| draft-ietf-httpbis-rfc6265bis-07.txt | draft-ietf-httpbis-rfc6265bis-latest.txt | |||
|---|---|---|---|---|
| HTTP Working Group M. West, Ed. | HTTP Working Group M. West, Ed. | |||
| Internet-Draft Google, Inc | Internet-Draft Google, Inc | |||
| Obsoletes: 6265 (if approved) J. Wilander, Ed. | Obsoletes: 6265 (if approved) J. Wilander, Ed. | |||
| Intended status: Standards Track Apple, Inc | Intended status: Standards Track Apple, Inc | |||
| Expires: June 10, 2021 December 7, 2020 | Expires: September 3, 2021 March 2, 2021 | |||
| Cookies: HTTP State Management Mechanism | Cookies: HTTP State Management Mechanism | |||
| draft-ietf-httpbis-rfc6265bis-07 | draft-ietf-httpbis-rfc6265bis-latest | |||
| Abstract | Abstract | |||
| This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
| These header fields can be used by HTTP servers to store state | These header fields can be used by HTTP servers to store state | |||
| (called cookies) at HTTP user agents, letting the servers maintain a | (called cookies) at HTTP user agents, letting the servers maintain a | |||
| stateful session over the mostly stateless HTTP protocol. Although | stateful session over the mostly stateless HTTP protocol. Although | |||
| cookies have many historical infelicities that degrade their security | cookies have many historical infelicities that degrade their security | |||
| and privacy, the Cookie and Set-Cookie header fields are widely used | and privacy, the Cookie and Set-Cookie header fields are widely used | |||
| on the Internet. This document obsoletes RFC 6265. | on the Internet. This document obsoletes RFC 6265. | |||
| skipping to change at page 1, line 47 ¶ | skipping to change at page 1, line 47 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 10, 2021. | This Internet-Draft will expire on September 3, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 3, line 40 ¶ | skipping to change at page 3, line 40 ¶ | |||
| 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 39 | 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 39 | |||
| 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 40 | 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 40 | |||
| 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 41 | 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 41 | |||
| 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 41 | 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 41 | |||
| 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 42 | 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 42 | |||
| 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 42 | 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 42 | |||
| 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 42 | 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 42 | |||
| 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 43 | 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 43 | |||
| 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 43 | 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 43 | |||
| 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 44 | 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 44 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44 | 8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 44 | |||
| 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 44 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 45 | |||
| 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 44 | 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 45 | |||
| 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 45 | ||||
| 9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 45 | 9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 45 | |||
| 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 45 | 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 45 | |||
| 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 45 | 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 46 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 45 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 46 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 45 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 46 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 47 | 10.2. Informative References . . . . . . . . . . . . . . . . . 48 | |||
| 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 49 | 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 49 | |||
| Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 50 | Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 51 | |||
| A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 50 | A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 51 | |||
| A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 50 | A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 51 | |||
