| draft-ietf-httpbis-rfc6265bis-11.txt | draft-ietf-httpbis-rfc6265bis-latest.txt | |||
|---|---|---|---|---|
| HTTP Working Group S. Bingler, Ed. | HTTP Working Group S. Bingler, Ed. | |||
| Internet-Draft M. West, Ed. | Internet-Draft M. West, Ed. | |||
| Obsoletes: 6265 (if approved) Google LLC | Obsoletes: 6265 (if approved) Google LLC | |||
| Intended status: Standards Track J. Wilander, Ed. | Intended status: Standards Track J. Wilander, Ed. | |||
| Expires: May 11, 2023 Apple, Inc | Expires: October 2, 2023 Apple, Inc | |||
| November 7, 2022 | March 31, 2023 | |||
| Cookies: HTTP State Management Mechanism | Cookies: HTTP State Management Mechanism | |||
| draft-ietf-httpbis-rfc6265bis-11 | draft-ietf-httpbis-rfc6265bis-latest | |||
| Abstract | Abstract | |||
| This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
| These header fields can be used by HTTP servers to store state | These header fields can be used by HTTP servers to store state | |||
| (called cookies) at HTTP user agents, letting the servers maintain a | (called cookies) at HTTP user agents, letting the servers maintain a | |||
| stateful session over the mostly stateless HTTP protocol. Although | stateful session over the mostly stateless HTTP protocol. Although | |||
| cookies have many historical infelicities that degrade their security | cookies have many historical infelicities that degrade their security | |||
| and privacy, the Cookie and Set-Cookie header fields are widely used | and privacy, the Cookie and Set-Cookie header fields are widely used | |||
| on the Internet. This document obsoletes RFC 6265. | on the Internet. This document obsoletes RFC 6265. | |||
| skipping to change at page 2, line 7 ¶ | skipping to change at page 2, line 7 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 11, 2023. | This Internet-Draft will expire on October 2, 2023. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2023 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 45 ¶ | skipping to change at page 2, line 45 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 5 | 2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 5 | |||
| 2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 6 | 2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 | 2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 8 | 3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 9 | 3.2. Which Requirements to Implement . . . . . . . . . . . . . 9 | |||
| 4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 10 | 3.2.1. Cookie Producing Implementations . . . . . . . . . . 10 | |||
| 4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 10 | 3.2.2. Cookie Consuming Implementations . . . . . . . . . . 10 | |||
| 4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 12 | 4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 15 | 4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 16 | 4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 13 | |||
| 4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 17 | 4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 17 | |||
| 5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 17 | 4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 17 | 4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 5.1.1. Dates . . . . . . . . . . . . . . . . . . . . . . . . 17 | 4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 19 | 5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 19 | |||
| 5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 20 | 5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 19 | |||
| 5.1.4. Paths and Path-Match . . . . . . . . . . . . . . . . 20 | 5.1.1. Dates . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 5.2. "Same-site" and "cross-site" Requests . . . . . . . . . . 21 | 5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 21 | |||
| 5.2.1. Document-based requests . . . . . . . . . . . . . . . 21 | 5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 22 | |||
| 5.2.2. Worker-based requests . . . . . . . . . . . . . . . . 22 | 5.1.4. Paths and Path-Match . . . . . . . . . . . . . . . . 22 | |||
| 5.3. Ignoring Set-Cookie Header Fields . . . . . . . . . . . . 23 | 5.2. "Same-site" and "cross-site" Requests . . . . . . . . . . 23 | |||
| 5.4. Cookie Name Prefixes . . . . . . . . . . . . . . . . . . 24 | 5.2.1. Document-based requests . . . . . . . . . . . . . . . 23 | |||
| 5.5. The Set-Cookie Header Field . . . . . . . . . . . . . . . 25 | 5.2.2. Worker-based requests . . . . . . . . . . . . . . . . 24 | |||
| 5.5.1. The Expires Attribute . . . . . . . . . . . . . . . . 28 | 5.3. Ignoring Set-Cookie Header Fields . . . . . . . . . . . . 25 | |||
| 5.5.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 28 | 5.4. Cookie Name Prefixes . . . . . . . . . . . . . . . . . . 25 | |||
| 5.5.3. The Domain Attribute . . . . . . . . . . . . . . . . 29 | 5.5. The Set-Cookie Header Field . . . . . . . . . . . . . . . 27 | |||
| 5.5.4. The Path Attribute . . . . . . . . . . . . . . . . . 29 | 5.5.1. The Expires Attribute . . . . . . . . . . . . . . . . 30 | |||
| 5.5.5. The Secure Attribute . . . . . . . . . . . . . . . . 29 | 5.5.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 30 | |||
| 5.5.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 30 | 5.5.3. The Domain Attribute . . . . . . . . . . . . . . . . 31 | |||
