draft-ietf-httpbis-rfc6265bis-10.txt		draft-ietf-httpbis-rfc6265bis-latest.txt
	HTTP Working Group L. Chen, Ed.		HTTP Working Group L. Chen, Ed.
	Internet-Draft Google LLC		Internet-Draft Google LLC
	Obsoletes: 6265 (if approved) S. Englehardt, Ed.		Obsoletes: 6265 (if approved) S. Englehardt, Ed.
	Intended status: Standards Track Mozilla		Intended status: Standards Track Mozilla
	Expires: October 26, 2022 M. West, Ed.		Expires: January 8, 2023 M. West, Ed.
	Google LLC		Google LLC
	J. Wilander, Ed.		J. Wilander, Ed.
	Apple, Inc		Apple, Inc
	April 24, 2022		July 7, 2022
	Cookies: HTTP State Management Mechanism		Cookies: HTTP State Management Mechanism
	draft-ietf-httpbis-rfc6265bis-10		draft-ietf-httpbis-rfc6265bis-latest
	Abstract		Abstract
	This document defines the HTTP Cookie and Set-Cookie header fields.		This document defines the HTTP Cookie and Set-Cookie header fields.
	These header fields can be used by HTTP servers to store state		These header fields can be used by HTTP servers to store state
	(called cookies) at HTTP user agents, letting the servers maintain a		(called cookies) at HTTP user agents, letting the servers maintain a
	stateful session over the mostly stateless HTTP protocol. Although		stateful session over the mostly stateless HTTP protocol. Although
	cookies have many historical infelicities that degrade their security		cookies have many historical infelicities that degrade their security
	and privacy, the Cookie and Set-Cookie header fields are widely used		and privacy, the Cookie and Set-Cookie header fields are widely used
	on the Internet. This document obsoletes RFC 6265.		on the Internet. This document obsoletes RFC 6265.
	skipping to change at page 2, line 10 ¶		skipping to change at page 2, line 10 ¶
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at https://datatracker.ietf.org/drafts/current/.		Drafts is at https://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on October 26, 2022.		This Internet-Draft will expire on January 8, 2023.
	Copyright Notice		Copyright Notice
	Copyright (c) 2022 IETF Trust and the persons identified as the		Copyright (c) 2022 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(https://trustee.ietf.org/license-info) in effect on the date of		(https://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	skipping to change at page 2, line 51 ¶		skipping to change at page 2, line 51 ¶
	1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4		1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
	2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5		2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5
	2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 5		2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 5
	2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 6		2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 6
	2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6		2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
	3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 7		3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 7
	3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 8		3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 8
	4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 9		4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 9
	4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 10		4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 10
	4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 10		4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 10
	4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 11		4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 12
	4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 15		4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 15
	4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 16		4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 16
	4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 16		4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 16
	4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 16		4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 16
	5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 17		5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 17
	5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 17		5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 17
	5.1.1. Dates . . . . . . . . . . . . . . . . . . . . . . . . 17		5.1.1. Dates . . . . . . . . . . . . . . . . . . . . . . . . 17
	5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 19		5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 19
	5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 20		5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 20
	skipping to change at page 3, line 31 ¶		skipping to change at page 3, line 31 ¶
	5.4.3. The Domain Attribute . . . . . . . . . . . . . . . . 27		5.4.3. The Domain Attribute . . . . . . . . . . . . . . . . 27
	5.4.4. The Path Attribute . . . . . . . . . . . . . . . . . 28		5.4.4. The Path Attribute . . . . . . . . . . . . . . . . . 28
	5.4.5. The Secure Attribute . . . . . . . . . . . . . . . . 28		5.4.5. The Secure Attribute . . . . . . . . . . . . . . . . 28
	5.4.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 28		5.4.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 28
	5.4.7. The SameSite Attribute . . . . . . . . . . . . . . . 28		5.4.7. The SameSite Attribute . . . . . . . . . . . . . . . 28
	5.5. Storage Model . . . . . . . . . . . . . . . . . . . . . . 30		5.5. Storage Model . . . . . . . . . . . . . . . . . . . . . . 30
	5.6. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 36		5.6. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 36
	5.6.1. The Cookie Header Field . . . . . . . . . . . . . . . 36		5.6.1. The Cookie Header Field . . . . . . . . . . . . . . . 36
	5.6.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 36		5.6.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 36
	5.6.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 37		5.6.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 37
