draft-ietf-httpbis-rfc6265bis-10.txt   draft-ietf-httpbis-rfc6265bis-latest.txt 
HTTP Working Group L. Chen, Ed. HTTP Working Group L. Chen, Ed.
Internet-Draft Google LLC Internet-Draft Google LLC
Obsoletes: 6265 (if approved) S. Englehardt, Ed. Obsoletes: 6265 (if approved) S. Englehardt, Ed.
Intended status: Standards Track Mozilla Intended status: Standards Track Mozilla
Expires: October 26, 2022 M. West, Ed. Expires: January 8, 2023 M. West, Ed.
Google LLC Google LLC
J. Wilander, Ed. J. Wilander, Ed.
Apple, Inc Apple, Inc
April 24, 2022 July 7, 2022
Cookies: HTTP State Management Mechanism Cookies: HTTP State Management Mechanism
draft-ietf-httpbis-rfc6265bis-10 draft-ietf-httpbis-rfc6265bis-latest
Abstract Abstract
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
These header fields can be used by HTTP servers to store state These header fields can be used by HTTP servers to store state
(called cookies) at HTTP user agents, letting the servers maintain a (called cookies) at HTTP user agents, letting the servers maintain a
stateful session over the mostly stateless HTTP protocol. Although stateful session over the mostly stateless HTTP protocol. Although
cookies have many historical infelicities that degrade their security cookies have many historical infelicities that degrade their security
and privacy, the Cookie and Set-Cookie header fields are widely used and privacy, the Cookie and Set-Cookie header fields are widely used
on the Internet. This document obsoletes RFC 6265. on the Internet. This document obsoletes RFC 6265.
skipping to change at page 2, line 10 skipping to change at page 2, line 10
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 26, 2022. This Internet-Draft will expire on January 8, 2023.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 51 skipping to change at page 2, line 51
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 5 2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 5
2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 6 2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 6
2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 8 3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 8
4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 9 4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 9
4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 10 4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 10
4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 10 4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 10
4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 11 4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 12
4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 15 4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 15
4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 16 4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 16 4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 16
4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 16 4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 16
5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 17 5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 17
5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 17 5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 17
5.1.1. Dates . . . . . . . . . . . . . . . . . . . . . . . . 17 5.1.1. Dates . . . . . . . . . . . . . . . . . . . . . . . . 17
5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 19 5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 19
5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 20 5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 20
skipping to change at page 3, line 31 skipping to change at page 3, line 31
5.4.3. The Domain Attribute . . . . . . . . . . . . . . . . 27 5.4.3. The Domain Attribute . . . . . . . . . . . . . . . . 27
5.4.4. The Path Attribute . . . . . . . . . . . . . . . . . 28 5.4.4. The Path Attribute . . . . . . . . . . . . . . . . . 28
5.4.5. The Secure Attribute . . . . . . . . . . . . . . . . 28 5.4.5. The Secure Attribute . . . . . . . . . . . . . . . . 28
5.4.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 28 5.4.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 28
5.4.7. The SameSite Attribute . . . . . . . . . . . . . . . 28 5.4.7. The SameSite Attribute . . . . . . . . . . . . . . . 28
5.5. Storage Model . . . . . . . . . . . . . . . . . . . . . . 30 5.5. Storage Model . . . . . . . . . . . . . . . . . . . . . . 30
5.6. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 36 5.6. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 36
5.6.1. The Cookie Header Field . . . . . . . . . . . . . . . 36 5.6.1. The Cookie Header Field . . . . . . . . . . . . . . . 36
5.6.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 36 5.6.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 36
5.6.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 37 5.6.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 37
6. Implementation Considerations . . . . . . . . . . . . . . . . 39 6. Implementation Considerations . . . . . . . . . . . . . . . . 38
6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 39 6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 38
6.2. Application Programming Interfaces . . . . . . . . . . . 39 6.2. Application Programming Interfaces . . . . . . . . . . . 39
6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 40 6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 39
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 40 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 40
7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 41 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 41
7.2. Cookie Policy . . . . . . . . . . . . . . . . . . . . . . 41 7.2. Cookie Policy . . . . . . . . . . . . . . . . . . . . . . 41
7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 42 7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 42
7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 42 7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 42
8. Security Considerations . . . . . . . . . . . . . . . . . . . 43 8. Security Considerations . . . . . . . . . . . . . . . . . . . 42
8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 43 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 42
8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 43 8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 43
8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 44 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 43
8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 44 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 44
8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 45 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 45
8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 46 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 45
8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 47 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 46
8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 47 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 46
8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 47 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 46
8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 47 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 47
8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 48 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 47
8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 48 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 48
8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 48 8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 48
8.8.6. Top-level requests with "unsafe" methods . . . . . . 49 8.8.6. Top-level requests with "unsafe" methods . . . . . . 49
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 50 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 49
9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 50 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 49
9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 50 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 50
9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 50 9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 50
9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 50 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 50
9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 51 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 50
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 51 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 51
10.1. Normative References . . . . . . . . . . . . . . . . . . 51 10.1. Normative References . . . . . . . . . . . . . . . . . . 51
10.2. Informative References . . . . . . . . . . . . . . . . . 53 10.2. Informative References . . . . . . . . . . . . . . . . . 52
10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 54 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 56 Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 57
A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 56 A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 57
A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 56 A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 57
A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 57 A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 57
A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 58 A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 58
A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 58 A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 58
A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 58 A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 58
A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 58 A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 59
A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 59 A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 59
A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 59 A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 59
A.10. draft-ietf-httpbis-rfc6265bis-09 . . . . . . . . . . . . 60 A.10. draft-ietf-httpbis-rfc6265bis-09 . . . . . . . . . . . . 60
A.11. draft-ietf-httpbis-rfc6265bis-10 . . . . . . . . . . . . 60 A.11. draft-ietf-httpbis-rfc6265bis-10 . . . . . . . . . . . . 60
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 60 A.12. draft-ietf-httpbis-rfc6265bis-11 . . . . . . . . . . . . 61
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 60 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 61
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 61
1. Introduction 1. Introduction
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
Using the Set-Cookie header field, an HTTP server can pass name/value Using the Set-Cookie header field, an HTTP server can pass name/value
pairs and associated metadata (called cookies) to a user agent. When pairs and associated metadata (called cookies) to a user agent. When
the user agent makes subsequent requests to the server, the user the user agent makes subsequent requests to the server, the user
agent uses the metadata and other information to determine whether to agent uses the metadata and other information to determine whether to
return the name/value pairs in the Cookie header field. return the name/value pairs in the Cookie header field.
skipping to change at page 10, line 23 skipping to change at page 10, line 23
which begins with a name-value-pair, followed by zero or more which begins with a name-value-pair, followed by zero or more
attribute-value pairs. Servers SHOULD NOT send Set-Cookie header attribute-value pairs. Servers SHOULD NOT send Set-Cookie header
fields that fail to conform to the following grammar: fields that fail to conform to the following grammar:
set-cookie = set-cookie-string set-cookie = set-cookie-string
set-cookie-string = BWS cookie-pair *( BWS ";" OWS cookie-av ) set-cookie-string = BWS cookie-pair *( BWS ";" OWS cookie-av )
cookie-pair = cookie-name BWS "=" BWS cookie-value cookie-pair = cookie-name BWS "=" BWS cookie-value
cookie-name = 1*cookie-octet cookie-name = 1*cookie-octet
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
[draft-ietf-httpbis-rfc6265bis-10]
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
             / %x80-FF
             ; octets excluding CTLs,
             ; whitespace DQUOTE, comma, semicolon,
             ; and backslash
[draft-ietf-httpbis-rfc6265bis-latest]
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
             ; US-ASCII characters excluding CTLs,
             ; whitespace DQUOTE, comma, semicolon,
             ; and backslash
cookie-av = expires-av / max-age-av / domain-av / cookie-av = expires-av / max-age-av / domain-av /
path-av / secure-av / httponly-av / path-av / secure-av / httponly-av /
samesite-av / extension-av samesite-av / extension-av
expires-av = "Expires" BWS "=" BWS sane-cookie-date expires-av = "Expires" BWS "=" BWS sane-cookie-date
sane-cookie-date = sane-cookie-date =
<IMF-fixdate, defined in [HTTPSEM], Section 5.6.7> <IMF-fixdate, defined in [HTTPSEM], Section 5.6.7>
max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT
skipping to change at page 11, line 5 skipping to change at page 11, line 5
samesite-av = "SameSite" BWS "=" BWS samesite-value samesite-av = "SameSite" BWS "=" BWS samesite-value
samesite-value = "Strict" / "Lax" / "None" samesite-value = "Strict" / "Lax" / "None"
extension-av = *av-octet extension-av = *av-octet
av-octet = %x20-3A / %x3C-7E av-octet = %x20-3A / %x3C-7E
; any CHAR except CTLs or ";" ; any CHAR except CTLs or ";"
Note that some of the grammatical terms above reference documents Note that some of the grammatical terms above reference documents
that use different grammatical notations than this document (which that use different grammatical notations than this document (which
uses ABNF from [RFC5234]). uses ABNF from [RFC5234]).
NOTE: The name of an attribute-value pair is not case sensitive. So
while they are presented here in CamelCase, such as "HttpOnly" or
"SameSite", any case is accepted, e.g. "httponly", "Httponly",
"hTTPoNLY", etc.
The semantics of the cookie-value are not defined by this document. The semantics of the cookie-value are not defined by this document.
To maximize compatibility with user agents, servers that wish to To maximize compatibility with user agents, servers that wish to
store arbitrary data in a cookie-value SHOULD encode that data, for store arbitrary data in a cookie-value SHOULD encode that data, for
example, using Base64 [RFC4648]. example, using Base64 [RFC4648].
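A validator for the Set-Cookie grammar above, added here as a worked example; it is not code from the draft, nor from any browser or server. It uses the -latest column's cookie-octet (US-ASCII only; A.12 records the -10 column's %x80-FF as an inadvertent change that was reverted), matches attribute names case-insensitively as the NOTE requires, rejects rather than repairs nonconforming input (a policy chosen for this example), and shows the Base64 encoding the paragraph above recommends. The regular expressions, the simplified DOMAIN_RE and the function names are this example's own.

```python
import base64
import re

# cookie-octet as in the -latest column: US-ASCII minus CTLs, whitespace,
# DQUOTE, comma, semicolon and backslash.  (The -10 column also allowed
# %x80-FF; A.12 records that as an inadvertent change that was reverted.)
COOKIE_OCTET = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]"
COOKIE_NAME_RE = re.compile(rf"^{COOKIE_OCTET}+$")
COOKIE_VALUE_RE = re.compile(rf'^(?:{COOKIE_OCTET}*|"{COOKIE_OCTET}*")$')
# av-octet = %x20-3A / %x3C-7E: any CHAR except CTLs or ";"
AV_OCTET_RE = re.compile(r"^[\x20-\x3A\x3C-\x7E]*$")
# sane-cookie-date is an IMF-fixdate such as "Sun, 06 Nov 1994 08:49:37 GMT"
IMF_FIXDATE_RE = re.compile(
    r"^(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} "
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} "
    r"\d{2}:\d{2}:\d{2} GMT$")
MAX_AGE_RE = re.compile(r"^[1-9][0-9]*$")   # non-zero-digit *DIGIT
# domain-value: ASCII labels of letters, digits and hyphens joined by ".".
# Simplified for this example (no label-length check, no leading dot).
DOMAIN_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
                       r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")
SAMESITE = {"strict": "Strict", "lax": "Lax", "none": "None"}
KNOWN = {"expires", "max-age", "domain", "path", "secure", "httponly", "samesite"}


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie field value against the 4.1.1 grammar.

    Raises ValueError for anything the grammar does not permit (policy
    choice for this example: reject rather than repair).  Attribute
    names are matched case-insensitively, as the NOTE in 4.1.1 says."""
    # Neither cookie-value nor av-octet may contain ";", so splitting on it
    # is exact for conforming input.  strip() absorbs BWS / OWS.
    parts = header.split(";")
    name, eq, value = parts[0].strip().partition("=")
    name, value = name.strip(), value.strip()
    if not eq or not COOKIE_NAME_RE.match(name):
        raise ValueError(f"bad cookie-pair: {parts[0]!r}")
    if not COOKIE_VALUE_RE.match(value):      # DQUOTEs, if present, are kept
        raise ValueError(f"bad cookie-value: {value!r}")
    cookie = {"name": name, "value": value, "attributes": {}, "extensions": []}
    attrs = cookie["attributes"]
    for av in parts[1:]:
        av = av.strip()
        if not av:                 # extension-av = *av-octet, so "" is legal
            continue
        aname, aeq, aval = av.partition("=")
        aname, aval = aname.strip().lower(), aval.strip()
        if aname in ("secure", "httponly") and not aeq:
            attrs[aname] = True
        elif aname == "expires" and IMF_FIXDATE_RE.match(aval):
            attrs[aname] = aval
        elif aname == "max-age" and MAX_AGE_RE.match(aval):
            # The grammar forbids "0" and leading zeros, although the user
            # agent algorithm in 5.4.2 accepts any integer, so Max-Age=0
            # does expire a cookie in practice.
            attrs[aname] = int(aval)
        elif aname == "domain" and DOMAIN_RE.match(aval):
            attrs[aname] = aval
        elif aname == "path" and aeq and AV_OCTET_RE.match(aval):
            attrs[aname] = aval
        elif aname == "samesite" and aval.lower() in SAMESITE:
            attrs[aname] = SAMESITE[aval.lower()]
        elif aname not in KNOWN and AV_OCTET_RE.match(av):
            cookie["extensions"].append(av)
        else:
            raise ValueError(f"bad cookie-av: {av!r}")
    return cookie


def fails_grammar(header: str) -> bool:
    """True if parse_set_cookie rejects the header."""
    try:
        parse_set_cookie(header)
    except ValueError:
        return True
    return False


def encode_cookie_value(data: bytes) -> str:
    """Base64 arbitrary bytes (the 4.1.1 suggestion): the standard alphabet
    plus "=" padding consists entirely of cookie-octets."""
    return base64.b64encode(data).decode("ascii")


def decode_cookie_value(value: str) -> bytes:
    return base64.b64decode(value, validate=True)


if __name__ == "__main__":
    print(parse_set_cookie("SID=31d4d96e407aad42; Path=/; Secure; HttpOnly; samesite=lax"))
```

Because the strict grammar excludes whitespace, commas and any non-ASCII octet from the value, anything structured (JSON, UTF-8 text, binary) goes through encode_cookie_value before it is emitted; the parser will otherwise reject it, and so may user agents that follow 5.4 less charitably than the browser you tested against.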
The domain-value is a subdomain as defined by [RFC1034], Section 3.5, The domain-value is a subdomain as defined by [RFC1034], Section 3.5,
and as enhanced by [RFC1123], Section 2.1. Thus, domain-value is a and as enhanced by [RFC1123], Section 2.1. Thus, domain-value is a
string of [USASCII] characters, such as one obtained by applying the string of [USASCII] characters, such as one obtained by applying the
"ToASCII" operation defined in Section 4 of [RFC3490]. "ToASCII" operation defined in Section 4 of [RFC3490].
skipping to change at page 13, line 23 skipping to change at page 13, line 30
session is over" (as defined by the user agent). session is over" (as defined by the user agent).
4.1.2.3. The Domain Attribute 4.1.2.3. The Domain Attribute
The Domain attribute specifies those hosts to which the cookie will The Domain attribute specifies those hosts to which the cookie will
be sent. For example, if the value of the Domain attribute is be sent. For example, if the value of the Domain attribute is
"site.example", the user agent will include the cookie in the Cookie "site.example", the user agent will include the cookie in the Cookie
header field when making HTTP requests to site.example, header field when making HTTP requests to site.example,
[draft-ietf-httpbis-rfc6265bis-10] www.site.example, and www.corp.site.example. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.) If the server omits the Domain attribute, the user agent will return the cookie only to the origin server.
[draft-ietf-httpbis-rfc6265bis-latest] www.site.example, and www.corp.site.example. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted.) If the server omits the Domain attribute, the user agent will return the cookie only to the origin server.
WARNING: Some existing user agents treat an absent Domain attribute WARNING: Some existing user agents treat an absent Domain attribute
as if the Domain attribute were present and contained the current as if the Domain attribute were present and contained the current
host name. For example, if site.example returns a Set-Cookie header host name. For example, if site.example returns a Set-Cookie header
field without a Domain attribute, these user agents will erroneously field without a Domain attribute, these user agents will erroneously
send the cookie to www.site.example as well. send the cookie to www.site.example as well.
The user agent will reject cookies unless the Domain attribute The user agent will reject cookies unless the Domain attribute
specifies a scope for the cookie that would include the origin specifies a scope for the cookie that would include the origin
server. For example, the user agent will accept a cookie with a server. For example, the user agent will accept a cookie with a
skipping to change at page 32, line 5 skipping to change at page 32, line 5
date. date.
7. If the cookie-attribute-list contains an attribute with an 7. If the cookie-attribute-list contains an attribute with an
attribute-name of "Domain": attribute-name of "Domain":
1. Let the domain-attribute be the attribute-value of the last 1. Let the domain-attribute be the attribute-value of the last
attribute in the cookie-attribute-list with both an attribute in the cookie-attribute-list with both an
attribute-name of "Domain" and an attribute-value whose attribute-name of "Domain" and an attribute-value whose
[draft-ietf-httpbis-rfc6265bis-10] length is no more than 1024 octets. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.)
[draft-ietf-httpbis-rfc6265bis-latest] length is no more than 1024 octets. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted.)
Otherwise: Otherwise:
1. Let the domain-attribute be the empty string. 1. Let the domain-attribute be the empty string.
8. If the domain-attribute contains a character that is not in the 8. If the domain-attribute contains a character that is not in the
range of [USASCII] characters, abort these steps and ignore the range of [USASCII] characters, abort these steps and ignore the
cookie entirely. cookie entirely.
9. If the user agent is configured to reject "public suffixes" and 9. If the user agent is configured to reject "public suffixes" and
skipping to change at page 38, line 45 skipping to change at page 38, line 43
1. If the cookie's name is not empty, output the cookie's name 1. If the cookie's name is not empty, output the cookie's name
followed by the %x3D ("=") character. followed by the %x3D ("=") character.
2. If the cookie's value is not empty, output the cookie's 2. If the cookie's value is not empty, output the cookie's
value. value.
3. If there is an unprocessed cookie in the cookie-list, output 3. If there is an unprocessed cookie in the cookie-list, output
the characters %x3B and %x20 ("; "). the characters %x3B and %x20 ("; ").
NOTE: Despite its name, the cookie-string is actually a sequence of
octets, not a sequence of characters. To convert the cookie-string
(or components thereof) into a sequence of characters (e.g., for
presentation to the user), the user agent might wish to try using the
UTF-8 character encoding [RFC3629] to decode the octet sequence.
This decoding might fail, however, because not every sequence of
octets is valid UTF-8.
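An added example of the user-agent side of the Domain attribute described in 4.1.2.3 and in steps 7 to 10 of the storage model above, together with domain-matching (5.1.3), path-matching (5.1.4) and the cookie-string serialization of 5.6.3; it is not code from the draft or from any browser. It assumes the Set-Cookie line is already parsed (name, value and attribute values are passed in), that IDNA ToASCII has already been applied to host names, and that expiry is out of scope (every cookie here is a session cookie). The public-suffix test of step 9 is a caller-supplied predicate, since the list itself is not part of the specification, and the Cookie, store_cookie and cookie_header names are this example's own.

```python
from dataclasses import dataclass
import ipaddress
import itertools

# Assumptions of this example (not the draft's): no expiry handling, IDNA
# already applied, public-suffix list supplied by the caller.
_creation = itertools.count()   # stands in for creation-time stamps


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    host_only: bool
    path: str = "/"
    secure: bool = False
    creation: int = 0


def canonicalize_host(host: str) -> str:
    """5.1.2 minus the IDNA step: lower-case the host name."""
    return host.lower()


def is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_matches(string: str, domain: str) -> bool:
    """5.1.3: identical, or `domain` is a suffix of `string` preceded by
    "." and `string` is a host name rather than an IP address."""
    string, domain = string.lower(), domain.lower()
    if string == domain:
        return True
    return string.endswith("." + domain) and not is_ip_address(string)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def store_cookie(jar: list, request_host: str, name: str, value: str,
                 domain_attrs=(), path: str = "/", secure: bool = False,
                 is_public_suffix=lambda d: False) -> bool:
    """Apply steps 7-10 of the storage model to a parsed cookie.
    Returns False when the cookie is ignored entirely."""
    host = canonicalize_host(request_host)
    # Step 7: the last Domain attribute no longer than 1024 octets wins;
    # a leading "." is ignored even though the grammar does not permit it.
    candidates = [d for d in domain_attrs if len(d.encode("utf-8")) <= 1024]
    domain_attr = candidates[-1] if candidates else ""
    if domain_attr.startswith("."):
        domain_attr = domain_attr[1:]
    domain_attr = domain_attr.lower()
    # Step 8: any non-ASCII character in the domain-attribute -> ignore.
    if not domain_attr.isascii():
        return False
    # Step 9: a public suffix is acceptable only when it is the host itself,
    # and then the cookie becomes host-only.
    if domain_attr and is_public_suffix(domain_attr):
        if domain_attr != host:
            return False
        domain_attr = ""
    # Step 10: the Domain must cover the origin server, else the cookie is
    # ignored.  Without a Domain the cookie is host-only.
    if domain_attr:
        if not domain_matches(host, domain_attr):
            return False
        cookie = Cookie(name, value, domain_attr, host_only=False,
                        path=path, secure=secure, creation=next(_creation))
    else:
        cookie = Cookie(name, value, host, host_only=True,
                        path=path, secure=secure, creation=next(_creation))
    # An existing cookie with the same name, domain and path is replaced
    # but keeps its creation time, which preserves its position in 5.6.3.
    for old in jar:
        if (old.name, old.domain, old.path) == (cookie.name, cookie.domain, cookie.path):
            cookie.creation = old.creation
            jar.remove(old)
            break
    jar.append(cookie)
    return True


def cookie_header(jar: list, request_host: str, request_path: str = "/",
                  secure_scheme: bool = True) -> str:
    """5.6.3: select matching cookies, order them (longer path first, then
    earlier creation) and serialize them as a cookie-string."""
    host = canonicalize_host(request_host)
    matched = []
    for c in jar:
        if c.host_only and host != c.domain:
            continue
        if not c.host_only and not domain_matches(host, c.domain):
            continue
        if not path_matches(request_path, c.path):
            continue
        if c.secure and not secure_scheme:
            continue
        matched.append(c)
    matched.sort(key=lambda c: (-len(c.path), c.creation))
    parts = []
    for c in matched:
        out = (c.name + "=") if c.name else ""   # the name may be empty,
        parts.append(out + c.value)               # and so may the value
    return "; ".join(parts)
```

A Domain value with a trailing dot needs no special case here: it never domain-matches a request host that lacks one, so step 10 drops the cookie on its own. The WARNING in 4.1.2.3 about agents that send host-only cookies to subdomains corresponds to skipping the `host != c.domain` check above; it is the reason a server must not rely on omitting Domain as an isolation boundary.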
6. Implementation Considerations 6. Implementation Considerations
6.1. Limits 6.1. Limits
Practical user agent implementations have limits on the number and Practical user agent implementations have limits on the number and
size of cookies that they can store. General-use user agents SHOULD size of cookies that they can store. General-use user agents SHOULD
provide each of the following minimum capabilities: provide each of the following minimum capabilities:
o At least 50 cookies per domain. o At least 50 cookies per domain.
skipping to change at page 54, line 9 skipping to change at page 53, line 49
<https://publicsuffix.org/list/>. <https://publicsuffix.org/list/>.
[RFC2109] Kristol, D. and L. Montulli, "HTTP State Management [RFC2109] Kristol, D. and L. Montulli, "HTTP State Management
Mechanism", RFC 2109, DOI 10.17487/RFC2109, February 1997, Mechanism", RFC 2109, DOI 10.17487/RFC2109, February 1997,
<https://www.rfc-editor.org/info/rfc2109>. <https://www.rfc-editor.org/info/rfc2109>.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000, DOI 10.17487/RFC2818, May 2000,
<https://www.rfc-editor.org/info/rfc2818>. <https://www.rfc-editor.org/info/rfc2818>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <https://www.rfc-editor.org/info/rfc3629>.
[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
Procedures for Message Header Fields", BCP 90, RFC 3864, Procedures for Message Header Fields", BCP 90, RFC 3864,
DOI 10.17487/RFC3864, September 2004, DOI 10.17487/RFC3864, September 2004,
<https://www.rfc-editor.org/info/rfc3864>. <https://www.rfc-editor.org/info/rfc3864>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005, RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/info/rfc3986>. <https://www.rfc-editor.org/info/rfc3986>.
skipping to change at page 56, line 39 skipping to change at page 56, line 27
[41] https://github.com/httpwg/http-extensions/pull/1563 [41] https://github.com/httpwg/http-extensions/pull/1563
[42] https://github.com/httpwg/http-extensions/pull/1576 [42] https://github.com/httpwg/http-extensions/pull/1576
[43] https://github.com/httpwg/http-extensions/pull/1589 [43] https://github.com/httpwg/http-extensions/pull/1589
[44] https://github.com/httpwg/http-extensions/pull/1709 [44] https://github.com/httpwg/http-extensions/pull/1709
[45] https://github.com/httpwg/http-extensions/pull/1732 [45] https://github.com/httpwg/http-extensions/pull/1732
[46] https://github.com/httpwg/http-extensions/pull/1980
[47] https://github.com/httpwg/http-extensions/pull/1878
[48] https://github.com/httpwg/http-extensions/pull/1902
[49] https://github.com/httpwg/http-extensions/pull/1969
[50] https://github.com/httpwg/http-extensions/pull/1789
[51] https://github.com/httpwg/http-extensions/pull/1858
[52] https://github.com/httpwg/http-extensions/pull/2069
[53] https://github.com/httpwg/http-extensions/pull/2087
[54] https://github.com/httpwg/http-extensions/pull/2092
[55] https://github.com/httpwg/http-extensions/pull/2090
[56] https://github.com/httpwg/http-extensions/pull/2165
[57] https://github.com/httpwg/http-extensions/pull/2167
Appendix A. Changes Appendix A. Changes
A.1. draft-ietf-httpbis-rfc6265bis-00 A.1. draft-ietf-httpbis-rfc6265bis-00
o Port [RFC6265] to Markdown. No (intentional) normative changes. o Port [RFC6265] to Markdown. No (intentional) normative changes.
A.2. draft-ietf-httpbis-rfc6265bis-01 A.2. draft-ietf-httpbis-rfc6265bis-01
o Fixes to formatting caused by mistakes in the initial port to o Fixes to formatting caused by mistakes in the initial port to
Markdown: Markdown:
skipping to change at page 60, line 22 skipping to change at page 60, line 38
o No longer treat horizontal tab as a control character: o No longer treat horizontal tab as a control character:
https://github.com/httpwg/http-extensions/pull/1589 [43] https://github.com/httpwg/http-extensions/pull/1589 [43]
o Specify empty domain attribute handling: o Specify empty domain attribute handling:
https://github.com/httpwg/http-extensions/pull/1709 [44] https://github.com/httpwg/http-extensions/pull/1709 [44]
A.11. draft-ietf-httpbis-rfc6265bis-10 A.11. draft-ietf-httpbis-rfc6265bis-10
o Standardize Max-Age/Expires upper bound: o Standardize Max-Age/Expires upper bound:
https://github.com/httpwg/http-extensions/pull/1732 [45] https://github.com/httpwg/http-extensions/pull/1732 [45],
https://github.com/httpwg/http-extensions/pull/1980 [46].
o Expand on privacy considerations and third-party cookies:
https://github.com/httpwg/http-extensions/pull/1878 [47]
o Specify that no decoding of Set-Cookie line should occur:
https://github.com/httpwg/http-extensions/pull/1902 [48]
o Require ASCII for domain attributes: https://github.com/httpwg/
http-extensions/pull/1969 [49]
o Typos, formatting and editorial fixes: https://github.com/httpwg/
http-extensions/pull/1789 [50], https://github.com/httpwg/http-
extensions/pull/1858 [51], https://github.com/httpwg/http-
extensions/pull/2069 [52].
A.12. draft-ietf-httpbis-rfc6265bis-11
o Remove note to ignore Domain attribute with trailing dot:
https://github.com/httpwg/http-extensions/pull/2087 [53],
https://github.com/httpwg/http-extensions/pull/2092 [54].
o Remove an inadvertent change to cookie-octet:
https://github.com/httpwg/http-extensions/pull/2090 [55]
o Remove note regarding cookie serialization:
https://github.com/httpwg/http-extensions/pull/2165 [56]
o Add case insensitivity note to Set-Cookie Syntax:
https://github.com/httpwg/http-extensions/pull/2167 [57]
Acknowledgements Acknowledgements
RFC 6265 was written by Adam Barth. This document is an update of RFC 6265 was written by Adam Barth. This document is an update of
RFC 6265, adding features and aligning the specification with the RFC 6265, adding features and aligning the specification with the
reality of today's deployments. Here, we're standing upon the reality of today's deployments. Here, we're standing upon the
shoulders of a giant since the majority of the text is still Adam's. shoulders of a giant since the majority of the text is still Adam's.
Authors' Addresses Authors' Addresses
End of changes. 25 change blocks. 47 lines changed or deleted, 91 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/