| 5.5.7. The SameSite Attribute . . . . . . . . . . . . . . . 30 | 5.5.4. The Path Attribute . . . . . . . . . . . . . . . . . 31 | |||
| 5.6. Storage Model . . . . . . . . . . . . . . . . . . . . . . 32 | 5.5.5. The Secure Attribute . . . . . . . . . . . . . . . . 31 | |||
| 5.7. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 38 | 5.5.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 32 | |||
| 5.7.1. The Cookie Header Field . . . . . . . . . . . . . . . 38 | 5.5.7. The SameSite Attribute . . . . . . . . . . . . . . . 32 | |||
| 5.7.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 38 | 5.6. Storage Model . . . . . . . . . . . . . . . . . . . . . . 34 | |||
| 5.7.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 39 | 5.7. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 40 | |||
| 6. Implementation Considerations . . . . . . . . . . . . . . . . 40 | 5.7.1. The Cookie Header Field . . . . . . . . . . . . . . . 40 | |||
| 6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 40 | 5.7.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 40 | |||
| 6.2. Application Programming Interfaces . . . . . . . . . . . 41 | 5.7.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 41 | |||
| 6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 41 | 6. Implementation Considerations . . . . . . . . . . . . . . . . 42 | |||
| 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 42 | 6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 42 | |||
| 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 43 | 6.2. Application Programming Interfaces . . . . . . . . . . . 43 | |||
| 7.2. Cookie Policy . . . . . . . . . . . . . . . . . . . . . . 43 | 6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 43 | |||
| 7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 44 | 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 44 | |||
| 7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 44 | 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 45 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 44 | 7.2. Cookie Policy . . . . . . . . . . . . . . . . . . . . . . 45 | |||
| 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 44 | 7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 46 | |||
| 8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 45 | 7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 46 | |||
| 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 45 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 46 | |||
| 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 46 | 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 46 | |||
| 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 47 | 8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 47 | |||
| 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 47 | 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 47 | |||
| 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 48 | 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 48 | |||
| 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 48 | 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 49 | |||
| 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 48 | 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 49 | |||
| 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 49 | 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 50 | |||
| 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 49 | 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 50 | |||
| 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 50 | 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 50 | |||
| 8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 50 | 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 51 | |||
| 8.8.6. Top-level requests with "unsafe" methods . . . . . . 51 | 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 51 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 51 | 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 52 | |||
| 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 51 | 8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 52 | |||
| 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 52 | 8.8.6. Top-level requests with "unsafe" methods . . . . . . 53 | |||
| 9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 52 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 53 | |||
| 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 52 | 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 53 | |||
| 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 52 | 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 54 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 53 | 9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 54 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 53 | 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 54 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 54 | 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 54 | |||
| 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 56 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 55 | |||
| Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 59 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 55 | |||
| A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 59 | 10.2. Informative References . . . . . . . . . . . . . . . . . 56 | |||
| A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 59 | 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 58 | |||