	6. Implementation Considerations . . . . . . . . . . . . . . . . 39		6. Implementation Considerations . . . . . . . . . . . . . . . . 38
	6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 39		6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 38
	6.2. Application Programming Interfaces . . . . . . . . . . . 39		6.2. Application Programming Interfaces . . . . . . . . . . . 39
	6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 40		6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 39
	7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 40		7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 40
	7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 41		7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 41
	7.2. Cookie Policy . . . . . . . . . . . . . . . . . . . . . . 41		7.2. Cookie Policy . . . . . . . . . . . . . . . . . . . . . . 41
	7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 42		7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 42
	7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 42		7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 42
	8. Security Considerations . . . . . . . . . . . . . . . . . . . 43		8. Security Considerations . . . . . . . . . . . . . . . . . . . 42
	8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 43		8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 42
	8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 43		8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 43
	8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 44		8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 43
	8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 44		8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 44
	8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 45		8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 45
	8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 46		8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 45
	8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 47		8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 46
	8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 47		8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 46
	8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 47		8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 46
	8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 47		8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 47
	8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 48		8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 47
	8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 48		8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 48
	8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 48		8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 48
	8.8.6. Top-level requests with "unsafe" methods . . . . . . 49		8.8.6. Top-level requests with "unsafe" methods . . . . . . 49
	9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 50		9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 49
	9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 50		9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 49
	9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 50		9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 50
	9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 50		9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 50
	9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 50		9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 50
	9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 51		9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 50
	10. References . . . . . . . . . . . . . . . . . . . . . . . . . 51		10. References . . . . . . . . . . . . . . . . . . . . . . . . . 51
	10.1. Normative References . . . . . . . . . . . . . . . . . . 51		10.1. Normative References . . . . . . . . . . . . . . . . . . 51
	10.2. Informative References . . . . . . . . . . . . . . . . . 53		10.2. Informative References . . . . . . . . . . . . . . . . . 52
	10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 54		10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 54
	Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 56		Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 57
	A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 56		A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 57
	A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 56		A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 57
	A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 57		A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 57
	A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 58		A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 58
	A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 58		A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 58
	A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 58		A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 58
	A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 58		A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 59
	A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 59		A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 59
	A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 59		A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 59
	A.10. draft-ietf-httpbis-rfc6265bis-09 . . . . . . . . . . . . 60		A.10. draft-ietf-httpbis-rfc6265bis-09 . . . . . . . . . . . . 60
	A.11. draft-ietf-httpbis-rfc6265bis-10 . . . . . . . . . . . . 60		A.11. draft-ietf-httpbis-rfc6265bis-10 . . . . . . . . . . . . 60
	Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 60		A.12. draft-ietf-httpbis-rfc6265bis-11 . . . . . . . . . . . . 61
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 60		Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 61
			Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 61
	1. Introduction		1. Introduction
	This document defines the HTTP Cookie and Set-Cookie header fields.		This document defines the HTTP Cookie and Set-Cookie header fields.