| A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 51 | A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 52 | |||
| A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 52 | A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 52 | |||
| A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 52 | A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 53 | |||
| A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 52 | A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 53 | |||
| A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 52 | A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 53 | |||
| A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 53 | A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 53 | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 53 | A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 54 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 54 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 54 | ||||
| 1. Introduction | 1. Introduction | |||
| This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
| Using the Set-Cookie header field, an HTTP server can pass name/value | Using the Set-Cookie header field, an HTTP server can pass name/value | |||
| pairs and associated metadata (called cookies) to a user agent. When | pairs and associated metadata (called cookies) to a user agent. When | |||
| the user agent makes subsequent requests to the server, the user | the user agent makes subsequent requests to the server, the user | |||
| agent uses the metadata and other information to determine whether to | agent uses the metadata and other information to determine whether to | |||
| return the name/value pairs in the Cookie header. | return the name/value pairs in the Cookie header. | |||
| skipping to change at page 6, line 51 ¶ | skipping to change at page 6, line 51 ¶ | |||
| A domain's "public suffix" is the portion of a domain that is | A domain's "public suffix" is the portion of a domain that is | |||
| controlled by a public registry, such as "com", "co.uk", and | controlled by a public registry, such as "com", "co.uk", and | |||
| "pvt.k12.wy.us". A domain's "registrable domain" is the domain's | "pvt.k12.wy.us". A domain's "registrable domain" is the domain's | |||
| public suffix plus the label to its left. That is, for | public suffix plus the label to its left. That is, for | |||
| "https://www.site.example", the public suffix is "example", and the | "https://www.site.example", the public suffix is "example", and the | |||
| registrable domain is "site.example". Whenever possible, user agents | registrable domain is "site.example". Whenever possible, user agents | |||
| SHOULD use an up-to-date public suffix list, such as the one | SHOULD use an up-to-date public suffix list, such as the one | |||
| maintained by the Mozilla project at [PSL]. | maintained by the Mozilla project at [PSL]. | |||
| The term "request", as well as a request's "client", "current url", | The term "request", as well as a request's "client", "current url", | |||
| "method", and "target browsing context", are defined in [FETCH]. | "method", "target browsing context", and "url list", are defined in | |||
| [FETCH]. | ||||
| 3. Overview | 3. Overview | |||
| This section outlines a way for an origin server to send state | This section outlines a way for an origin server to send state | |||
| information to a user agent and for the user agent to return the | information to a user agent and for the user agent to return the | |||
| state information to the origin server. | state information to the origin server. | |||
| To store state, the origin server includes a Set-Cookie header in an | To store state, the origin server includes a Set-Cookie header in an | |||
| HTTP response. In subsequent requests, the user agent returns a | HTTP response. In subsequent requests, the user agent returns a | |||
| Cookie request header to the origin server. The Cookie header | Cookie request header to the origin server. The Cookie header | |||
| skipping to change at page 20, line 33 ¶ | skipping to change at page 20, line 33 ¶ | |||
| o The cookie-path is a prefix of the request-path, and the last | o The cookie-path is a prefix of the request-path, and the last | |||
| character of the cookie-path is %x2F ("/"). | character of the cookie-path is %x2F ("/"). | |||
| o The cookie-path is a prefix of the request-path, and the first | o The cookie-path is a prefix of the request-path, and the first | |||
| character of the request-path that is not included in the cookie- | character of the request-path that is not included in the cookie- | |||
| path is a %x2F ("/") character. | path is a %x2F ("/") character. | |||
