| draft-ietf-httpbis-rfc6265bis-09.txt | draft-ietf-httpbis-rfc6265bis-latest.txt | |||
|---|---|---|---|---|
| HTTP Working Group L. Chen, Ed. | HTTP Working Group L. Chen, Ed. | |||
| Internet-Draft Google LLC | Internet-Draft Google LLC | |||
| Obsoletes: 6265 (if approved) S. Englehardt, Ed. | Obsoletes: 6265 (if approved) S. Englehardt, Ed. | |||
| Intended status: Standards Track Mozilla | Intended status: Standards Track Mozilla | |||
| Expires: April 22, 2022 M. West, Ed. | Expires: July 18, 2022 M. West, Ed. | |||
| Google LLC | Google LLC | |||
| J. Wilander, Ed. | J. Wilander, Ed. | |||
| Apple, Inc | Apple, Inc | |||
| October 19, 2021 | January 14, 2022 | |||
| Cookies: HTTP State Management Mechanism | Cookies: HTTP State Management Mechanism | |||
| draft-ietf-httpbis-rfc6265bis-09 | draft-ietf-httpbis-rfc6265bis-latest | |||
| Abstract | Abstract | |||
| This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
| These header fields can be used by HTTP servers to store state | These header fields can be used by HTTP servers to store state | |||
| (called cookies) at HTTP user agents, letting the servers maintain a | (called cookies) at HTTP user agents, letting the servers maintain a | |||
| stateful session over the mostly stateless HTTP protocol. Although | stateful session over the mostly stateless HTTP protocol. Although | |||
| cookies have many historical infelicities that degrade their security | cookies have many historical infelicities that degrade their security | |||
| and privacy, the Cookie and Set-Cookie header fields are widely used | and privacy, the Cookie and Set-Cookie header fields are widely used | |||
| on the Internet. This document obsoletes RFC 6265. | on the Internet. This document obsoletes RFC 6265. | |||
| Note to Readers | ||||
| Discussion of this draft takes place on the HTTP working group | ||||
| mailing list (ietf-http-wg@w3.org), which is archived at | ||||
| https://lists.w3.org/Archives/Public/ietf-http-wg/ [1]. | ||||
| Working Group information can be found at http://httpwg.github.io/ | ||||
| [2]; source code and issues list for this draft can be found at | ||||
| https://github.com/httpwg/http-extensions/labels/6265bis [3]. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 22, 2022. | ||||
| This Internet-Draft will expire on July 18, 2022. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 41 ¶ | skipping to change at page 2, line 32 ¶ | |||
| than English. | than English. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 5 | 2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 5 | |||
| 2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 5 | 2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 | 2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 8 | 3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 9 | 4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 9 | 4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 9 | 4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 11 | 4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 11 | |||
| 4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 14 | 4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 14 | |||
| 4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 16 | 4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 16 | 4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 16 | 5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 16 | |||
| 5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 17 | 5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 17 | |||
| skipping to change at page 3, line 15 ¶ | skipping to change at page 3, line 6 ¶ | |||
| 5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 19 | 5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 19 | |||
| 5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 19 | 5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 19 | |||
| 5.1.4. Paths and Path-Match . . . . . . . . . . . . . . . . 19 | 5.1.4. Paths and Path-Match . . . . . . . . . . . . . . . . 19 | |||
| 5.2. "Same-site" and "cross-site" Requests . . . . . . . . . . 20 | 5.2. "Same-site" and "cross-site" Requests . . . . . . . . . . 20 | |||
| 5.2.1. Document-based requests . . . . . . . . . . . . . . . 21 | 5.2.1. Document-based requests . . . . . . . . . . . . . . . 21 | |||
| 5.2.2. Worker-based requests . . . . . . . . . . . . . . . . 22 | 5.2.2. Worker-based requests . . . . . . . . . . . . . . . . 22 | |||
| 5.3. Ignoring Set-Cookie Header Fields . . . . . . . . . . . . 23 | 5.3. Ignoring Set-Cookie Header Fields . . . . . . . . . . . . 23 | |||
| 5.4. The Set-Cookie Header Field . . . . . . . . . . . . . . . 23 | 5.4. The Set-Cookie Header Field . . . . . . . . . . . . . . . 23 | |||
| 5.4.1. The Expires Attribute . . . . . . . . . . . . . . . . 26 | 5.4.1. The Expires Attribute . . . . . . . . . . . . . . . . 26 | |||
| 5.4.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 26 | 5.4.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 26 | |||
| 5.4.3. The Domain Attribute . . . . . . . . . . . . . . . . 26 | 5.4.3. The Domain Attribute . . . . . . . . . . . . . . . . 27 | |||
| 5.4.4. The Path Attribute . . . . . . . . . . . . . . . . . 27 | 5.4.4. The Path Attribute . . . . . . . . . . . . . . . . . 27 | |||
| 5.4.5. The Secure Attribute . . . . . . . . . . . . . . . . 27 | 5.4.5. The Secure Attribute . . . . . . . . . . . . . . . . 27 | |||
| 5.4.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 27 | 5.4.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 27 | |||
| 5.4.7. The SameSite Attribute . . . . . . . . . . . . . . . 27 | 5.4.7. The SameSite Attribute . . . . . . . . . . . . . . . 28 | |||
| 5.5. Storage Model . . . . . . . . . . . . . . . . . . . . . . 29 | 5.5. Storage Model . . . . . . . . . . . . . . . . . . . . . . 30 | |||
| 5.6. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 35 | 5.6. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 35 | |||
| 5.6.1. The Cookie Header Field . . . . . . . . . . . . . . . 35 | 5.6.1. The Cookie Header Field . . . . . . . . . . . . . . . 35 | |||
| 5.6.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 35 | 5.6.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 36 | |||
| 5.6.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 36 | 5.6.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 36 | |||
| 6. Implementation Considerations . . . . . . . . . . . . . . . . 38 | 6. Implementation Considerations . . . . . . . . . . . . . . . . 38 | |||
| 6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 38 | 6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 6.2. Application Programming Interfaces . . . . . . . . . . . 38 | 6.2. Application Programming Interfaces . . . . . . . . . . . 38 | |||
