cookies to a given third party in one first-party sending one set of cookies to a given third party in one first-party
context, and another to the same third party in another. context, and another to the same third party in another. Or they
might even allow some third-party cookies but block others depending
on user-agent cookie policy or user controls.
This document grants user agents wide latitude to experiment with This document grants user agents wide latitude to experiment with
third-party cookie policies that balance the privacy and third-party cookie policies that balance the privacy and
compatibility needs of their users. However, this document does not compatibility needs of their users. However, this document does not
endorse any particular third-party cookie policy. endorse any particular third-party cookie policy.
Third-party cookie blocking policies are often ineffective at Third-party cookie blocking policies are often ineffective at
achieving their privacy goals if servers attempt to work around their achieving their privacy goals if servers attempt to work around their
restrictions to track users. In particular, two collaborating restrictions to track users. In particular, two collaborating
servers can often track users without using cookies at all by servers can often track users without using cookies at all by
skipping to change at page 44, line 37 skipping to change at page 45, line 10
An active network attacker can also inject cookies into the Cookie An active network attacker can also inject cookies into the Cookie
header field sent to https://site.example/ by impersonating a header field sent to https://site.example/ by impersonating a
response from http://site.example/ and injecting a Set-Cookie header response from http://site.example/ and injecting a Set-Cookie header
field. The HTTPS server at site.example will be unable to field. The HTTPS server at site.example will be unable to
distinguish these cookies from cookies that it set itself in an HTTPS distinguish these cookies from cookies that it set itself in an HTTPS
response. An active network attacker might be able to leverage this response. An active network attacker might be able to leverage this
ability to mount an attack against site.example even if site.example ability to mount an attack against site.example even if site.example
uses HTTPS exclusively. uses HTTPS exclusively.
Servers can partially mitigate these attacks by encrypting and Servers can partially mitigate these attacks by encrypting and
signing the contents of their cookies. However, using cryptography signing the contents of their cookies, or by naming the cookie with
does not mitigate the issue completely because an attacker can replay the "__Secure-" prefix. However, using cryptography does not
a cookie he or she received from the authentic site.example server in mitigate the issue completely because an attacker can replay a cookie
the user's session, with unpredictable results. he or she received from the authentic site.example server in the
user's session, with unpredictable results.
Finally, an attacker might be able to force the user agent to delete Finally, an attacker might be able to force the user agent to delete
cookies by storing a large number of cookies. Once the user agent cookies by storing a large number of cookies. Once the user agent
reaches its storage limit, the user agent will be forced to evict reaches its storage limit, the user agent will be forced to evict
some cookies. Servers SHOULD NOT rely upon user agents retaining some cookies. Servers SHOULD NOT rely upon user agents retaining
cookies. cookies.
8.7. Reliance on DNS 8.7. Reliance on DNS
Cookies rely upon the Domain Name System (DNS) for security. If the Cookies rely upon the Domain Name System (DNS) for security. If the
skipping to change at page 49, line 40 skipping to change at page 50, line 10
<https://html.spec.whatwg.org/#dom-document-cookie>. <https://html.spec.whatwg.org/#dom-document-cookie>.
[FETCH] van Kesteren, A., "Fetch", n.d., [FETCH] van Kesteren, A., "Fetch", n.d.,
<https://fetch.spec.whatwg.org/>. <https://fetch.spec.whatwg.org/>.
[HTML] Hickson, I., Pieters, S., van Kesteren, A., Jaegenstedt, [HTML] Hickson, I., Pieters, S., van Kesteren, A., Jaegenstedt,
P., and D. Denicola, "HTML", n.d., P., and D. Denicola, "HTML", n.d.,
<https://html.spec.whatwg.org/>. <https://html.spec.whatwg.org/>.
[HTTPSEM] Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP [HTTPSEM] Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP
Semantics", draft-ietf-httpbis-semantics-16 (work in Semantics", draft-ietf-httpbis-semantics-19 (work in
progress), May 2021. progress), September 2021.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/info/rfc1034>.
[RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts -
Application and Support", STD 3, RFC 1123, Application and Support", STD 3, RFC 1123,
DOI 10.17487/RFC1123, October 1989, DOI 10.17487/RFC1123, October 1989,
<https://www.rfc-editor.org/info/rfc1123>. <https://www.rfc-editor.org/info/rfc1123>.
skipping to change at page 54, line 31 skipping to change at page 55, line 5
[39] https://github.com/httpwg/http-extensions/pull/1416 [39] https://github.com/httpwg/http-extensions/pull/1416
[40] https://github.com/httpwg/http-extensions/pull/1420 [40] https://github.com/httpwg/http-extensions/pull/1420
[41] https://github.com/httpwg/http-extensions/pull/1428 [41] https://github.com/httpwg/http-extensions/pull/1428
[42] https://github.com/httpwg/http-extensions/pull/1435 [42] https://github.com/httpwg/http-extensions/pull/1435
[43] https://github.com/httpwg/http-extensions/pull/1527 [43] https://github.com/httpwg/http-extensions/pull/1527
[44] https://github.com/httpwg/http-extensions/pull/1563
[45] https://github.com/httpwg/http-extensions/pull/1576
[46] https://github.com/httpwg/http-extensions/pull/1589
Appendix A. Changes Appendix A. Changes
A.1. draft-ietf-httpbis-rfc6265bis-00 A.1. draft-ietf-httpbis-rfc6265bis-00
o Port [RFC6265] to Markdown. No (intentional) normative changes. o Port [RFC6265] to Markdown. No (intentional) normative changes.
A.2. draft-ietf-httpbis-rfc6265bis-01 A.2. draft-ietf-httpbis-rfc6265bis-01
o Fixes to formatting caused by mistakes in the initial port to o Fixes to formatting caused by mistakes in the initial port to
Markdown: Markdown:
skipping to change at page 57, line 47 skipping to change at page 58, line 30
o Refactor cookie retrieval algorithm to support non-HTTP APIs: o Refactor cookie retrieval algorithm to support non-HTTP APIs:
https://github.com/httpwg/http-extensions/pull/1428 [41] https://github.com/httpwg/http-extensions/pull/1428 [41]
o Define "Lax-allowing-unsafe" SameSite enforcement mode: o Define "Lax-allowing-unsafe" SameSite enforcement mode:
https://github.com/httpwg/http-extensions/pull/1435 [42] https://github.com/httpwg/http-extensions/pull/1435 [42]
o Consistently use "header field" (vs 'header"): o Consistently use "header field" (vs 'header"):
https://github.com/httpwg/http-extensions/pull/1527 [43] https://github.com/httpwg/http-extensions/pull/1527 [43]
A.10. draft-ietf-httpbis-rfc6265bis-09
o Update cookie size requirements: https://github.com/httpwg/http-
extensions/pull/1563 [44]
o Reject cookies with control characters: https://github.com/httpwg/
http-extensions/pull/1576 [45]
o No longer treat horizontal tab as a control character:
https://github.com/httpwg/http-extensions/pull/1589 [46]
Acknowledgements Acknowledgements
RFC 6265 was written by Adam Barth. This document is an update of RFC 6265 was written by Adam Barth. This document is an update of
RFC 6265, adding features and aligning the specification with the RFC 6265, adding features and aligning the specification with the
reality of today's deployments. Here, we're standing upon the reality of today's deployments. Here, we're standing upon the
shoulders of a giant since the majority of the text is still Adam's. shoulders of a giant since the majority of the text is still Adam's.
Authors' Addresses Authors' Addresses
Lily Chen (editor) Lily Chen (editor)
Google LLC Google LLC
Email: chlily@google.com Email: chlily@google.com
Steven Englehardt (editor) Steven Englehardt (editor)
Mozilla Mozilla
Email: senglehardt@mozilla.com Email: senglehardt@mozilla.com
 End of changes. 56 change blocks. 
80 lines changed or deleted 114 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/