	Using the Set-Cookie header field, an HTTP server can pass name/value		Using the Set-Cookie header field, an HTTP server can pass name/value
	pairs and associated metadata (called cookies) to a user agent. When		pairs and associated metadata (called cookies) to a user agent. When
	the user agent makes subsequent requests to the server, the user		the user agent makes subsequent requests to the server, the user
	agent uses the metadata and other information to determine whether to		agent uses the metadata and other information to determine whether to
	return the name/value pairs in the Cookie header field.		return the name/value pairs in the Cookie header field.
	skipping to change at page 10, line 23 ¶		skipping to change at page 10, line 23 ¶
	which begins with a name-value-pair, followed by zero or more		which begins with a name-value-pair, followed by zero or more
	attribute-value pairs. Servers SHOULD NOT send Set-Cookie header		attribute-value pairs. Servers SHOULD NOT send Set-Cookie header
	fields that fail to conform to the following grammar:		fields that fail to conform to the following grammar:
	set-cookie = set-cookie-string		set-cookie = set-cookie-string
	set-cookie-string = BWS cookie-pair *( BWS ";" OWS cookie-av )		set-cookie-string = BWS cookie-pair *( BWS ";" OWS cookie-av )
	cookie-pair = cookie-name BWS "=" BWS cookie-value		cookie-pair = cookie-name BWS "=" BWS cookie-value
	cookie-name = 1*cookie-octet		cookie-name = 1*cookie-octet
	cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )		cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
	cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E		cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
	/ %x80-FF		; US-ASCII characters excluding CTLs,
	; octets excluding CTLs,
	; whitespace DQUOTE, comma, semicolon,		; whitespace DQUOTE, comma, semicolon,
	; and backslash		; and backslash
	cookie-av = expires-av / max-age-av / domain-av /		cookie-av = expires-av / max-age-av / domain-av /
	path-av / secure-av / httponly-av /		path-av / secure-av / httponly-av /
	samesite-av / extension-av		samesite-av / extension-av
	expires-av = "Expires" BWS "=" BWS sane-cookie-date		expires-av = "Expires" BWS "=" BWS sane-cookie-date
	sane-cookie-date =		sane-cookie-date =
	<IMF-fixdate, defined in [HTTPSEM], Section 5.6.7>		<IMF-fixdate, defined in [HTTPSEM], Section 5.6.7>
	max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT		max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT
	skipping to change at page 11, line 5 ¶		skipping to change at page 11, line 5 ¶
	samesite-av = "SameSite" BWS "=" BWS samesite-value		samesite-av = "SameSite" BWS "=" BWS samesite-value
	samesite-value = "Strict" / "Lax" / "None"		samesite-value = "Strict" / "Lax" / "None"
	extension-av = *av-octet		extension-av = *av-octet
	av-octet = %x20-3A / %x3C-7E		av-octet = %x20-3A / %x3C-7E
	; any CHAR except CTLs or ";"		; any CHAR except CTLs or ";"
	Note that some of the grammatical terms above reference documents		Note that some of the grammatical terms above reference documents
	that use different grammatical notations than this document (which		that use different grammatical notations than this document (which
	uses ABNF from [RFC5234]).		uses ABNF from [RFC5234]).
			NOTE: The name of an attribute-value pair is not case sensitive. So
			while they are presented here in CamelCase, such as "HttpOnly" or
			"SameSite", any case is accepted. E.x.: "httponly", "Httponly",
			"hTTPoNLY", etc.
	The semantics of the cookie-value are not defined by this document.		The semantics of the cookie-value are not defined by this document.
	To maximize compatibility with user agents, servers that wish to		To maximize compatibility with user agents, servers that wish to
	store arbitrary data in a cookie-value SHOULD encode that data, for		store arbitrary data in a cookie-value SHOULD encode that data, for
	example, using Base64 [RFC4648].		example, using Base64 [RFC4648].
	The domain-value is a subdomain as defined by [RFC1034], Section 3.5,		The domain-value is a subdomain as defined by [RFC1034], Section 3.5,
	and as enhanced by [RFC1123], Section 2.1. Thus, domain-value is a		and as enhanced by [RFC1123], Section 2.1. Thus, domain-value is a
	string of [USASCII] characters, such as one obtained by applying the		string of [USASCII] characters, such as one obtained by applying the
	"ToASCII" operation defined in Section 4 of [RFC3490].		"ToASCII" operation defined in Section 4 of [RFC3490].
	skipping to change at page 13, line 23 ¶		skipping to change at page 13, line 30 ¶
	session is over" (as defined by the user agent).		session is over" (as defined by the user agent).