| 6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 39 | 6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 39 | |||
| 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 39 | 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 39 | |||
| 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 39 | 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 39 | |||
| 7.2. Cookie policy . . . . . . . . . . . . . . . . . . . . . . 40 | 7.2. Cookie policy . . . . . . . . . . . . . . . . . . . . . . 40 | |||
| 7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 40 | 7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 40 | |||
| 7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 41 | 7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 41 | |||
| skipping to change at page 3, line 47 ¶ | skipping to change at page 3, line 38 ¶ | |||
| 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 42 | 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 42 | |||
| 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 43 | 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 43 | |||
| 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 43 | 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 43 | |||
| 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 44 | 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 44 | |||
| 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 45 | 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 45 | |||
| 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 45 | 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 45 | |||
| 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 45 | 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 45 | |||
| 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 45 | 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 45 | |||
| 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 46 | 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 46 | |||
| 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 46 | 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 46 | |||
| 8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 46 | 8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 47 | |||
| 8.8.6. Top-level requests with "unsafe" methods . . . . . . 47 | 8.8.6. Top-level requests with "unsafe" methods . . . . . . 47 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48 | |||
| 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 48 | 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 48 | |||
| 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 48 | 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 48 | |||
| 9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 48 | 9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 49 | |||
| 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 49 | 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 49 | |||
| 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 49 | 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 49 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 49 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 49 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 49 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 49 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 51 | 10.2. Informative References . . . . . . . . . . . . . . . . . 51 | |||
| 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 53 | 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 53 | |||
| Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 55 | Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 55 | |||
| A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 55 | A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 55 | |||
| A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 55 | A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 55 | |||
| A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 55 | A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 55 | |||
| A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 56 | A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 56 | |||
| A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 56 | A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 56 | |||
| A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 56 | A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 57 | |||
| A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 57 | A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 57 | |||
| A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 57 | A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 57 | |||
| A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 57 | A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 58 | |||
| A.10. draft-ietf-httpbis-rfc6265bis-09 . . . . . . . . . . . . 58 | A.10. draft-ietf-httpbis-rfc6265bis-09 . . . . . . . . . . . . 58 | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 58 | A.11. draft-ietf-httpbis-rfc6265bis-10 . . . . . . . . . . . . 58 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 59 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 59 | ||||
| 1. Introduction | 1. Introduction | |||
| This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
| Using the Set-Cookie header field, an HTTP server can pass name/value | Using the Set-Cookie header field, an HTTP server can pass name/value | |||
| pairs and associated metadata (called cookies) to a user agent. When | pairs and associated metadata (called cookies) to a user agent. When | |||
| the user agent makes subsequent requests to the server, the user | the user agent makes subsequent requests to the server, the user | |||
| agent uses the metadata and other information to determine whether to | agent uses the metadata and other information to determine whether to | |||
| return the name/value pairs in the Cookie header field. | return the name/value pairs in the Cookie header field. | |||
| skipping to change at page 10, line 23 ¶ | skipping to change at page 10, line 23 ¶ | |||
| ; whitespace DQUOTE, comma, semicolon, | ; whitespace DQUOTE, comma, semicolon, | |||
| ; and backslash | ; and backslash | |||
| cookie-av = expires-av / max-age-av / domain-av / | cookie-av = expires-av / max-age-av / domain-av / | |||
| path-av / secure-av / httponly-av / | path-av / secure-av / httponly-av / | |||
| samesite-av / extension-av | samesite-av / extension-av | |||
| expires-av = "Expires" BWS "=" BWS sane-cookie-date | expires-av = "Expires" BWS "=" BWS sane-cookie-date | |||
| sane-cookie-date = | sane-cookie-date = | |||
| <IMF-fixdate, defined in [HTTPSEM], Section 5.6.7> | <IMF-fixdate, defined in [HTTPSEM], Section 5.6.7> | |||
| max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT | max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT | |||