| A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 59 | Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 61 | |||
| A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 60 | A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 61 | |||
| A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 60 | A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 61 | |||
| A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 61 | A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 62 | |||
| A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 61 | A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 62 | |||
| A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 61 | A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 62 | |||
| A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 62 | A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 63 | |||
| A.10. draft-ietf-httpbis-rfc6265bis-09 . . . . . . . . . . . . 62 | A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 63 | |||
| A.11. draft-ietf-httpbis-rfc6265bis-10 . . . . . . . . . . . . 62 | A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 63 | |||
| A.12. draft-ietf-httpbis-rfc6265bis-11 . . . . . . . . . . . . 63 | A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 64 | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 64 | A.10. draft-ietf-httpbis-rfc6265bis-09 . . . . . . . . . . . . 64 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 64 | A.11. draft-ietf-httpbis-rfc6265bis-10 . . . . . . . . . . . . 65 | |||
| A.12. draft-ietf-httpbis-rfc6265bis-11 . . . . . . . . . . . . 65 | ||||
| A.13. draft-ietf-httpbis-rfc6265bis-12 . . . . . . . . . . . . 66 | ||||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 66 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 66 | ||||
| 1. Introduction | 1. Introduction | |||
| This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
| Using the Set-Cookie header field, an HTTP server can pass name/value | Using the Set-Cookie header field, an HTTP server can pass name/value | |||
| pairs and associated metadata (called cookies) to a user agent. When | pairs and associated metadata (called cookies) to a user agent. When | |||
| the user agent makes subsequent requests to the server, the user | the user agent makes subsequent requests to the server, the user | |||
| agent uses the metadata and other information to determine whether to | agent uses the metadata and other information to determine whether to | |||
| return the name/value pairs in the Cookie header field. | return the name/value pairs in the Cookie header field. | |||
| skipping to change at page 9, line 44 ¶ | skipping to change at page 9, line 44 ¶ | |||
| the cookie was created. | the cookie was created. | |||
| == Server -> User Agent == | == Server -> User Agent == | |||
| Set-Cookie: lang=; Expires=Sun, 06 Nov 1994 08:49:37 GMT | Set-Cookie: lang=; Expires=Sun, 06 Nov 1994 08:49:37 GMT | |||
| == User Agent -> Server == | == User Agent -> Server == | |||
| Cookie: SID=31d4d96e407aad42 | Cookie: SID=31d4d96e407aad42 | |||
| 3.2. Which Requirements to Implement | ||||
| The upcoming two sections, Section 4 and Section 5, discuss the set | ||||
| of requirements for two distinct types of implementations. This | ||||
| section is meant to help guide implementers in determining which set | ||||
| of requirements best fits their goals. Choosing the wrong set of | ||||
| requirements could result in a lack of compatibility with other | ||||
| cookie implementations. | ||||
| It's important to note that being compatible means different things | ||||
| depending on the implementer's goals. These differences have built | ||||
| up over time due to both intentional and unintentional spec changes, | ||||
| spec interpretations, and historical implementation differences. | ||||
| This section roughly divides implementers of the cookie spec into two | ||||
| types, producers and consumers. These are not official terms and are | ||||
| only used here to help readers develop an intuitive understanding of | ||||
| the use cases. | ||||
| 3.2.1. Cookie Producing Implementations | ||||
| An implementer should choose Section 4 whenever cookies are created | ||||
| and will be sent to a user agent, such as a web browser. These | ||||
| implementations are frequently referred to as Servers by the spec but | ||||
| that term includes anything which primarily produces cookies. Some | ||||
| potential examples: | ||||
| o Server applications hosting a website or API | ||||
| o Programming languages or software frameworks that support cookies | ||||
| o Integrated third-party web applications, such as a business | ||||
| management suite | ||||
| All these benefit from not only supporting as many user agents as | ||||
| possible but also supporting other servers. This is useful if a | ||||
| cookie is produced by a software framework and is later sent back to | ||||
| a server application which needs to read it. Section 4 advises best | ||||
| practices that help maximize this sense of compatibility. | ||||
| See Section 3.2.2.1 for more details on programming languages and | ||||
| software frameworks. | ||||
| 3.2.2. Cookie Consuming Implementations | ||||
| An implementer should choose Section 5 whenever cookies are primarily | ||||