	4.1.2.3. The Domain Attribute		4.1.2.3. The Domain Attribute
	The Domain attribute specifies those hosts to which the cookie will		The Domain attribute specifies those hosts to which the cookie will
	be sent. For example, if the value of the Domain attribute is		be sent. For example, if the value of the Domain attribute is
	"site.example", the user agent will include the cookie in the Cookie		"site.example", the user agent will include the cookie in the Cookie
	header field when making HTTP requests to site.example,		header field when making HTTP requests to site.example,
	www.site.example, and www.corp.site.example. (Note that a leading		www.site.example, and www.corp.site.example. (Note that a leading
	%x2E ("."), if present, is ignored even though that character is not		%x2E ("."), if present, is ignored even though that character is not
	permitted, but a trailing %x2E ("."), if present, will cause the user		permitted.) If the server omits the Domain attribute, the user agent
	agent to ignore the attribute.) If the server omits the Domain		will return the cookie only to the origin server.
	attribute, the user agent will return the cookie only to the origin
	server.
	WARNING: Some existing user agents treat an absent Domain attribute		WARNING: Some existing user agents treat an absent Domain attribute
	as if the Domain attribute were present and contained the current		as if the Domain attribute were present and contained the current
	host name. For example, if site.example returns a Set-Cookie header		host name. For example, if site.example returns a Set-Cookie header
	field without a Domain attribute, these user agents will erroneously		field without a Domain attribute, these user agents will erroneously
	send the cookie to www.site.example as well.		send the cookie to www.site.example as well.
	The user agent will reject cookies unless the Domain attribute		The user agent will reject cookies unless the Domain attribute
	specifies a scope for the cookie that would include the origin		specifies a scope for the cookie that would include the origin
	server. For example, the user agent will accept a cookie with a		server. For example, the user agent will accept a cookie with a
	skipping to change at page 32, line 5 ¶		skipping to change at page 32, line 5 ¶
	date.		date.
	7. If the cookie-attribute-list contains an attribute with an		7. If the cookie-attribute-list contains an attribute with an
	attribute-name of "Domain":		attribute-name of "Domain":
	1. Let the domain-attribute be the attribute-value of the last		1. Let the domain-attribute be the attribute-value of the last
	attribute in the cookie-attribute-list with both an		attribute in the cookie-attribute-list with both an
	attribute-name of "Domain" and an attribute-value whose		attribute-name of "Domain" and an attribute-value whose
	length is no more than 1024 octets. (Note that a leading		length is no more than 1024 octets. (Note that a leading
	%x2E ("."), if present, is ignored even though that		%x2E ("."), if present, is ignored even though that
	character is not permitted, but a trailing %x2E ("."), if		character is not permitted.)
	present, will cause the user agent to ignore the attribute.)
	Otherwise:		Otherwise:
	1. Let the domain-attribute be the empty string.		1. Let the domain-attribute be the empty string.
	8. If the domain-attribute contains a character that is not in the		8. If the domain-attribute contains a character that is not in the
	range of [USASCII] characters, abort these steps and ignore the		range of [USASCII] characters, abort these steps and ignore the
	cookie entirely.		cookie entirely.
	9. If the user agent is configured to reject "public suffixes" and		9. If the user agent is configured to reject "public suffixes" and
	skipping to change at page 38, line 45 ¶		skipping to change at page 38, line 43 ¶
	1. If the cookies' name is not empty, output the cookie's name		1. If the cookies' name is not empty, output the cookie's name
	followed by the %x3D ("=") character.		followed by the %x3D ("=") character.
	2. If the cookies' value is not empty, output the cookie's		2. If the cookies' value is not empty, output the cookie's
	value.		value.