| ; In practice, both expires-av and max-age-av | ||||
| ; are limited to dates representable by the | ||||
| ; user agent. | ||||
| non-zero-digit = %x31-39 | non-zero-digit = %x31-39 | |||
| ; digits 1 through 9 | ; digits 1 through 9 | |||
| domain-av = "Domain" BWS "=" BWS domain-value | domain-av = "Domain" BWS "=" BWS domain-value | |||
| domain-value = <subdomain> | domain-value = <subdomain> | |||
| ; defined in [RFC1034], Section 3.5, as | ; see details below | |||
| ; enhanced by [RFC1123], Section 2.1 | ||||
| path-av = "Path" BWS "=" BWS path-value | path-av = "Path" BWS "=" BWS path-value | |||
| path-value = *av-octet | path-value = *av-octet | |||
| secure-av = "Secure" | secure-av = "Secure" | |||
| httponly-av = "HttpOnly" | httponly-av = "HttpOnly" | |||
| samesite-av = "SameSite" BWS "=" BWS samesite-value | samesite-av = "SameSite" BWS "=" BWS samesite-value | |||
| samesite-value = "Strict" / "Lax" / "None" | samesite-value = "Strict" / "Lax" / "None" | |||
| extension-av = *av-octet | extension-av = *av-octet | |||
| av-octet = %x20-3A / %x3C-7E | av-octet = %x20-3A / %x3C-7E | |||
| ; any CHAR except CTLs or ";" | ; any CHAR except CTLs or ";" | |||
| Note that some of the grammatical terms above reference documents | Note that some of the grammatical terms above reference documents | |||
| that use different grammatical notations than this document (which | that use different grammatical notations than this document (which | |||
| uses ABNF from [RFC5234]). | uses ABNF from [RFC5234]). | |||
| The semantics of the cookie-value are not defined by this document. | The semantics of the cookie-value are not defined by this document. | |||
| To maximize compatibility with user agents, servers that wish to | To maximize compatibility with user agents, servers that wish to | |||
| store arbitrary data in a cookie-value SHOULD encode that data, for | store arbitrary data in a cookie-value SHOULD encode that data, for | |||
| example, using Base64 [RFC4648]. | example, using Base64 [RFC4648]. | |||
| The domain-value is a subdomain as defined by [RFC1034], Section 3.5, | ||||
| and as enhanced by [RFC1123], Section 2.1. | ||||
| Per the grammar above, the cookie-value MAY be wrapped in DQUOTE | Per the grammar above, the cookie-value MAY be wrapped in DQUOTE | |||
| characters. Note that in this case, the initial and trailing DQUOTE | characters. Note that in this case, the initial and trailing DQUOTE | |||
| characters are not stripped. They are part of the cookie-value, and | characters are not stripped. They are part of the cookie-value, and | |||
| will be included in Cookie header fields sent to the server. | will be included in Cookie header fields sent to the server. | |||
| The portions of the set-cookie-string produced by the cookie-av term | The portions of the set-cookie-string produced by the cookie-av term | |||
| are known as attributes. To maximize compatibility with user agents, | are known as attributes. To maximize compatibility with user agents, | |||
| servers SHOULD NOT produce two attributes with the same name in the | servers SHOULD NOT produce two attributes with the same name in the | |||
| same set-cookie-string. (See Section 5.5 for how user agents handle | same set-cookie-string. (See Section 5.5 for how user agents handle | |||
| this case.) | this case.) | |||
| skipping to change at page 12, line 19 ¶ | skipping to change at page 12, line 15 ¶ | |||
| attributes (but not the entire cookie). | attributes (but not the entire cookie). | |||
| 4.1.2.1. The Expires Attribute | 4.1.2.1. The Expires Attribute | |||
| The Expires attribute indicates the maximum lifetime of the cookie, | The Expires attribute indicates the maximum lifetime of the cookie, | |||
| represented as the date and time at which the cookie expires. The | represented as the date and time at which the cookie expires. The | |||
| user agent is not required to retain the cookie until the specified | user agent is not required to retain the cookie until the specified | |||
| date has passed. In fact, user agents often evict cookies due to | date has passed. In fact, user agents often evict cookies due to | |||
| memory pressure or privacy concerns. | memory pressure or privacy concerns. | |||
| The user agent MUST limit the maximum value of the Expires attribute. | ||||
| The limit MUST NOT be greater than 400 days (34560000 seconds) in the | ||||
| future. The RECOMMENDED limit is 400 days in the future, but the | ||||
| user agent MAY adjust the limit to be less (see Section 7.2). | ||||
| Expires attributes that are greater than the limit MUST be reduced to | ||||
| the limit. | ||||
| 4.1.2.2. The Max-Age Attribute | 4.1.2.2. The Max-Age Attribute | |||
| The Max-Age attribute indicates the maximum lifetime of the cookie, | The Max-Age attribute indicates the maximum lifetime of the cookie, | |||
| represented as the number of seconds until the cookie expires. The | represented as the number of seconds until the cookie expires. The | |||
| user agent is not required to retain the cookie for the specified | user agent is not required to retain the cookie for the specified | |||
| duration. In fact, user agents often evict cookies due to memory | duration. In fact, user agents often evict cookies due to memory | |||
| pressure or privacy concerns. | pressure or privacy concerns. | |||
| The user agent MUST limit the maximum value of the Max-Age attribute. | ||||
| The limit MUST NOT be greater than 400 days (34560000 seconds) in | ||||
| duration. The RECOMMENDED limit is 400 days in duration, but the | ||||
| user agent MAY adjust the limit to be less (see Section 7.2). Max- | ||||
| Age attributes that are greater than the limit MUST be reduced to the | ||||
| limit. | ||||
| NOTE: Some existing user agents do not support the Max-Age attribute. | NOTE: Some existing user agents do not support the Max-Age attribute. | |||
| User agents that do not support the Max-Age attribute ignore the | User agents that do not support the Max-Age attribute ignore the | |||
| attribute. | attribute. | |||
| If a cookie has both the Max-Age and the Expires attribute, the Max- | If a cookie has both the Max-Age and the Expires attribute, the Max- | |||
| Age attribute has precedence and controls the expiration date of the | Age attribute has precedence and controls the expiration date of the | |||
| cookie. If a cookie has neither the Max-Age nor the Expires | cookie. If a cookie has neither the Max-Age nor the Expires | |||
| attribute, the user agent will retain the cookie until "the current | attribute, the user agent will retain the cookie until "the current | |||