| 5.2. "Same-site" and "cross-site" Requests | 5.2. "Same-site" and "cross-site" Requests | |||
| Two origins, A and B, are considered same-site if the following | Two origins are same-site if they satisfy the "same site" criteria | |||
| algorithm returns true: | defined in [SAMESITE]. A request is "same-site" if the following | |||
| criteria are true: | ||||
| 1. If A and B are both the same globally unique identifier, return | ||||
| true. | ||||
| 2. If A and B are both scheme/host/port triples: | ||||
| 1. If A's scheme does not equal B's scheme, return false. | ||||
| 2. Let hostA be A's host, and hostB be B's host. | ||||
| 3. If hostA equals hostB and hostA's registrable domain is null, | ||||
| return true. | ||||
| 4. If hostA's registrable domain equals hostB's registrable | 1. The request is not the result of a cross-site redirect. That is, | |||
| domain and is non-null, return true. | the origin of every url in the request's url list is same-site | |||
| with the request's current url's origin. | ||||
| 3. Return false. | 2. The request is not the result of a reload navigation triggered | |||
| through a user interface element (as defined by the user agent; | ||||
| e.g., a request triggered by the user clicking a refresh button | ||||
| on a toolbar). | ||||
| Note: The port component of the origins is not considered. | 3. The request's current url's origin is same-site with the | |||
| request's client's "site for cookies" (which is an origin), or if | ||||
| the request has no client or the request's client is null. | ||||
| A request is "same-site" if its target's URI's origin is same-site | Requests which are the result of a reload navigation triggered | |||
| with the request's client's "site for cookies" (which is an origin), | through a user interface element are same-site if the reloaded | |||
| or if the request has no client. The request is otherwise "cross- | document was originally navigated to via a same-site request. A | |||
| site". | request that is not "same-site" is instead "cross-site". | |||
| The request's client's "site for cookies" is calculated depending | The request's client's "site for cookies" is calculated depending | |||
| upon its client's type, as described in the following subsections: | upon its client's type, as described in the following subsections: | |||
| 5.2.1. Document-based requests | 5.2.1. Document-based requests | |||
| The URI displayed in a user agent's address bar is the only security | The URI displayed in a user agent's address bar is the only security | |||
| context directly exposed to users, and therefore the only signal | context directly exposed to users, and therefore the only signal | |||
| users can reasonably rely upon to determine whether or not they trust | users can reasonably rely upon to determine whether or not they trust | |||
| a particular website. The origin of that URI represents the context | a particular website. The origin of that URI represents the context | |||
| skipping to change at page 28, line 9 ¶ | skipping to change at page 28, line 9 ¶ | |||
| 3. If cookie-av's attribute-value is a case-insensitive match for | 3. If cookie-av's attribute-value is a case-insensitive match for | |||
| "Strict", set "enforcement" to "Strict". | "Strict", set "enforcement" to "Strict". | |||
| 4. If cookie-av's attribute-value is a case-insensitive match for | 4. If cookie-av's attribute-value is a case-insensitive match for | |||
| "Lax", set "enforcement" to "Lax". | "Lax", set "enforcement" to "Lax". | |||
| 5. Append an attribute to the cookie-attribute-list with an | 5. Append an attribute to the cookie-attribute-list with an | |||
| attribute-name of "SameSite" and an attribute-value of | attribute-name of "SameSite" and an attribute-value of | |||
| "enforcement". | "enforcement". | |||
| Note: This algorithm maps the "None" value, as well as any unknown | ||||
| value, to the "None" behavior, which is helpful for backwards | ||||
| compatibility when introducing new variants. | ||||
| 5.3.7.1. "Strict" and "Lax" enforcement | 5.3.7.1. "Strict" and "Lax" enforcement | |||
| Same-site cookies in "Strict" enforcement mode will not be sent along | Same-site cookies in "Strict" enforcement mode will not be sent along | |||
| with top-level navigations which are triggered from a cross-site | with top-level navigations which are triggered from a cross-site | |||
| document context. As discussed in Section 8.8.2, this might or might | document context. As discussed in Section 8.8.2, this might or might | |||
| not be compatible with existing session management systems. In the | not be compatible with existing session management systems. In the | |||