	3. If there is an unprocessed cookie in the cookie-list, output		3. If there is an unprocessed cookie in the cookie-list, output
	the characters %x3B and %x20 ("; ").		the characters %x3B and %x20 ("; ").
	NOTE: Despite its name, the cookie-string is actually a sequence of
	octets, not a sequence of characters. To convert the cookie-string
	(or components thereof) into a sequence of characters (e.g., for
	presentation to the user), the user agent might wish to try using the
	UTF-8 character encoding [RFC3629] to decode the octet sequence.
	This decoding might fail, however, because not every sequence of
	octets is valid UTF-8.
	6. Implementation Considerations		6. Implementation Considerations
	6.1. Limits		6.1. Limits
	Practical user agent implementations have limits on the number and		Practical user agent implementations have limits on the number and
	size of cookies that they can store. General-use user agents SHOULD		size of cookies that they can store. General-use user agents SHOULD
	provide each of the following minimum capabilities:		provide each of the following minimum capabilities:
	o At least 50 cookies per domain.		o At least 50 cookies per domain.
	skipping to change at page 54, line 9 ¶		skipping to change at page 53, line 49 ¶
	<https://publicsuffix.org/list/>.		<https://publicsuffix.org/list/>.
	[RFC2109] Kristol, D. and L. Montulli, "HTTP State Management		[RFC2109] Kristol, D. and L. Montulli, "HTTP State Management
	Mechanism", RFC 2109, DOI 10.17487/RFC2109, February 1997,		Mechanism", RFC 2109, DOI 10.17487/RFC2109, February 1997,
	<https://www.rfc-editor.org/info/rfc2109>.		<https://www.rfc-editor.org/info/rfc2109>.
	[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,		[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
	DOI 10.17487/RFC2818, May 2000,		DOI 10.17487/RFC2818, May 2000,
	<https://www.rfc-editor.org/info/rfc2818>.		<https://www.rfc-editor.org/info/rfc2818>.
	[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
	10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
	2003, <https://www.rfc-editor.org/info/rfc3629>.
	[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration		[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
	Procedures for Message Header Fields", BCP 90, RFC 3864,		Procedures for Message Header Fields", BCP 90, RFC 3864,
	DOI 10.17487/RFC3864, September 2004,		DOI 10.17487/RFC3864, September 2004,
	<https://www.rfc-editor.org/info/rfc3864>.		<https://www.rfc-editor.org/info/rfc3864>.
	[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform		[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
	Resource Identifier (URI): Generic Syntax", STD 66,		Resource Identifier (URI): Generic Syntax", STD 66,
	RFC 3986, DOI 10.17487/RFC3986, January 2005,		RFC 3986, DOI 10.17487/RFC3986, January 2005,
	<https://www.rfc-editor.org/info/rfc3986>.		<https://www.rfc-editor.org/info/rfc3986>.
	skipping to change at page 56, line 39 ¶		skipping to change at page 56, line 27 ¶
	[41] https://github.com/httpwg/http-extensions/pull/1563		[41] https://github.com/httpwg/http-extensions/pull/1563
	[42] https://github.com/httpwg/http-extensions/pull/1576		[42] https://github.com/httpwg/http-extensions/pull/1576
	[43] https://github.com/httpwg/http-extensions/pull/1589		[43] https://github.com/httpwg/http-extensions/pull/1589
	[44] https://github.com/httpwg/http-extensions/pull/1709		[44] https://github.com/httpwg/http-extensions/pull/1709
	[45] https://github.com/httpwg/http-extensions/pull/1732		[45] https://github.com/httpwg/http-extensions/pull/1732
			[46] https://github.com/httpwg/http-extensions/pull/1980
			[47] https://github.com/httpwg/http-extensions/pull/1878
			[48] https://github.com/httpwg/http-extensions/pull/1902
			[49] https://github.com/httpwg/http-extensions/pull/1969
			[50] https://github.com/httpwg/http-extensions/pull/1789
			[51] https://github.com/httpwg/http-extensions/pull/1858
			[52] https://github.com/httpwg/http-extensions/pull/2069
			[53] https://github.com/httpwg/http-extensions/pull/2087
			[54] https://github.com/httpwg/http-extensions/pull/2092
			[55] https://github.com/httpwg/http-extensions/pull/2090
			[56] https://github.com/httpwg/http-extensions/pull/2165
			[57] https://github.com/httpwg/http-extensions/pull/2167
	Appendix A. Changes		Appendix A. Changes
	A.1. draft-ietf-httpbis-rfc6265bis-00		A.1. draft-ietf-httpbis-rfc6265bis-00
	o Port [RFC6265] to Markdown. No (intentional) normative changes.		o Port [RFC6265] to Markdown. No (intentional) normative changes.