| session is over" (as defined by the user agent). | session is over" (as defined by the user agent). | |||
| skipping to change at page 17, line 24 ¶ | skipping to change at page 17, line 30 ¶ | |||
| flags defined as a part of the algorithm (i.e., found-time, found- | flags defined as a part of the algorithm (i.e., found-time, found- | |||
| day-of-month, found-month, found-year) are initially "not set". | day-of-month, found-month, found-year) are initially "not set". | |||
| 1. Using the grammar below, divide the cookie-date into date-tokens. | 1. Using the grammar below, divide the cookie-date into date-tokens. | |||
| cookie-date = *delimiter date-token-list *delimiter | cookie-date = *delimiter date-token-list *delimiter | |||
| date-token-list = date-token *( 1*delimiter date-token ) | date-token-list = date-token *( 1*delimiter date-token ) | |||
| date-token = 1*non-delimiter | date-token = 1*non-delimiter | |||
| delimiter = %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E | delimiter = %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E | |||
| non-delimiter = %x00-08 / %x0A-1F / DIGIT / ":" / ALPHA / %x7F-FF | non-delimiter = %x00-08 / %x0A-1F / DIGIT / ":" / ALPHA | |||
| / %x7F-FF | ||||
| non-digit = %x00-2F / %x3A-FF | non-digit = %x00-2F / %x3A-FF | |||
| day-of-month = 1*2DIGIT [ non-digit *OCTET ] | day-of-month = 1*2DIGIT [ non-digit *OCTET ] | |||
| month = ( "jan" / "feb" / "mar" / "apr" / | month = ( "jan" / "feb" / "mar" / "apr" / | |||
| "may" / "jun" / "jul" / "aug" / | "may" / "jun" / "jul" / "aug" / | |||
| "sep" / "oct" / "nov" / "dec" ) *OCTET | "sep" / "oct" / "nov" / "dec" ) *OCTET | |||
| year = 2*4DIGIT [ non-digit *OCTET ] | year = 2*4DIGIT [ non-digit *OCTET ] | |||
| time = hms-time [ non-digit *OCTET ] | time = hms-time [ non-digit *OCTET ] | |||
| hms-time = time-field ":" time-field ":" time-field | hms-time = time-field ":" time-field ":" time-field | |||
| time-field = 1*2DIGIT | time-field = 1*2DIGIT | |||
| skipping to change at page 26, line 16 ¶ | skipping to change at page 26, line 16 ¶ | |||
| If the attribute-name case-insensitively matches the string | If the attribute-name case-insensitively matches the string | |||
| "Expires", the user agent MUST process the cookie-av as follows. | "Expires", the user agent MUST process the cookie-av as follows. | |||
| 1. Let the expiry-time be the result of parsing the attribute-value | 1. Let the expiry-time be the result of parsing the attribute-value | |||
| as cookie-date (see Section 5.1.1). | as cookie-date (see Section 5.1.1). | |||
| 2. If the attribute-value failed to parse as a cookie date, ignore | 2. If the attribute-value failed to parse as a cookie date, ignore | |||
| the cookie-av. | the cookie-av. | |||
| 3. If the expiry-time is later than the last date the user agent can | 3. Let cookie-age-limit be the maximum age of the cookie (which must | |||
| represent, the user agent MAY replace the expiry-time with the | be 400 days in the future or sooner, see Section 4.1.2.1). | |||
| last representable date. | ||||
| 4. If the expiry-time is earlier than the earliest date the user | 4. If the expiry-time is more than cookie-age-limit, the user agent | |||
| MUST set the expiry time to cookie-age-limit in seconds. | ||||
| 5. If the expiry-time is earlier than the earliest date the user | ||||
| agent can represent, the user agent MAY replace the expiry-time | agent can represent, the user agent MAY replace the expiry-time | |||
| with the earliest representable date. | with the earliest representable date. | |||
| 5. Append an attribute to the cookie-attribute-list with an | 6. Append an attribute to the cookie-attribute-list with an | |||
| attribute-name of Expires and an attribute-value of expiry-time. | attribute-name of Expires and an attribute-value of expiry-time. | |||
| 5.4.2. The Max-Age Attribute | 5.4.2. The Max-Age Attribute | |||
| If the attribute-name case-insensitively matches the string "Max- | If the attribute-name case-insensitively matches the string "Max- | |||
| Age", the user agent MUST process the cookie-av as follows. | Age", the user agent MUST process the cookie-av as follows. | |||
| 1. If the first character of the attribute-value is not a DIGIT or a | 1. If the first character of the attribute-value is not a DIGIT or a | |||
| "-" character, ignore the cookie-av. | "-" character, ignore the cookie-av. | |||
| 2. If the remainder of attribute-value contains a non-DIGIT | 2. If the remainder of attribute-value contains a non-DIGIT | |||
| character, ignore the cookie-av. | character, ignore the cookie-av. | |||
| 3. Let delta-seconds be the attribute-value converted to an integer. | 3. Let delta-seconds be the attribute-value converted to an integer. | |||
| 4. If delta-seconds is less than or equal to zero (0), let expiry- | 4. Let cookie-age-limit be the maximum age of the cookie (which must | |||
| be 400 days or less, see Section 4.1.2.2). | ||||
| 5. Set delta-seconds to the smaller of its present value and cookie- | ||||
| age-limit. | ||||
| 6. If delta-seconds is less than or equal to zero (0), let expiry- | ||||
| time be the earliest representable date and time. Otherwise, let | time be the earliest representable date and time. Otherwise, let | |||
| the expiry-time be the current date and time plus delta-seconds | the expiry-time be the current date and time plus delta-seconds | |||
| seconds. | seconds. | |||
| 5. Append an attribute to the cookie-attribute-list with an | 7. Append an attribute to the cookie-attribute-list with an | |||
| attribute-name of Max-Age and an attribute-value of expiry-time. | attribute-name of Max-Age and an attribute-value of expiry-time. | |||
| 5.4.3. The Domain Attribute | 5.4.3. The Domain Attribute | |||
| If the attribute-name case-insensitively matches the string "Domain", | If the attribute-name case-insensitively matches the string "Domain", | |||
| the user agent MUST process the cookie-av as follows. | the user agent MUST process the cookie-av as follows. | |||
| 1. Let cookie-domain be the attribute-value. | 1. Let cookie-domain be the attribute-value. | |||
| 2. If cookie-domain starts with %x2E ("."), let cookie-domain be | 2. If cookie-domain starts with %x2E ("."), let cookie-domain be | |||
| skipping to change at page 29, line 35 ¶ | skipping to change at page 29, line 39 ¶ | |||
| recently. Deployment experience has shown a cookie age of 2 minutes | recently. Deployment experience has shown a cookie age of 2 minutes | |||
| or less to be a reasonable limit. | or less to be a reasonable limit. | |||
| If the user agent uses "Lax-allowing-unsafe" enforcement, it MUST | If the user agent uses "Lax-allowing-unsafe" enforcement, it MUST | |||