| interests of providing a drop-in mechanism that mitigates the risk of | interests of providing a drop-in mechanism that mitigates the risk of | |||
| CSRF attacks, developers may set the "SameSite" attribute in a "Lax" | CSRF attacks, developers may set the "SameSite" attribute in a "Lax" | |||
| enforcement mode that carves out an exception which sends same-site | enforcement mode that carves out an exception which sends same-site | |||
| cookies along with cross-site requests if and only if they are top- | cookies along with cross-site requests if and only if they are top- | |||
| skipping to change at page 44, line 21 ¶ | skipping to change at page 44, line 21 ¶ | |||
| SameSite cookies in and of themselves don't do anything to address | SameSite cookies in and of themselves don't do anything to address | |||
| the general privacy concerns outlined in Section 7.1 of [RFC6265]. | the general privacy concerns outlined in Section 7.1 of [RFC6265]. | |||
| The "SameSite" attribute is set by the server, and serves to mitigate | The "SameSite" attribute is set by the server, and serves to mitigate | |||
| the risk of certain kinds of attacks that the server is worried | the risk of certain kinds of attacks that the server is worried | |||
| about. The user is not involved in this decision. Moreover, a | about. The user is not involved in this decision. Moreover, a | |||
| number of side-channels exist which could allow a server to link | number of side-channels exist which could allow a server to link | |||
| distinct requests even in the absence of cookies (for example, | distinct requests even in the absence of cookies (for example, | |||
| connection and/or socket pooling between same-site and cross-site | connection and/or socket pooling between same-site and cross-site | |||
| requests). | requests). | |||
| 8.8.5. Reload navigations | ||||
| Requests issued for reloads triggered through user interface elements | ||||
| (such as a refresh button on a toolbar) are same-site only if the | ||||
| reloaded document was originally navigated to via a same-site | ||||
| request. This differs from the handling of other reload navigations, | ||||
| which are always same-site if top-level, since the source browsing | ||||
| context's active document is precisely the document being reloaded. | ||||
| This special handling of reloads triggered through a user interface | ||||
| element avoids sending "SameSite" cookies on user-initiated reloads | ||||
| if they were withheld on the original navigation (i.e., if the | ||||
| initial navigation were cross-site). If the reload navigation were | ||||
| instead considered same-site, and sent all the initially withheld | ||||
| "SameSite" cookies, the security benefits of withholding the cookies | ||||
| in the first place would be nullified. This is especially important | ||||
| given that the absence of "SameSite" cookies withheld on a cross-site | ||||
| navigation request may lead to visible site breakage, prompting the | ||||
| user to trigger a reload. | ||||
| For example, suppose the user clicks on a link from | ||||
| "https://attacker.example/" to "https://victim.example/". This is a | ||||
| cross-site request, so "SameSite=Strict" cookies are withheld. | ||||
| Suppose this causes "https://victim.example/" to appear broken, | ||||
| because the site only displays its sensitive content if a particular | ||||
| "SameSite" cookie is present in the request. The user, frustrated by | ||||
| the unexpectedly broken site, presses refresh on their browser's | ||||
| toolbar. To now consider the reload request same-site and send the | ||||
| initially withheld "SameSite" cookie would defeat the purpose of | ||||
| withholding it in the first place, as the reload navigation triggered | ||||
| through the user interface may replay the original (potentially | ||||
| malicious) request. Thus, the reload request should be considered | ||||
| cross-site, like the request that initially navigated to the page. | ||||
| 9. IANA Considerations | 9. IANA Considerations | |||
| 9.1. Cookie | 9.1. Cookie | |||
| The permanent message header field registry (see [RFC3864]) needs to | The permanent message header field registry (see [RFC3864]) needs to | |||
| be updated with the following registration: | be updated with the following registration: | |||
| Header field name: Cookie | Header field name: Cookie | |||
| Applicable protocol: http | Applicable protocol: http | |||
| skipping to change at page 47, line 15 ¶ | skipping to change at page 47, line 46 ¶ | |||
| [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | |||
| Protocol (HTTP/1.1): Semantics and Content", RFC 7231, | Protocol (HTTP/1.1): Semantics and Content", RFC 7231, | |||
| DOI 10.17487/RFC7231, June 2014, | DOI 10.17487/RFC7231, June 2014, | |||
