draft-ietf-httpbis-rfc6265bis-10.txt   draft-ietf-httpbis-rfc6265bis-latest.txt 
HTTP Working Group L. Chen, Ed. HTTP Working Group L. Chen, Ed.
Internet-Draft Google LLC Internet-Draft Google LLC
Obsoletes: 6265 (if approved) S. Englehardt, Ed. Obsoletes: 6265 (if approved) S. Englehardt, Ed.
Intended status: Standards Track Mozilla Intended status: Standards Track Mozilla
Expires: October 26, 2022 M. West, Ed. Expires: November 14, 2022 M. West, Ed.
Google LLC Google LLC
J. Wilander, Ed. J. Wilander, Ed.
Apple, Inc Apple, Inc
April 24, 2022 May 13, 2022
Cookies: HTTP State Management Mechanism Cookies: HTTP State Management Mechanism
draft-ietf-httpbis-rfc6265bis-10 draft-ietf-httpbis-rfc6265bis-latest
Abstract Abstract
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
These header fields can be used by HTTP servers to store state These header fields can be used by HTTP servers to store state
(called cookies) at HTTP user agents, letting the servers maintain a (called cookies) at HTTP user agents, letting the servers maintain a
stateful session over the mostly stateless HTTP protocol. Although stateful session over the mostly stateless HTTP protocol. Although
cookies have many historical infelicities that degrade their security cookies have many historical infelicities that degrade their security
and privacy, the Cookie and Set-Cookie header fields are widely used and privacy, the Cookie and Set-Cookie header fields are widely used
on the Internet. This document obsoletes RFC 6265. on the Internet. This document obsoletes RFC 6265.
skipping to change at page 2, line 10 skipping to change at page 2, line 10
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 26, 2022. This Internet-Draft will expire on November 14, 2022.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 10, line 23 skipping to change at page 10, line 23
which begins with a name-value-pair, followed by zero or more which begins with a name-value-pair, followed by zero or more
attribute-value pairs. Servers SHOULD NOT send Set-Cookie header attribute-value pairs. Servers SHOULD NOT send Set-Cookie header
fields that fail to conform to the following grammar: fields that fail to conform to the following grammar:
set-cookie = set-cookie-string set-cookie = set-cookie-string
set-cookie-string = BWS cookie-pair *( BWS ";" OWS cookie-av ) set-cookie-string = BWS cookie-pair *( BWS ";" OWS cookie-av )
cookie-pair = cookie-name BWS "=" BWS cookie-value cookie-pair = cookie-name BWS "=" BWS cookie-value
cookie-name = 1*cookie-octet cookie-name = 1*cookie-octet
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
/ %x80-FF ; US-ASCII characters excluding CTLs,
; octets excluding CTLs,
; whitespace DQUOTE, comma, semicolon, ; whitespace DQUOTE, comma, semicolon,
; and backslash ; and backslash
cookie-av = expires-av / max-age-av / domain-av / cookie-av = expires-av / max-age-av / domain-av /
path-av / secure-av / httponly-av / path-av / secure-av / httponly-av /
samesite-av / extension-av samesite-av / extension-av
expires-av = "Expires" BWS "=" BWS sane-cookie-date expires-av = "Expires" BWS "=" BWS sane-cookie-date
sane-cookie-date = sane-cookie-date =
<IMF-fixdate, defined in [HTTPSEM], Section 5.6.7> <IMF-fixdate, defined in [HTTPSEM], Section 5.6.7>
max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT
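Review bot: the new "/ %x80-FF" alternative in cookie-octet admits every non-ASCII octet in cookie-name and cookie-value, yet nothing in this region says how a recipient is to interpret those octets (opaque bytes, required UTF-8, or something else); the only accompanying change is the comment going from "US-ASCII characters excluding CTLs" to "octets excluding CTLs". Suggest adding a sentence after the grammar that states the intended encoding and what a recipient does with a value that is not well-formed under it, since a value that passes this grammar still reaches consumers that operate on characters rather than octets. While this comment is being touched, "whitespace DQUOTE, comma, semicolon" reads as if "whitespace DQUOTE" were one item; a comma after "whitespace" would make the list match the exclusions the ranges actually express.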
skipping to change at page 13, line 23 skipping to change at page 13, line 23
session is over" (as defined by the user agent). session is over" (as defined by the user agent).
4.1.2.3. The Domain Attribute 4.1.2.3. The Domain Attribute
The Domain attribute specifies those hosts to which the cookie will The Domain attribute specifies those hosts to which the cookie will
be sent. For example, if the value of the Domain attribute is be sent. For example, if the value of the Domain attribute is
"site.example", the user agent will include the cookie in the Cookie "site.example", the user agent will include the cookie in the Cookie
header field when making HTTP requests to site.example, header field when making HTTP requests to site.example,
www.site.example, and www.corp.site.example. (Note that a leading www.site.example, and www.corp.site.example. (Note that a leading
%x2E ("."), if present, is ignored even though that character is not %x2E ("."), if present, is ignored even though that character is not
permitted, but a trailing %x2E ("."), if present, will cause the user permitted.) If the server omits the Domain attribute, the user agent
agent to ignore the attribute.) If the server omits the Domain will return the cookie only to the origin server.
attribute, the user agent will return the cookie only to the origin
server.
WARNING: Some existing user agents treat an absent Domain attribute WARNING: Some existing user agents treat an absent Domain attribute
as if the Domain attribute were present and contained the current as if the Domain attribute were present and contained the current
host name. For example, if site.example returns a Set-Cookie header host name. For example, if site.example returns a Set-Cookie header
field without a Domain attribute, these user agents will erroneously field without a Domain attribute, these user agents will erroneously
send the cookie to www.site.example as well. send the cookie to www.site.example as well.
The user agent will reject cookies unless the Domain attribute The user agent will reject cookies unless the Domain attribute
specifies a scope for the cookie that would include the origin specifies a scope for the cookie that would include the origin
server. For example, the user agent will accept a cookie with a server. For example, the user agent will accept a cookie with a
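Review bot: with the clause about a trailing %x2E (".") deleted, this paragraph now describes only the leading dot and is silent on what a trailing dot does, whereas the old text gave it a definite effect (the attribute is ignored, so the cookie is origin-only). Suggest one sentence here stating the new behaviour, whether "Domain=site.example." is rejected, has the dot stripped, or is kept verbatim, because the WARNING paragraph that follows covers only the absent-Domain case and a reader will otherwise assume a trailing dot is treated like a leading one.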
skipping to change at page 32, line 5 skipping to change at page 32, line 5
date. date.
7. If the cookie-attribute-list contains an attribute with an 7. If the cookie-attribute-list contains an attribute with an
attribute-name of "Domain": attribute-name of "Domain":
1. Let the domain-attribute be the attribute-value of the last 1. Let the domain-attribute be the attribute-value of the last
attribute in the cookie-attribute-list with both an attribute in the cookie-attribute-list with both an
attribute-name of "Domain" and an attribute-value whose attribute-name of "Domain" and an attribute-value whose
length is no more than 1024 octets. (Note that a leading length is no more than 1024 octets. (Note that a leading
%x2E ("."), if present, is ignored even though that %x2E ("."), if present, is ignored even though that
character is not permitted, but a trailing %x2E ("."), if character is not permitted.)
present, will cause the user agent to ignore the attribute.)
Otherwise: Otherwise:
1. Let the domain-attribute be the empty string. 1. Let the domain-attribute be the empty string.
8. If the domain-attribute contains a character that is not in the 8. If the domain-attribute contains a character that is not in the
range of [USASCII] characters, abort these steps and ignore the range of [USASCII] characters, abort these steps and ignore the
cookie entirely. cookie entirely.
9. If the user agent is configured to reject "public suffixes" and 9. If the user agent is configured to reject "public suffixes" and
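Review bot: dropping the trailing-dot clause from step 7.1 changes the control flow: a Domain value ending in %x2E (".") no longer falls through to the "Otherwise" branch (domain-attribute = empty string) and instead proceeds with the dot retained into the US-ASCII check in step 8 and the public-suffix check in step 9. Nothing in the shown steps strips that dot, so the outcome now depends on whether later canonicalization and domain matching accept a trailing dot; suggest either normalizing the value in step 7.1 or adding an explicit step that says how a trailing dot is handled, so that a cookie is not silently stored with a scope that never matches any request host. The 1024-octet limit and the step 8 US-ASCII requirement still apply to the domain-attribute, which is consistent with cookie-octet now admitting %x80-FF only in the cookie name and value.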
 End of changes. 7 change blocks. 
12 lines changed or deleted 8 lines changed or added