| apply the following modification to the retrieval algorithm defined | apply the following modification to the retrieval algorithm defined | |||
| in Section 5.6.3: | in Section 5.6.3: | |||
| Replace the condition in the penultimate bullet point of step 1 of | Replace the condition in the penultimate bullet point of step 1 of | |||
| the retrieval algorithm reading | the retrieval algorithm reading | |||
| * The HTTP request associated with the retrieval uses a "safe" method. | * The HTTP request associated with the retrieval uses a "safe" | |||
| method. | ||||
| with | with | |||
| * At least one of the following is true: | * At least one of the following is true: | |||
| 1. The HTTP request associated with the retrieval uses a "safe" method. | 1. The HTTP request associated with the retrieval uses a "safe" | |||
| method. | ||||
| 2. The cookie's same-site-flag is "Default" and the amount of time | 2. The cookie's same-site-flag is "Default" and the amount of | |||
| elapsed since the cookie's creation-time is at most a duration of the | time elapsed since the cookie's creation-time is at most a | |||
| user agent's choosing. | duration of the user agent's choosing. | |||
| 5.5. Storage Model | 5.5. Storage Model | |||
| The user agent stores the following fields about each cookie: name, | The user agent stores the following fields about each cookie: name, | |||
| value, expiry-time, domain, path, creation-time, last-access-time, | value, expiry-time, domain, path, creation-time, last-access-time, | |||
| persistent-flag, host-only-flag, secure-only-flag, http-only-flag, | persistent-flag, host-only-flag, secure-only-flag, http-only-flag, | |||
| and same-site-flag. | and same-site-flag. | |||
| When the user agent "receives a cookie" from a request-uri with name | When the user agent "receives a cookie" from a request-uri with name | |||
| cookie-name, value cookie-value, and attributes cookie-attribute- | cookie-name, value cookie-value, and attributes cookie-attribute- | |||
| skipping to change at page 40, line 21 ¶ | skipping to change at page 40, line 31 ¶ | |||
| injecting identifying information into dynamic URLs. | injecting identifying information into dynamic URLs. | |||
| 7.2. Cookie policy | 7.2. Cookie policy | |||
| User agents MAY enforce a cookie policy consisting of restrictions on | User agents MAY enforce a cookie policy consisting of restrictions on | |||
| how cookies may be used or ignored (see Section 5.3). | how cookies may be used or ignored (see Section 5.3). | |||
| A cookie policy may govern which domains or parties, as in first and | A cookie policy may govern which domains or parties, as in first and | |||
| third parties (see Section 7.1), for which the user agent will allow | third parties (see Section 7.1), for which the user agent will allow | |||
| cookie access. The policy can also define limits on cookie size, | cookie access. The policy can also define limits on cookie size, | |||
| cookie expiry, and the number of cookies per domain or in total. | cookie expiry (see Section 4.1.2.1 and Section 4.1.2.2), and the | |||
| number of cookies per domain or in total. | ||||
| The goal of a restrictive cookie policy is often to improve security | The goal of a restrictive cookie policy is often to improve security | |||
| or privacy. User agents often allow users to change the cookie | or privacy. User agents often allow users to change the cookie | |||
| policy (see Section 7.3). | policy (see Section 7.3). | |||
| 7.3. User Controls | 7.3. User Controls | |||
| User agents SHOULD provide users with a mechanism for managing the | User agents SHOULD provide users with a mechanism for managing the | |||
| cookies stored in the cookie store. For example, a user agent might | cookies stored in the cookie store. For example, a user agent might | |||
| let users delete all cookies received during a specified time period | let users delete all cookies received during a specified time period | |||
| skipping to change at page 48, line 40 ¶ | skipping to change at page 49, line 4 ¶ | |||
| The permanent message header field registry (see [RFC3864]) needs to | The permanent message header field registry (see [RFC3864]) needs to | |||
| be updated with the following registration: | be updated with the following registration: | |||
| Header field name: Set-Cookie | Header field name: Set-Cookie | |||
| Applicable protocol: http | Applicable protocol: http | |||
| Status: standard | Status: standard | |||
| Author/Change controller: IETF | Author/Change controller: IETF | |||
| Specification document: this specification (Section 5.4) | Specification document: this specification (Section 5.4) | |||
| 9.3. Cookie Attribute Registry | 9.3. Cookie Attribute Registry | |||
| IANA is requested to create the "Cookie Attribute Registry", defining | IANA is requested to create the "Cookie Attribute Registry", defining | |||
| the name space of attribute used to control cookies' behavior. The | the name space of attribute used to control cookies' behavior. The | |||
| registry should be maintained at https://www.iana.org/assignments/ | registry should be maintained at https://www.iana.org/assignments/ | |||
| cookie-attribute-names [4]. | cookie-attribute-names [1]. | |||
| 9.3.1. Procedure | 9.3.1. Procedure | |||
| Each registered attribute name is associated with a description, and | Each registered attribute name is associated with a description, and | |||
| a reference detailing how the attribute is to be processed and | a reference detailing how the attribute is to be processed and | |||
| stored. | stored. | |||
| New registrations happen on a "RFC Required" basis (see Section 4.7 | New registrations happen on a "RFC Required" basis (see Section 4.7 | |||
| of [RFC8126]). The attribute to be registered MUST match the | of [RFC8126]). The attribute to be registered MUST match the | |||
| "extension-av" syntax defined in Section 4.1.1. Note that attribute | "extension-av" syntax defined in Section 4.1.1. Note that attribute | |||
| skipping to change at page 53, line 7 ¶ | skipping to change at page 53, line 15 ¶ | |||
| [RFC7034] Ross, D. and T. Gondrom, "HTTP Header Field X-Frame- | [RFC7034] Ross, D. and T. Gondrom, "HTTP Header Field X-Frame- | |||
| Options", RFC 7034, DOI 10.17487/RFC7034, October 2013, | Options", RFC 7034, DOI 10.17487/RFC7034, October 2013, | |||
| <https://www.rfc-editor.org/info/rfc7034>. | <https://www.rfc-editor.org/info/rfc7034>. | |||
| [UTS46] Davis, M. and M. Suignard, "Unicode IDNA Compatibility | [UTS46] Davis, M. and M. Suignard, "Unicode IDNA Compatibility | |||
| Processing", UNICODE Unicode Technical Standards # 46, | Processing", UNICODE Unicode Technical Standards # 46, | |||
| June 2016, <http://unicode.org/reports/tr46/>. | June 2016, <http://unicode.org/reports/tr46/>. | |||