| <https://www.rfc-editor.org/info/rfc7231>. | <https://www.rfc-editor.org/info/rfc7231>. | |||
| [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | |||
| Writing an IANA Considerations Section in RFCs", BCP 26, | Writing an IANA Considerations Section in RFCs", BCP 26, | |||
| RFC 8126, DOI 10.17487/RFC8126, June 2017, | RFC 8126, DOI 10.17487/RFC8126, June 2017, | |||
| <https://www.rfc-editor.org/info/rfc8126>. | <https://www.rfc-editor.org/info/rfc8126>. | |||
| [SAMESITE] | ||||
| WHATWG, "HTML - Living Standard", January 2021, | ||||
| <https://html.spec.whatwg.org/#same-site>. | ||||
| [SERVICE-WORKERS] | [SERVICE-WORKERS] | |||
| Russell, A., Song, J., and J. Archibald, "Service | Russell, A., Song, J., and J. Archibald, "Service | |||
| Workers", n.d., <http://www.w3.org/TR/service-workers/>. | Workers", n.d., <http://www.w3.org/TR/service-workers/>. | |||
| [USASCII] American National Standards Institute, "Coded Character | [USASCII] American National Standards Institute, "Coded Character | |||
| Set -- 7-bit American Standard Code for Information | Set -- 7-bit American Standard Code for Information | |||
| Interchange", ANSI X3.4, 1986. | Interchange", ANSI X3.4, 1986. | |||
| 10.2. Informative References | 10.2. Informative References | |||
| skipping to change at page 50, line 39 ¶ | skipping to change at page 51, line 21 ¶ | |||
| [32] https://github.com/httpwg/http-extensions/issues/1159 | [32] https://github.com/httpwg/http-extensions/issues/1159 | |||
| [33] https://github.com/httpwg/http-extensions/issues/1234 | [33] https://github.com/httpwg/http-extensions/issues/1234 | |||
| [34] https://github.com/httpwg/http-extensions/pull/1325 | [34] https://github.com/httpwg/http-extensions/pull/1325 | |||
| [35] https://github.com/httpwg/http-extensions/pull/1323 | [35] https://github.com/httpwg/http-extensions/pull/1323 | |||
| [36] https://github.com/httpwg/http-extensions/pull/1324 | [36] https://github.com/httpwg/http-extensions/pull/1324 | |||
| [37] https://github.com/httpwg/http-extensions/pull/1384 | ||||
| [38] https://github.com/httpwg/http-extensions/pull/1348 | ||||
| Appendix A. Changes | Appendix A. Changes | |||
| A.1. draft-ietf-httpbis-rfc6265bis-00 | A.1. draft-ietf-httpbis-rfc6265bis-00 | |||
| o Port [RFC6265] to Markdown. No (intentional) normative changes. | o Port [RFC6265] to Markdown. No (intentional) normative changes. | |||
| A.2. draft-ietf-httpbis-rfc6265bis-01 | A.2. draft-ietf-httpbis-rfc6265bis-01 | |||
| o Fixes to formatting caused by mistakes in the initial port to | o Fixes to formatting caused by mistakes in the initial port to | |||
| Markdown: | Markdown: | |||
| skipping to change at page 53, line 29 ¶ | skipping to change at page 54, line 17 ¶ | |||
| o Add a default enforcement value to the "same-site-flag", | o Add a default enforcement value to the "same-site-flag", | |||
| equivalent to "SameSite=Lax": https://github.com/httpwg/http- | equivalent to "SameSite=Lax": https://github.com/httpwg/http- | |||
| extensions/pull/1325 [34]. | extensions/pull/1325 [34]. | |||
| o Require a Secure attribute for "SameSite=None": | o Require a Secure attribute for "SameSite=None": | |||
| https://github.com/httpwg/http-extensions/pull/1323 [35]. | https://github.com/httpwg/http-extensions/pull/1323 [35]. | |||
| o Consider scheme when running the same-site algorithm: | o Consider scheme when running the same-site algorithm: | |||
| https://github.com/httpwg/http-extensions/pull/1324 [36]. | https://github.com/httpwg/http-extensions/pull/1324 [36]. | |||
| A.9. draft-ietf-httpbis-rfc6265bis-08 | ||||
| o Define "same-site" for reload navigation requests, e.g. those | ||||
| triggered via user interface elements: https://github.com/httpwg/ | ||||
| http-extensions/pull/1384 [37] | ||||
| o Consider redirects when defining same-site: | ||||
| https://github.com/httpwg/http-extensions/pull/1348 [38] | ||||
| Acknowledgements | Acknowledgements | |||
| RFC 6265 was written by Adam Barth. This document is a minor update | RFC 6265 was written by Adam Barth. This document is a minor update | |||
| of RFC 6265, adding small features, and aligning the specification | of RFC 6265, adding small features, and aligning the specification | |||
| with the reality of today's deployments. Here, we're standing upon | with the reality of today's deployments. Here, we're standing upon | |||
| the shoulders of a giant since the majority of the text is still | the shoulders of a giant since the majority of the text is still | |||
| Adam's. | Adam's. | |||
| Authors' Addresses | Authors' Addresses | |||
| End of changes. 20 change blocks. | ||||
| 47 lines changed or deleted | 92 lines changed or added | |||
This html diff was produced by rfcdiff 1.44jr. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||