	A.2. draft-ietf-httpbis-rfc6265bis-01		A.2. draft-ietf-httpbis-rfc6265bis-01
	o Fixes to formatting caused by mistakes in the initial port to		o Fixes to formatting caused by mistakes in the initial port to
	Markdown:		Markdown:
	skipping to change at page 60, line 22 ¶		skipping to change at page 60, line 38 ¶
	o No longer treat horizontal tab as a control character:		o No longer treat horizontal tab as a control character:
	https://github.com/httpwg/http-extensions/pull/1589 [43]		https://github.com/httpwg/http-extensions/pull/1589 [43]
	o Specify empty domain attribute handling:		o Specify empty domain attribute handling:
	https://github.com/httpwg/http-extensions/pull/1709 [44]		https://github.com/httpwg/http-extensions/pull/1709 [44]
	A.11. draft-ietf-httpbis-rfc6265bis-10		A.11. draft-ietf-httpbis-rfc6265bis-10
	o Standardize Max-Age/Expires upper bound:		o Standardize Max-Age/Expires upper bound:
	https://github.com/httpwg/http-extensions/pull/1732 [45]		https://github.com/httpwg/http-extensions/pull/1732 [45],
			https://github.com/httpwg/http-extensions/pull/1980 [46].
			o Expand on privacy considerations and third-party cookies:
			https://github.com/httpwg/http-extensions/pull/1878 [47]
			o Specify that no decoding of Set-Cookie line should occur:
			https://github.com/httpwg/http-extensions/pull/1902 [48]
			o Require ASCII for domain attributes: https://github.com/httpwg/
			http-extensions/pull/1969 [49]
			o Typos, formatting and editorial fixes: https://github.com/httpwg/
			http-extensions/pull/1789 [50], https://github.com/httpwg/http-
			extensions/pull/1858 [51], https://github.com/httpwg/http-
			extensions/pull/2069 [52].
			A.12. draft-ietf-httpbis-rfc6265bis-11
			o Remove note to ignore Domain attribute with trailing dot:
			https://github.com/httpwg/http-extensions/pull/2087 [53],
			https://github.com/httpwg/http-extensions/pull/2092 [54].
			o Remove an inadvertant change to cookie-octet:
			https://github.com/httpwg/http-extensions/pull/2090 [55]
			o Remove note regarding cookie serialization:
			https://github.com/httpwg/http-extensions/pull/2165 [56]
			o Add case insensitivity note to Set-Cookie Syntax:
			https://github.com/httpwg/http-extensions/pull/2167 [57]
	Acknowledgements		Acknowledgements
	RFC 6265 was written by Adam Barth. This document is an update of		RFC 6265 was written by Adam Barth. This document is an update of
	RFC 6265, adding features and aligning the specification with the		RFC 6265, adding features and aligning the specification with the
	reality of today's deployments. Here, we're standing upon the		reality of today's deployments. Here, we're standing upon the
	shoulders of a giant since the majority of the text is still Adam's.		shoulders of a giant since the majority of the text is still Adam's.
	Authors' Addresses		Authors' Addresses
End of changes. 25 change blocks.
	47 lines changed or deleted		91 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/