| 10.3. URIs | 10.3. URIs | |||
| [1] https://lists.w3.org/Archives/Public/ietf-http-wg/ | [1] https://www.iana.org/assignments/cookie-attribute-names | |||
| [2] http://httpwg.github.io/ | ||||
| [3] https://github.com/httpwg/http-extensions/labels/6265bis | ||||
| [4] https://www.iana.org/assignments/cookie-attribute-names | [2] https://github.com/httpwg/http-extensions/issues/243 | |||
| [5] https://github.com/httpwg/http-extensions/issues/243 | [3] https://github.com/httpwg/http-extensions/issues/246 | |||
| [6] https://github.com/httpwg/http-extensions/issues/246 | [4] https://www.rfc-editor.org/errata_search.php?rfc=6265 | |||
| [7] https://www.rfc-editor.org/errata_search.php?rfc=6265 | [5] https://github.com/httpwg/http-extensions/issues/247 | |||
| [8] https://github.com/httpwg/http-extensions/issues/247 | [6] https://github.com/httpwg/http-extensions/issues/201 | |||
| [9] https://github.com/httpwg/http-extensions/issues/201 | [7] https://github.com/httpwg/http-extensions/issues/204 | |||
| [10] https://github.com/httpwg/http-extensions/issues/204 | [8] https://github.com/httpwg/http-extensions/issues/222 | |||
| [11] https://github.com/httpwg/http-extensions/issues/222 | [9] https://github.com/httpwg/http-extensions/issues/248 | |||
| [12] https://github.com/httpwg/http-extensions/issues/248 | [10] https://github.com/httpwg/http-extensions/issues/295 | |||
| [13] https://github.com/httpwg/http-extensions/issues/295 | [11] https://github.com/httpwg/http-extensions/issues/302 | |||
| [14] https://github.com/httpwg/http-extensions/issues/302 | [12] https://github.com/httpwg/http-extensions/issues/389 | |||
| [15] https://github.com/httpwg/http-extensions/issues/389 | [13] https://github.com/httpwg/http-extensions/issues/199 | |||
| [16] https://github.com/httpwg/http-extensions/issues/199 | [14] https://github.com/httpwg/http-extensions/issues/788 | |||
| [17] https://github.com/httpwg/http-extensions/issues/788 | [15] https://github.com/httpwg/http-extensions/issues/594 | |||
| [18] https://github.com/httpwg/http-extensions/issues/594 | [16] https://github.com/httpwg/http-extensions/issues/159 | |||
| [19] https://github.com/httpwg/http-extensions/issues/159 | [17] https://github.com/httpwg/http-extensions/issues/159 | |||
| [20] https://github.com/httpwg/http-extensions/issues/159 | [18] https://github.com/httpwg/http-extensions/issues/901 | |||
| [21] https://github.com/httpwg/http-extensions/issues/901 | [19] https://github.com/httpwg/http-extensions/pull/1035 | |||
| [22] https://github.com/httpwg/http-extensions/pull/1035 | [20] https://github.com/httpwg/http-extensions/pull/1038 | |||
| [23] https://github.com/httpwg/http-extensions/pull/1038 | [21] https://github.com/httpwg/http-extensions/pull/1040 | |||
| [24] https://github.com/httpwg/http-extensions/pull/1040 | [22] https://github.com/httpwg/http-extensions/pull/1047 | |||
| [25] https://github.com/httpwg/http-extensions/pull/1047 | [23] https://github.com/httpwg/http-extensions/issues/1059 | |||
| [26] https://github.com/httpwg/http-extensions/issues/1059 | [24] https://github.com/httpwg/http-extensions/issues/1158 | |||
| [27] https://github.com/httpwg/http-extensions/issues/1158 | [25] https://github.com/httpwg/http-extensions/pull/1060 | |||
| [28] https://github.com/httpwg/http-extensions/pull/1060 | [26] https://github.com/httpwg/http-extensions/issues/1074 | |||
| [29] https://github.com/httpwg/http-extensions/issues/1074 | [27] https://github.com/httpwg/http-extensions/issues/1119 | |||
| [30] https://github.com/httpwg/http-extensions/issues/1119 | [28] https://github.com/httpwg/http-extensions/pull/1143 | |||
| [31] https://github.com/httpwg/http-extensions/pull/1143 | [29] https://github.com/httpwg/http-extensions/issues/1159 | |||
| [32] https://github.com/httpwg/http-extensions/issues/1159 | [30] https://github.com/httpwg/http-extensions/issues/1234 | |||
| [33] https://github.com/httpwg/http-extensions/issues/1234 | [31] https://github.com/httpwg/http-extensions/pull/1325 | |||
| [34] https://github.com/httpwg/http-extensions/pull/1325 | [32] https://github.com/httpwg/http-extensions/pull/1323 | |||
| [35] https://github.com/httpwg/http-extensions/pull/1323 | [33] https://github.com/httpwg/http-extensions/pull/1324 | |||
| [36] https://github.com/httpwg/http-extensions/pull/1324 | [34] https://github.com/httpwg/http-extensions/pull/1384 | |||
| [37] https://github.com/httpwg/http-extensions/pull/1384 | [35] https://github.com/httpwg/http-extensions/pull/1348 | |||
| [38] https://github.com/httpwg/http-extensions/pull/1348 | [36] https://github.com/httpwg/http-extensions/pull/1416 | |||
| [39] https://github.com/httpwg/http-extensions/pull/1416 | [37] https://github.com/httpwg/http-extensions/pull/1420 | |||
| [40] https://github.com/httpwg/http-extensions/pull/1420 | [38] https://github.com/httpwg/http-extensions/pull/1428 | |||
| [41] https://github.com/httpwg/http-extensions/pull/1428 | [39] https://github.com/httpwg/http-extensions/pull/1435 | |||
| [42] https://github.com/httpwg/http-extensions/pull/1435 | [40] https://github.com/httpwg/http-extensions/pull/1527 | |||
| [43] https://github.com/httpwg/http-extensions/pull/1527 | [41] https://github.com/httpwg/http-extensions/pull/1563 | |||
| [44] https://github.com/httpwg/http-extensions/pull/1563 | [42] https://github.com/httpwg/http-extensions/pull/1576 | |||
| [45] https://github.com/httpwg/http-extensions/pull/1576 | [43] https://github.com/httpwg/http-extensions/pull/1589 | |||
| [46] https://github.com/httpwg/http-extensions/pull/1589 | [44] https://github.com/httpwg/http-extensions/pull/1709 | |||
| [47] https://github.com/httpwg/http-extensions/pull/1709 | [45] https://github.com/httpwg/http-extensions/pull/1732 | |||
| Appendix A. Changes | Appendix A. Changes | |||
| A.1. draft-ietf-httpbis-rfc6265bis-00 | A.1. draft-ietf-httpbis-rfc6265bis-00 | |||
| o Port [RFC6265] to Markdown. No (intentional) normative changes. | o Port [RFC6265] to Markdown. No (intentional) normative changes. | |||
| A.2. draft-ietf-httpbis-rfc6265bis-01 | A.2. draft-ietf-httpbis-rfc6265bis-01 | |||
| o Fixes to formatting caused by mistakes in the initial port to | o Fixes to formatting caused by mistakes in the initial port to | |||
| Markdown: | Markdown: | |||
| * https://github.com/httpwg/http-extensions/issues/243 [5] | * https://github.com/httpwg/http-extensions/issues/243 [2] | |||
| * https://github.com/httpwg/http-extensions/issues/246 [6] | * https://github.com/httpwg/http-extensions/issues/246 [3] | |||
| o Addresses errata 3444 by updating the "path-value" and "extension- | o Addresses errata 3444 by updating the "path-value" and "extension- | |||