| received from another source. These implementations are referred to | ||||
| as user agents. Some examples: | ||||
| o Web browsers | ||||
| o Tools that support stateful HTTP | ||||
| o Programming languages or software frameworks that support cookies | ||||
| Because user agents don't know which servers a user will access, and | ||||
| whether or not that server is following best practices, users agents | ||||
| are advised to implement a more lenient set of requirements and to | ||||
| accept some things that servers are warned against producing. | ||||
| Section 5 advises best practices that help maximize this sense of | ||||
| compatibility. | ||||
| See Section 3.2.2.1 for more details on programming languages and | ||||
| software frameworks. | ||||
| 3.2.2.1. Programming Languages & Software Frameworks | ||||
| A programming language or software framework with support for cookies | ||||
| could reasonably be used to create an application that acts as a | ||||
| cookie producer, cookie consumer, or both. Because a developer may | ||||
| want to maximize their compatibility as either a producer or | ||||
| consumer, these languages or frameworks should strongly consider | ||||
| supporting both sets of requirements, Section 4 and Section 5, behind | ||||
| a compatibility mode toggle. This toggle should default to | ||||
| Section 4's requirements. | ||||
| Doing so will reduce the chances that a developer's application can | ||||
| inadvertently create cookies that cannot be read by other servers. | ||||
| 4. Server Requirements | 4. Server Requirements | |||
| This section describes the syntax and semantics of a well-behaved | This section describes the syntax and semantics of a well-behaved | |||
| profile of the Cookie and Set-Cookie header fields. | profile of the Cookie and Set-Cookie header fields. | |||
| 4.1. Set-Cookie | 4.1. Set-Cookie | |||
| The Set-Cookie HTTP response header field is used to send cookies | The Set-Cookie HTTP response header field is used to send cookies | |||
| from the server to the user agent. | from the server to the user agent. | |||
| skipping to change at page 59, line 15 ¶ | skipping to change at page 61, line 15 ¶ | |||
| [59] https://github.com/httpwg/http-extensions/pull/2220 | [59] https://github.com/httpwg/http-extensions/pull/2220 | |||
| [60] https://github.com/httpwg/http-extensions/pull/2217 | [60] https://github.com/httpwg/http-extensions/pull/2217 | |||
| [61] https://github.com/httpwg/http-extensions/pull/2236 | [61] https://github.com/httpwg/http-extensions/pull/2236 | |||
| [62] https://github.com/httpwg/http-extensions/pull/2244 | [62] https://github.com/httpwg/http-extensions/pull/2244 | |||
| [63] https://github.com/httpwg/http-extensions/pull/2251 | [63] https://github.com/httpwg/http-extensions/pull/2251 | |||
| [64] https://github.com/httpwg/http-extensions/pull/2478 | ||||
| Appendix A. Changes | Appendix A. Changes | |||
| A.1. draft-ietf-httpbis-rfc6265bis-00 | A.1. draft-ietf-httpbis-rfc6265bis-00 | |||
| o Port [RFC6265] to Markdown. No (intentional) normative changes. | o Port [RFC6265] to Markdown. No (intentional) normative changes. | |||
| A.2. draft-ietf-httpbis-rfc6265bis-01 | A.2. draft-ietf-httpbis-rfc6265bis-01 | |||
| o Fixes to formatting caused by mistakes in the initial port to | o Fixes to formatting caused by mistakes in the initial port to | |||
| Markdown: | Markdown: | |||
| skipping to change at page 64, line 5 ¶ | skipping to change at page 66, line 11 ¶ | |||
| o Compare cookie name prefixes case-insensitively: | o Compare cookie name prefixes case-insensitively: | |||
| https://github.com/httpwg/http-extensions/pull/2236 [61] | https://github.com/httpwg/http-extensions/pull/2236 [61] | |||
| o Update editors and the acknowledgements https://github.com/httpwg/ | o Update editors and the acknowledgements https://github.com/httpwg/ | |||
| http-extensions/pull/2244 [62] | http-extensions/pull/2244 [62] | |||
| o Prevent nameless cookies with prefixed values | o Prevent nameless cookies with prefixed values | |||
| https://github.com/httpwg/http-extensions/pull/2251 [63] | https://github.com/httpwg/http-extensions/pull/2251 [63] | |||
| o Advise the reader which section to implement | ||||
| https://github.com/httpwg/http-extensions/pull/2478 [64] | ||||
| A.13. draft-ietf-httpbis-rfc6265bis-12 | ||||
| o None. Yet! | ||||
| Acknowledgements | Acknowledgements | |||
| RFC 6265 was written by Adam Barth. This document is an update of | RFC 6265 was written by Adam Barth. This document is an update of | |||
| RFC 6265, adding features and aligning the specification with the | RFC 6265, adding features and aligning the specification with the | |||
| reality of today's deployments. Here, we're standing upon the | reality of today's deployments. Here, we're standing upon the | |||
| shoulders of a giant since the majority of the text is still Adam's. | shoulders of a giant since the majority of the text is still Adam's. | |||
| Thank you to both Lily Chen and Steven Englehardt, editors emeritus, | Thank you to both Lily Chen and Steven Englehardt, editors emeritus, | |||
| for their significant contributions improving this draft. | for their significant contributions improving this draft. | |||
| End of changes. 8 change blocks. | ||||
| 86 lines changed or deleted | 178 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||