| av" grammar, errata 4148 by updating the "day-of-month", "year", | av" grammar, errata 4148 by updating the "day-of-month", "year", | |||
| and "time" grammar, and errata 3663 by adding the requested note. | and "time" grammar, and errata 3663 by adding the requested note. | |||
| https://www.rfc-editor.org/errata_search.php?rfc=6265 [7] | https://www.rfc-editor.org/errata_search.php?rfc=6265 [4] | |||
| o Dropped "Cookie2" and "Set-Cookie2" from the IANA Considerations | o Dropped "Cookie2" and "Set-Cookie2" from the IANA Considerations | |||
| section: https://github.com/httpwg/http-extensions/issues/247 [8] | section: https://github.com/httpwg/http-extensions/issues/247 [5] | |||
| o Merged the recommendations from [I-D.ietf-httpbis-cookie-alone], | o Merged the recommendations from [I-D.ietf-httpbis-cookie-alone], | |||
| removing the ability for a non-secure origin to set cookies with a | removing the ability for a non-secure origin to set cookies with a | |||
| 'secure' flag, and to overwrite cookies whose 'secure' flag is | 'secure' flag, and to overwrite cookies whose 'secure' flag is | |||
| true. | true. | |||
| o Merged the recommendations from | o Merged the recommendations from | |||
| [I-D.ietf-httpbis-cookie-prefixes], adding "__Secure-" and | [I-D.ietf-httpbis-cookie-prefixes], adding "__Secure-" and | |||
| "__Host-" cookie name prefix processing instructions. | "__Host-" cookie name prefix processing instructions. | |||
| A.3. draft-ietf-httpbis-rfc6265bis-02 | A.3. draft-ietf-httpbis-rfc6265bis-02 | |||
| o Merged the recommendations from | o Merged the recommendations from | |||
| [I-D.ietf-httpbis-cookie-same-site], adding support for the | [I-D.ietf-httpbis-cookie-same-site], adding support for the | |||
| "SameSite" attribute. | "SameSite" attribute. | |||
| o Closed a number of editorial bugs: | o Closed a number of editorial bugs: | |||
| * Clarified address bar behavior for SameSite cookies: | * Clarified address bar behavior for SameSite cookies: | |||
| https://github.com/httpwg/http-extensions/issues/201 [9] | https://github.com/httpwg/http-extensions/issues/201 [6] | |||
| * Added the word "Cookies" to the document's name: | * Added the word "Cookies" to the document's name: | |||
| https://github.com/httpwg/http-extensions/issues/204 [10] | https://github.com/httpwg/http-extensions/issues/204 [7] | |||
| * Clarified that the "__Host-" prefix requires an explicit "Path" | * Clarified that the "__Host-" prefix requires an explicit "Path" | |||
| attribute: https://github.com/httpwg/http-extensions/issues/222 | attribute: https://github.com/httpwg/http-extensions/issues/222 | |||
| [11] | [8] | |||
| * Expanded the options for dealing with third-party cookies to | * Expanded the options for dealing with third-party cookies to | |||
| include a brief mention of partitioning based on first-party: | include a brief mention of partitioning based on first-party: | |||
| https://github.com/httpwg/http-extensions/issues/248 [12] | https://github.com/httpwg/http-extensions/issues/248 [9] | |||
| * Noted that double-quotes in cookie values are part of the | * Noted that double-quotes in cookie values are part of the | |||
| value, and are not stripped: https://github.com/httpwg/http- | value, and are not stripped: https://github.com/httpwg/http- | |||
| extensions/issues/295 [13] | extensions/issues/295 [10] | |||
| * Fixed the "site for cookies" algorithm to return something that | * Fixed the "site for cookies" algorithm to return something that | |||
| makes sense: https://github.com/httpwg/http-extensions/ | makes sense: https://github.com/httpwg/http-extensions/ | |||
| issues/302 [14] | issues/302 [11] | |||
| A.4. draft-ietf-httpbis-rfc6265bis-03 | A.4. draft-ietf-httpbis-rfc6265bis-03 | |||
| o Clarified handling of invalid SameSite values: | o Clarified handling of invalid SameSite values: | |||
| https://github.com/httpwg/http-extensions/issues/389 [15] | https://github.com/httpwg/http-extensions/issues/389 [12] | |||
| o Reflect widespread implementation practice of including a cookie's | o Reflect widespread implementation practice of including a cookie's | |||
| "host-only-flag" when calculating its uniqueness: | "host-only-flag" when calculating its uniqueness: | |||
| https://github.com/httpwg/http-extensions/issues/199 [16] | https://github.com/httpwg/http-extensions/issues/199 [13] | |||
| o Introduced an explicit "None" value for the SameSite attribute: | o Introduced an explicit "None" value for the SameSite attribute: | |||
| https://github.com/httpwg/http-extensions/issues/788 [17] | https://github.com/httpwg/http-extensions/issues/788 [14] | |||
| A.5. draft-ietf-httpbis-rfc6265bis-04 | A.5. draft-ietf-httpbis-rfc6265bis-04 | |||
| o Allow "SameSite" cookies to be set for all top-level navigations. | o Allow "SameSite" cookies to be set for all top-level navigations. | |||
| https://github.com/httpwg/http-extensions/issues/594 [18] | https://github.com/httpwg/http-extensions/issues/594 [15] | |||
| o Treat "Set-Cookie: token" as creating the cookie "("", "token")": | o Treat "Set-Cookie: token" as creating the cookie "("", "token")": | |||
| https://github.com/httpwg/http-extensions/issues/159 [19] | https://github.com/httpwg/http-extensions/issues/159 [16] | |||
| o Reject cookies with neither name nor value (e.g. "Set-Cookie: =" | o Reject cookies with neither name nor value (e.g. "Set-Cookie: =" | |||
| and "Set-Cookie:": https://github.com/httpwg/http-extensions/ | and "Set-Cookie:": https://github.com/httpwg/http-extensions/ | |||
| issues/159 [20] | issues/159 [17] | |||
| o Clarified behavior of multiple "SameSite" attributes in a cookie | o Clarified behavior of multiple "SameSite" attributes in a cookie | |||
| string: https://github.com/httpwg/http-extensions/issues/901 [21] | string: https://github.com/httpwg/http-extensions/issues/901 [18] | |||
| A.6. draft-ietf-httpbis-rfc6265bis-05 | A.6. draft-ietf-httpbis-rfc6265bis-05 | |||
| o Typos and editorial fixes: https://github.com/httpwg/http- | o Typos and editorial fixes: https://github.com/httpwg/http- | |||
| extensions/pull/1035 [22], https://github.com/httpwg/http- | extensions/pull/1035 [19], https://github.com/httpwg/http- | |||
| extensions/pull/1038 [23], https://github.com/httpwg/http- | extensions/pull/1038 [20], https://github.com/httpwg/http- | |||
| extensions/pull/1040 [24], https://github.com/httpwg/http- | extensions/pull/1040 [21], https://github.com/httpwg/http- | |||
| extensions/pull/1047 [25]. | extensions/pull/1047 [22]. | |||
| A.7. draft-ietf-httpbis-rfc6265bis-06 | A.7. draft-ietf-httpbis-rfc6265bis-06 | |||
| o Editorial fixes: https://github.com/httpwg/http-extensions/ | o Editorial fixes: https://github.com/httpwg/http-extensions/ | |||
| issues/1059 [26], https://github.com/httpwg/http-extensions/ | issues/1059 [23], https://github.com/httpwg/http-extensions/ | |||
| issues/1158 [27]. | issues/1158 [24]. | |||
| o Created a registry for cookie attribute names: | o Created a registry for cookie attribute names: | |||
| https://github.com/httpwg/http-extensions/pull/1060 [28]. | https://github.com/httpwg/http-extensions/pull/1060 [25]. | |||
| o Tweaks to ABNF for "cookie-pair" and the "Cookie" header | o Tweaks to ABNF for "cookie-pair" and the "Cookie" header | |||
| production: https://github.com/httpwg/http-extensions/issues/1074 | production: https://github.com/httpwg/http-extensions/issues/1074 | |||
| [29], https://github.com/httpwg/http-extensions/issues/1119 [30]. | [26], https://github.com/httpwg/http-extensions/issues/1119 [27]. | |||
| o Fixed serialization for nameless/valueless cookies: | o Fixed serialization for nameless/valueless cookies: | |||
| https://github.com/httpwg/http-extensions/pull/1143 [31]. | https://github.com/httpwg/http-extensions/pull/1143 [28]. | |||
| o Converted a normative reference to Mozilla's Public Suffix List | o Converted a normative reference to Mozilla's Public Suffix List | |||
| [PSL] into an informative reference: https://github.com/httpwg/ | [PSL] into an informative reference: https://github.com/httpwg/ | |||
| http-extensions/issues/1159 [32]. | http-extensions/issues/1159 [29]. | |||
| A.8. draft-ietf-httpbis-rfc6265bis-07 | A.8. draft-ietf-httpbis-rfc6265bis-07 | |||
| o Moved instruction to ignore cookies with empty cookie-name and | o Moved instruction to ignore cookies with empty cookie-name and | |||
| cookie-value from Section 5.4 to Section 5.5 to ensure that they | cookie-value from Section 5.4 to Section 5.5 to ensure that they | |||
| apply to cookies created without parsing a cookie string: | apply to cookies created without parsing a cookie string: | |||
| https://github.com/httpwg/http-extensions/issues/1234 [33]. | https://github.com/httpwg/http-extensions/issues/1234 [30]. | |||
| o Add a default enforcement value to the "same-site-flag", | o Add a default enforcement value to the "same-site-flag", | |||
| equivalent to "SameSite=Lax": https://github.com/httpwg/http- | equivalent to "SameSite=Lax": https://github.com/httpwg/http- | |||
| extensions/pull/1325 [34]. | extensions/pull/1325 [31]. | |||
| o Require a Secure attribute for "SameSite=None": | o Require a Secure attribute for "SameSite=None": | |||
| https://github.com/httpwg/http-extensions/pull/1323 [35]. | https://github.com/httpwg/http-extensions/pull/1323 [32]. | |||
| o Consider scheme when running the same-site algorithm: | o Consider scheme when running the same-site algorithm: | |||
| https://github.com/httpwg/http-extensions/pull/1324 [36]. | https://github.com/httpwg/http-extensions/pull/1324 [33]. | |||
| A.9. draft-ietf-httpbis-rfc6265bis-08 | A.9. draft-ietf-httpbis-rfc6265bis-08 | |||
| o Define "same-site" for reload navigation requests, e.g. those | o Define "same-site" for reload navigation requests, e.g. those | |||
| triggered via user interface elements: https://github.com/httpwg/ | triggered via user interface elements: https://github.com/httpwg/ | |||
| http-extensions/pull/1384 [37] | http-extensions/pull/1384 [34] | |||
| o Consider redirects when defining same-site: | o Consider redirects when defining same-site: | |||
| https://github.com/httpwg/http-extensions/pull/1348 [38] | https://github.com/httpwg/http-extensions/pull/1348 [35] | |||
| o Align on using HTML terminology for origins: | o Align on using HTML terminology for origins: | |||
| https://github.com/httpwg/http-extensions/pull/1416 [39] | https://github.com/httpwg/http-extensions/pull/1416 [36] | |||
| o Modify cookie parsing and creation algorithms in Section 5.4 and | o Modify cookie parsing and creation algorithms in Section 5.4 and | |||
| Section 5.5 to explicitly handle control characters: | Section 5.5 to explicitly handle control characters: | |||
| https://github.com/httpwg/http-extensions/pull/1420 [40] | https://github.com/httpwg/http-extensions/pull/1420 [37] | |||
| o Refactor cookie retrieval algorithm to support non-HTTP APIs: | o Refactor cookie retrieval algorithm to support non-HTTP APIs: | |||
| https://github.com/httpwg/http-extensions/pull/1428 [41] | https://github.com/httpwg/http-extensions/pull/1428 [38] | |||
| o Define "Lax-allowing-unsafe" SameSite enforcement mode: | o Define "Lax-allowing-unsafe" SameSite enforcement mode: | |||
| https://github.com/httpwg/http-extensions/pull/1435 [42] | https://github.com/httpwg/http-extensions/pull/1435 [39] | |||
| o Consistently use "header field" (vs 'header"): | o Consistently use "header field" (vs 'header"): | |||
| https://github.com/httpwg/http-extensions/pull/1527 [43] | https://github.com/httpwg/http-extensions/pull/1527 [40] | |||
| A.10. draft-ietf-httpbis-rfc6265bis-09 | A.10. draft-ietf-httpbis-rfc6265bis-09 | |||
| o Update cookie size requirements: https://github.com/httpwg/http- | o Update cookie size requirements: https://github.com/httpwg/http- | |||
| extensions/pull/1563 [44] | extensions/pull/1563 [41] | |||
| o Reject cookies with control characters: https://github.com/httpwg/ | o Reject cookies with control characters: https://github.com/httpwg/ | |||
| http-extensions/pull/1576 [45] | http-extensions/pull/1576 [42] | |||
| o No longer treat horizontal tab as a control character: | o No longer treat horizontal tab as a control character: | |||
| https://github.com/httpwg/http-extensions/pull/1589 [46] | https://github.com/httpwg/http-extensions/pull/1589 [43] | |||
| o Specify empty domain attribute handling: | o Specify empty domain attribute handling: | |||
| https://github.com/httpwg/http-extensions/pull/1709 [47] | https://github.com/httpwg/http-extensions/pull/1709 [44] | |||
| A.11. draft-ietf-httpbis-rfc6265bis-10 | ||||
| o Standardize Max-Age/Expires upper bound: | ||||
| https://github.com/httpwg/http-extensions/pull/1732 [45] | ||||
| Acknowledgements | Acknowledgements | |||
| RFC 6265 was written by Adam Barth. This document is an update of | RFC 6265 was written by Adam Barth. This document is an update of | |||
| RFC 6265, adding features and aligning the specification with the | RFC 6265, adding features and aligning the specification with the | |||
| reality of today's deployments. Here, we're standing upon the | reality of today's deployments. Here, we're standing upon the | |||
| shoulders of a giant since the majority of the text is still Adam's. | shoulders of a giant since the majority of the text is still Adam's. | |||
| Authors' Addresses | Authors' Addresses | |||
| End of changes. 116 change blocks. | ||||
| 139 lines changed or deleted | 156 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||