Diff: draft-ietf-httpbis-rfc6265bis-09.txt vs. draft-ietf-httpbis-rfc6265bis-latest.txt

HTTP Working Group                                           L. Chen, Ed.
Internet-Draft                                                 Google LLC
Obsoletes: 6265 (if approved)                         S. Englehardt, Ed.
Intended status: Standards Track                                  Mozilla
Expires: April 22, 2022 (-09) / July 18, 2022 (latest)       M. West, Ed.
                                                               Google LLC
                                                         J. Wilander, Ed.
                                                               Apple, Inc
                        October 19, 2021 (-09) / January 14, 2022 (latest)

               Cookies: HTTP State Management Mechanism
   draft-ietf-httpbis-rfc6265bis-09 / draft-ietf-httpbis-rfc6265bis-latest
Abstract

   This document defines the HTTP Cookie and Set-Cookie header fields.
   These header fields can be used by HTTP servers to store state
   (called cookies) at HTTP user agents, letting the servers maintain a
   stateful session over the mostly stateless HTTP protocol.  Although
   cookies have many historical infelicities that degrade their security
   and privacy, the Cookie and Set-Cookie header fields are widely used
   on the Internet.  This document obsoletes RFC 6265.
Note to Readers
Discussion of this draft takes place on the HTTP working group
mailing list (ietf-http-wg@w3.org), which is archived at
https://lists.w3.org/Archives/Public/ietf-http-wg/ [1].
Working Group information can be found at http://httpwg.github.io/
[2]; source code and issues list for this draft can be found at
https://github.com/httpwg/http-extensions/labels/6265bis [3].
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 22, 2022 (-09) / July 18,
   2022 (latest).
Copyright Notice

   Copyright (c) 2021 (-09) / 2022 (latest) IETF Trust and the persons
   identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as

   [skipping to change at page 2, line 41 (-09) / page 2, line 32 (latest)]

   than English.
Table of Contents

   1.  Introduction
   2.  Conventions
     2.1.  Conformance Criteria
     2.2.  Syntax Notation
     2.3.  Terminology
   3.  Overview
     3.1.  Examples
   4.  Server Requirements
     4.1.  Set-Cookie
       4.1.1.  Syntax
       4.1.2.  Semantics (Non-Normative)
       4.1.3.  Cookie Name Prefixes
     4.2.  Cookie
       4.2.1.  Syntax
       4.2.2.  Semantics
   5.  User Agent Requirements
     5.1.  Subcomponent Algorithms

   [skipping to change at page 3, line 15 (-09) / page 3, line 6 (latest)]

       5.1.2.  Canonicalized Host Names
       5.1.3.  Domain Matching
       5.1.4.  Paths and Path-Match
     5.2.  "Same-site" and "cross-site" Requests
       5.2.1.  Document-based requests
       5.2.2.  Worker-based requests
     5.3.  Ignoring Set-Cookie Header Fields
     5.4.  The Set-Cookie Header Field
       5.4.1.  The Expires Attribute
       5.4.2.  The Max-Age Attribute
       5.4.3.  The Domain Attribute
       5.4.4.  The Path Attribute
       5.4.5.  The Secure Attribute
       5.4.6.  The HttpOnly Attribute
       5.4.7.  The SameSite Attribute
     5.5.  Storage Model
     5.6.  Retrieval Model
       5.6.1.  The Cookie Header Field
       5.6.2.  Non-HTTP APIs
       5.6.3.  Retrieval Algorithm
   6.  Implementation Considerations
     6.1.  Limits
     6.2.  Application Programming Interfaces
     6.3.  IDNA Dependency and Migration
   7.  Privacy Considerations
     7.1.  Third-Party Cookies
     7.2.  Cookie policy
     7.3.  User Controls
     7.4.  Expiration Dates

   [skipping to change at page 3, line 47 (-09) / page 3, line 38 (latest)]

     8.3.  Clear Text
     8.4.  Session Identifiers
     8.5.  Weak Confidentiality
     8.6.  Weak Integrity
     8.7.  Reliance on DNS
     8.8.  SameSite Cookies
       8.8.1.  Defense in depth
       8.8.2.  Top-level Navigations
       8.8.3.  Mashups and Widgets
       8.8.4.  Server-controlled
       8.8.5.  Reload navigations
       8.8.6.  Top-level requests with "unsafe" methods
   9.  IANA Considerations
     9.1.  Cookie
     9.2.  Set-Cookie
     9.3.  Cookie Attribute Registry
       9.3.1.  Procedure
       9.3.2.  Registration
   10. References
     10.1.  Normative References
     10.2.  Informative References
     10.3.  URIs
   Appendix A.  Changes
     A.1.  draft-ietf-httpbis-rfc6265bis-00
     A.2.  draft-ietf-httpbis-rfc6265bis-01
     A.3.  draft-ietf-httpbis-rfc6265bis-02
     A.4.  draft-ietf-httpbis-rfc6265bis-03
     A.5.  draft-ietf-httpbis-rfc6265bis-04
     A.6.  draft-ietf-httpbis-rfc6265bis-05
     A.7.  draft-ietf-httpbis-rfc6265bis-06
     A.8.  draft-ietf-httpbis-rfc6265bis-07
     A.9.  draft-ietf-httpbis-rfc6265bis-08
     A.10. draft-ietf-httpbis-rfc6265bis-09
     A.11. draft-ietf-httpbis-rfc6265bis-10  (latest only)
   Acknowledgements
   Authors' Addresses
1.  Introduction

   This document defines the HTTP Cookie and Set-Cookie header fields.
   Using the Set-Cookie header field, an HTTP server can pass name/value
   pairs and associated metadata (called cookies) to a user agent.  When
   the user agent makes subsequent requests to the server, the user
   agent uses the metadata and other information to determine whether to
   return the name/value pairs in the Cookie header field.

   [skipping to change at page 10, line 23 (both versions)]
                         ; whitespace DQUOTE, comma, semicolon,
                         ; and backslash
   cookie-av         = expires-av / max-age-av / domain-av /
                       path-av / secure-av / httponly-av /
                       samesite-av / extension-av
   expires-av        = "Expires" BWS "=" BWS sane-cookie-date
   sane-cookie-date  =
       <IMF-fixdate, defined in [HTTPSEM], Section 5.6.7>
   max-age-av        = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT
                         ; In practice, both expires-av and max-age-av
                         ; are limited to dates representable by the
                         ; user agent.
   non-zero-digit    = %x31-39
                         ; digits 1 through 9
   domain-av         = "Domain" BWS "=" BWS domain-value
   domain-value      = <subdomain>
                         ; see details below
                         ; (-09 comment: defined in [RFC1034], Section
                         ;  3.5, as enhanced by [RFC1123], Section 2.1)
   path-av           = "Path" BWS "=" BWS path-value
   path-value        = *av-octet
   secure-av         = "Secure"
   httponly-av       = "HttpOnly"
   samesite-av       = "SameSite" BWS "=" BWS samesite-value
   samesite-value    = "Strict" / "Lax" / "None"
   extension-av      = *av-octet
   av-octet          = %x20-3A / %x3C-7E
                         ; any CHAR except CTLs or ";"

   Note that some of the grammatical terms above reference documents
   that use different grammatical notations than this document (which
   uses ABNF from [RFC5234]).
   The semantics of the cookie-value are not defined by this document.
   To maximize compatibility with user agents, servers that wish to
   store arbitrary data in a cookie-value SHOULD encode that data, for
   example, using Base64 [RFC4648].

   [latest] The domain-value is a subdomain as defined by [RFC1034],
   Section 3.5, and as enhanced by [RFC1123], Section 2.1.

   Per the grammar above, the cookie-value MAY be wrapped in DQUOTE
   characters.  Note that in this case, the initial and trailing DQUOTE
   characters are not stripped.  They are part of the cookie-value, and
   will be included in Cookie header fields sent to the server.

   The portions of the set-cookie-string produced by the cookie-av term
   are known as attributes.  To maximize compatibility with user agents,
   servers SHOULD NOT produce two attributes with the same name in the
   same set-cookie-string.  (See Section 5.5 for how user agents handle
   this case.)

   [skipping to change at page 12, line 19 (-09) / page 12, line 15 (latest)]

   attributes (but not the entire cookie).
4.1.2.1.  The Expires Attribute

   The Expires attribute indicates the maximum lifetime of the cookie,
   represented as the date and time at which the cookie expires.  The
   user agent is not required to retain the cookie until the specified
   date has passed.  In fact, user agents often evict cookies due to
   memory pressure or privacy concerns.

   [latest] The user agent MUST limit the maximum value of the Expires
   attribute.  The limit MUST NOT be greater than 400 days (34560000
   seconds) in the future.  The RECOMMENDED limit is 400 days in the
   future, but the user agent MAY adjust the limit to be less (see
   Section 7.2).  Expires attributes that are greater than the limit
   MUST be reduced to the limit.

4.1.2.2.  The Max-Age Attribute

   The Max-Age attribute indicates the maximum lifetime of the cookie,
   represented as the number of seconds until the cookie expires.  The
   user agent is not required to retain the cookie for the specified
   duration.  In fact, user agents often evict cookies due to memory
   pressure or privacy concerns.

   [latest] The user agent MUST limit the maximum value of the Max-Age
   attribute.  The limit MUST NOT be greater than 400 days (34560000
   seconds) in duration.  The RECOMMENDED limit is 400 days in
   duration, but the user agent MAY adjust the limit to be less (see
   Section 7.2).  Max-Age attributes that are greater than the limit
   MUST be reduced to the limit.

   NOTE: Some existing user agents do not support the Max-Age attribute.
   User agents that do not support the Max-Age attribute ignore the
   attribute.

   If a cookie has both the Max-Age and the Expires attribute, the Max-
   Age attribute has precedence and controls the expiration date of the
   cookie.  If a cookie has neither the Max-Age nor the Expires
   attribute, the user agent will retain the cookie until "the current
   session is over" (as defined by the user agent).

   [skipping to change at page 17, line 24 (-09) / page 17, line 30 (latest)]
   flags defined as a part of the algorithm (i.e., found-time, found-
   day-of-month, found-month, found-year) are initially "not set".

   1.  Using the grammar below, divide the cookie-date into date-tokens.

   cookie-date     = *delimiter date-token-list *delimiter
   date-token-list = date-token *( 1*delimiter date-token )
   date-token      = 1*non-delimiter

   delimiter       = %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E
   non-delimiter   = %x00-08 / %x0A-1F / DIGIT / ":" / ALPHA
                     / %x7F-FF
   non-digit       = %x00-2F / %x3A-FF

   day-of-month    = 1*2DIGIT [ non-digit *OCTET ]
   month           = ( "jan" / "feb" / "mar" / "apr" /
                       "may" / "jun" / "jul" / "aug" /
                       "sep" / "oct" / "nov" / "dec" ) *OCTET
   year            = 2*4DIGIT [ non-digit *OCTET ]
   time            = hms-time [ non-digit *OCTET ]
   hms-time        = time-field ":" time-field ":" time-field
   time-field      = 1*2DIGIT
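   The page shows only step 1 of the cookie-date algorithm and the
   grammar it uses; the remaining steps are skipped.  The Python below
   is an added example, not code from the draft: it implements step 1
   from the grammar above, and steps 2 onward (classify each token in
   the fixed order time, day-of-month, month, year; expand two-digit
   years; reject out-of-range fields and years before 1601) as they are
   specified in RFC 6265 Section 5.1.1, which this draft keeps.  The
   regular expressions are a transcription of the productions shown;
   the test dates are constructed.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Step 1: split on the "delimiter" production
# (%x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E).  Everything else is a
# "non-delimiter", so any run of delimiters separates two date-tokens.
_DELIMITER = re.compile(r"[\x09\x20-\x2f\x3b-\x40\x5b-\x60\x7b-\x7e]+")

# Productions used to classify tokens.  Each may carry trailing junk
# after the first non-digit, exactly as "[ non-digit *OCTET ]" allows.
_TIME = re.compile(r"^([0-9]{1,2}):([0-9]{1,2}):([0-9]{1,2})(?:[^0-9].*)?$", re.S)
_DAY = re.compile(r"^([0-9]{1,2})(?:[^0-9].*)?$", re.S)
_YEAR = re.compile(r"^([0-9]{2,4})(?:[^0-9].*)?$", re.S)
_MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
           "jul", "aug", "sep", "oct", "nov", "dec")


def parse_cookie_date(cookie_date: str) -> Optional[datetime]:
    """Return a UTC datetime, or None where the algorithm says 'fail'."""
    tokens = [t for t in _DELIMITER.split(cookie_date) if t]

    found_time = found_day = found_month = found_year = None
    for token in tokens:
        # Step 2: try the productions in this fixed order, and only for
        # fields that are still "not set".  Order matters: "10:18:14"
        # would otherwise be taken as a day-of-month of 10.
        if found_time is None and (m := _TIME.match(token)):
            found_time = tuple(int(g) for g in m.groups())
        elif found_day is None and (m := _DAY.match(token)):
            found_day = int(m.group(1))
        elif found_month is None and token[:3].lower() in _MONTHS:
            found_month = _MONTHS.index(token[:3].lower()) + 1
        elif found_year is None and (m := _YEAR.match(token)):
            found_year = int(m.group(1))

    # Step 5: all four fields must have been found.
    if None in (found_time, found_day, found_month, found_year):
        return None

    # Steps 3 and 4: two-digit years map 70-99 to 19xx and 0-69 to 20xx.
    if 70 <= found_year <= 99:
        found_year += 1900
    elif 0 <= found_year <= 69:
        found_year += 2000

    # Step 5 (continued): range checks; years before 1601 fail.
    hour, minute, second = found_time
    if not 1 <= found_day <= 31 or found_year < 1601:
        return None
    if hour > 23 or minute > 59 or second > 59:
        return None

    # Steps 6 and 7: assemble the date; impossible days (Feb 30) fail.
    try:
        return datetime(found_year, found_month, found_day,
                        hour, minute, second, tzinfo=timezone.utc)
    except ValueError:
        return None


if __name__ == "__main__":
    for sample in ("Wed, 09 Jun 2021 10:18:14 GMT",   # IMF-fixdate
                   "09-Jun-21 10:18:14",              # old Netscape form
                   "Thu, 01 Jan 2021"):               # no time: fails
        print(repr(sample), "->", parse_cookie_date(sample))
```

   Note what the algorithm tolerates: the weekday is ignored, the
   order of day, month and year does not matter, and a two-digit year is
   accepted.  That leniency is why servers are told to emit only the
   IMF-fixdate form (sane-cookie-date), while user agents must still
   parse everything above.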
   [skipping to change at page 26, line 16 (both versions)]

   If the attribute-name case-insensitively matches the string
   "Expires", the user agent MUST process the cookie-av as follows.

   1.  Let the expiry-time be the result of parsing the attribute-value
       as cookie-date (see Section 5.1.1).

   2.  If the attribute-value failed to parse as a cookie date, ignore
       the cookie-av.

   3.  Let cookie-age-limit be the maximum age of the cookie (which must
       be 400 days in the future or sooner, see Section 4.1.2.1).

   4.  If the expiry-time is more than cookie-age-limit, the user agent
       MUST set the expiry time to cookie-age-limit in seconds.

       (-09 had a single step in place of steps 3 and 4: "If the
       expiry-time is later than the last date the user agent can
       represent, the user agent MAY replace the expiry-time with the
       last representable date.")

   5.  If the expiry-time is earlier than the earliest date the user
       agent can represent, the user agent MAY replace the expiry-time
       with the earliest representable date.

   6.  Append an attribute to the cookie-attribute-list with an
       attribute-name of Expires and an attribute-value of expiry-time.

5.4.2.  The Max-Age Attribute

   If the attribute-name case-insensitively matches the string "Max-
   Age", the user agent MUST process the cookie-av as follows.

   1.  If the first character of the attribute-value is not a DIGIT or a
       "-" character, ignore the cookie-av.

   2.  If the remainder of attribute-value contains a non-DIGIT
       character, ignore the cookie-av.

   3.  Let delta-seconds be the attribute-value converted to an integer.

   4.  Let cookie-age-limit be the maximum age of the cookie (which must
       be 400 days or less, see Section 4.1.2.2).

   5.  Set delta-seconds to the smaller of its present value and cookie-
       age-limit.

       (Steps 4 and 5 are new in the latest draft; -09 went directly
       from step 3 to the step below.)

   6.  If delta-seconds is less than or equal to zero (0), let expiry-
       time be the earliest representable date and time.  Otherwise, let
       the expiry-time be the current date and time plus delta-seconds
       seconds.

   7.  Append an attribute to the cookie-attribute-list with an
       attribute-name of Max-Age and an attribute-value of expiry-time.
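   As an added example (not code from the draft or from any browser),
   the Python below runs the two procedures above end to end for one
   Set-Cookie string, together with the Section 4.1.1 points about
   quoted values and duplicate attributes: it splits the
   set-cookie-string into name, value and attributes the way Section
   5.2 does (the first ";" ends the name/value pair, the first "="
   splits each piece, leading and trailing whitespace is trimmed,
   DQUOTEs are kept), applies the 5.4.1 and 5.4.2 steps with the
   400-day cookie-age-limit, and lets the last Max-Age win over any
   Expires.  Assumptions: `cookie_age_limit` is a parameter standing in
   for the user agent's configurable limit; the Expires value is parsed
   with the standard library's `email.utils.parsedate_to_datetime`,
   which accepts the IMF-fixdate form servers are told to send and is
   used here in place of the laxer Section 5.1.1 cookie-date parser;
   `EARLIEST_REPRESENTABLE` stands in for the user agent's earliest
   date; and `EXAMPLE_NOW` is a constructed clock.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

# Sections 4.1.2.1 and 4.1.2.2: the limit MUST NOT exceed 400 days
# (34560000 seconds); a user agent MAY configure something smaller.
MAX_COOKIE_AGE_LIMIT = timedelta(days=400)

# Stand-ins (assumptions) for "the earliest date the user agent can
# represent" and for the current clock used in the usage below.
EARLIEST_REPRESENTABLE = datetime(1601, 1, 1, tzinfo=timezone.utc)
EXAMPLE_NOW = datetime(2022, 1, 14, 0, 0, 0, tzinfo=timezone.utc)


def split_set_cookie(s: str) -> Optional[Tuple[str, str, List[Tuple[str, str]]]]:
    """Section 5.2: (name, value, [(attribute-name, attribute-value), ...]).

    Returns None when the whole cookie must be ignored (no "=" in the
    name/value pair, or an empty name).  DQUOTEs around the value stay.
    """
    name_value_pair, _, unparsed = s.partition(";")
    if "=" not in name_value_pair:
        return None
    name, _, value = name_value_pair.partition("=")
    name, value = name.strip(" \t"), value.strip(" \t")
    if not name:
        return None
    attributes = []
    for cookie_av in unparsed.split(";"):
        attr_name, _, attr_value = cookie_av.partition("=")
        attr_name, attr_value = attr_name.strip(" \t"), attr_value.strip(" \t")
        if attr_name:
            attributes.append((attr_name, attr_value))
    return name, value, attributes


def process_expires(attribute_value: str, now: datetime,
                    cookie_age_limit: timedelta = MAX_COOKIE_AGE_LIMIT) -> Optional[datetime]:
    """Section 5.4.1: parse, cap at cookie-age-limit, floor at the earliest date."""
    try:  # assumption: IMF-fixdate parser in place of the 5.1.1 algorithm
        expiry_time = parsedate_to_datetime(attribute_value)
    except (TypeError, ValueError, OverflowError, IndexError):
        return None                                   # step 2: ignore
    if expiry_time.tzinfo is None:                    # "-0000" yields naive
        expiry_time = expiry_time.replace(tzinfo=timezone.utc)
    cap = now + min(cookie_age_limit, MAX_COOKIE_AGE_LIMIT)   # steps 3 and 4
    if expiry_time > cap:
        expiry_time = cap
    if expiry_time < EARLIEST_REPRESENTABLE:                  # step 5
        expiry_time = EARLIEST_REPRESENTABLE
    return expiry_time


def process_max_age(attribute_value: str, now: datetime,
                    cookie_age_limit: timedelta = MAX_COOKIE_AGE_LIMIT) -> Optional[datetime]:
    """Section 5.4.2: integer seconds, capped at cookie-age-limit."""
    if not attribute_value or attribute_value[0] not in "-0123456789":
        return None                                   # step 1
    if any(c not in "0123456789" for c in attribute_value[1:]):
        return None                                   # step 2
    try:
        delta_seconds = int(attribute_value)          # step 3
    except ValueError:
        return None  # a lone "-" passes steps 1 and 2 but is no integer
    limit_seconds = int(min(cookie_age_limit, MAX_COOKIE_AGE_LIMIT).total_seconds())
    delta_seconds = min(delta_seconds, limit_seconds)  # steps 4 and 5
    if delta_seconds <= 0:                             # step 6
        return EARLIEST_REPRESENTABLE
    return now + timedelta(seconds=delta_seconds)


def expiry_time_for(set_cookie_string: str, now: datetime = EXAMPLE_NOW,
                    cookie_age_limit: timedelta = MAX_COOKIE_AGE_LIMIT):
    """(name, value, effective expiry-time); expiry None means a session cookie.

    Section 5.5: the last Max-Age wins over any Expires, and among
    duplicates of one attribute the last one in the list wins.  A
    cookie-av that was ignored is never appended, so it cannot override
    an earlier valid one.
    """
    parsed = split_set_cookie(set_cookie_string)
    if parsed is None:
        return None
    name, value, attributes = parsed
    attribute_list = {}
    for attr_name, attr_value in attributes:
        key = attr_name.lower()  # attribute names match case-insensitively
        if key == "max-age":
            result = process_max_age(attr_value, now, cookie_age_limit)
        elif key == "expires":
            result = process_expires(attr_value, now, cookie_age_limit)
        else:
            continue
        if result is not None:
            attribute_list[key] = result
    return name, value, attribute_list.get("max-age", attribute_list.get("expires"))


if __name__ == "__main__":
    for s in ("id=abc; Max-Age=3600",
              "id=abc; Expires=Wed, 09 Jun 2031 10:18:14 GMT",   # capped
              'id="abc"; Path=/; Max-Age=-1'):                     # quotes kept
        print(s, "->", expiry_time_for(s))
```

   With the constructed clock of 14 January 2022, a ten-year Expires
   and an oversized Max-Age both collapse to 18 February 2023, which is
   the practical effect of the new text: a long-lived session cookie
   now has to be refreshed by the server at least every 400 days.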
5.4.3.  The Domain Attribute

   If the attribute-name case-insensitively matches the string "Domain",
   the user agent MUST process the cookie-av as follows.

   1.  Let cookie-domain be the attribute-value.

   2.  If cookie-domain starts with %x2E ("."), let cookie-domain be

   [skipping to change at page 29, line 35 (-09) / page 29, line 39 (latest)]
   recently.  Deployment experience has shown a cookie age of 2 minutes
   or less to be a reasonable limit.

   If the user agent uses "Lax-allowing-unsafe" enforcement, it MUST
   apply the following modification to the retrieval algorithm defined
   in Section 5.6.3:

      Replace the condition in the penultimate bullet point of step 1 of
      the retrieval algorithm reading

         *  The HTTP request associated with the retrieval uses a "safe"
            method.

      with

         *  At least one of the following is true:

            1.  The HTTP request associated with the retrieval uses a
                "safe" method.

            2.  The cookie's same-site-flag is "Default" and the amount of
                time elapsed since the cookie's creation-time is at most a
                duration of the user agent's choosing.

5.5.  Storage Model

   The user agent stores the following fields about each cookie: name,
   value, expiry-time, domain, path, creation-time, last-access-time,
   persistent-flag, host-only-flag, secure-only-flag, http-only-flag,
   and same-site-flag.

   When the user agent "receives a cookie" from a request-uri with name
   cookie-name, value cookie-value, and attributes cookie-attribute-

   [skipping to change at page 40, line 21 (-09) / page 40, line 31 (latest)]
injecting identifying information into dynamic URLs.

7.2. Cookie policy

User agents MAY enforce a cookie policy consisting of restrictions on
how cookies may be used or ignored (see Section 5.3).

A cookie policy may govern the domains or parties, as in first and
third parties (see Section 7.1), for which the user agent will allow
cookie access. The policy can also define limits on cookie size,
cookie expiry, and the number of cookies per domain or in total.
(-latest adds a cross-reference after "cookie expiry": "(see Section
4.1.2.1 and Section 4.1.2.2)".)

The goal of a restrictive cookie policy is often to improve security
or privacy. User agents often allow users to change the cookie
policy (see Section 7.3).
7.3. User Controls

User agents SHOULD provide users with a mechanism for managing the
cookies stored in the cookie store. For example, a user agent might
let users delete all cookies received during a specified time period
[rfcdiff: skipping to change at page 48, line 40 (-09) / page 49, line 4 (-latest)]
The permanent message header field registry (see [RFC3864]) needs to
be updated with the following registration:

Header field name: Set-Cookie
Applicable protocol: http
Status: standard
Author/Change controller: IETF
Specification document: this specification (Section 5.4)
9.3. Cookie Attribute Registry

IANA is requested to create the "Cookie Attribute Registry", defining
the name space of attributes used to control cookies' behavior. The
registry should be maintained at
https://www.iana.org/assignments/cookie-attribute-names [1].

9.3.1. Procedure

Each registered attribute name is associated with a description, and
a reference detailing how the attribute is to be processed and
stored.

New registrations happen on an "RFC Required" basis (see Section 4.7
of [RFC8126]). The attribute to be registered MUST match the
"extension-av" syntax defined in Section 4.1.1. Note that attribute
[rfcdiff: skipping to change at page 53, line 7 (-09) / page 53, line 15 (-latest)]
[RFC7034] Ross, D. and T. Gondrom, "HTTP Header Field X-Frame-
Options", RFC 7034, DOI 10.17487/RFC7034, October 2013,
<https://www.rfc-editor.org/info/rfc7034>.

[UTS46] Davis, M. and M. Suignard, "Unicode IDNA Compatibility
Processing", UNICODE Unicode Technical Standards # 46,
June 2016, <http://unicode.org/reports/tr46/>.
10.3. URIs

(Numbering as in -latest. -09 numbered the same entries three higher,
[4] through [47], because it also listed the three "Note to Readers"
URIs as [1] https://lists.w3.org/Archives/Public/ietf-http-wg/,
[2] http://httpwg.github.io/ and
[3] https://github.com/httpwg/http-extensions/labels/6265bis;
entry [45] is new in -latest.)

[1] https://www.iana.org/assignments/cookie-attribute-names
[2] https://github.com/httpwg/http-extensions/issues/243
[3] https://github.com/httpwg/http-extensions/issues/246
[4] https://www.rfc-editor.org/errata_search.php?rfc=6265
[5] https://github.com/httpwg/http-extensions/issues/247
[6] https://github.com/httpwg/http-extensions/issues/201
[7] https://github.com/httpwg/http-extensions/issues/204
[8] https://github.com/httpwg/http-extensions/issues/222
[9] https://github.com/httpwg/http-extensions/issues/248
[10] https://github.com/httpwg/http-extensions/issues/295
[11] https://github.com/httpwg/http-extensions/issues/302
[12] https://github.com/httpwg/http-extensions/issues/389
[13] https://github.com/httpwg/http-extensions/issues/199
[14] https://github.com/httpwg/http-extensions/issues/788
[15] https://github.com/httpwg/http-extensions/issues/594
[16] https://github.com/httpwg/http-extensions/issues/159
[17] https://github.com/httpwg/http-extensions/issues/159
[18] https://github.com/httpwg/http-extensions/issues/901
[19] https://github.com/httpwg/http-extensions/pull/1035
[20] https://github.com/httpwg/http-extensions/pull/1038
[21] https://github.com/httpwg/http-extensions/pull/1040
[22] https://github.com/httpwg/http-extensions/pull/1047
[23] https://github.com/httpwg/http-extensions/issues/1059
[24] https://github.com/httpwg/http-extensions/issues/1158
[25] https://github.com/httpwg/http-extensions/pull/1060
[26] https://github.com/httpwg/http-extensions/issues/1074
[27] https://github.com/httpwg/http-extensions/issues/1119
[28] https://github.com/httpwg/http-extensions/pull/1143
[29] https://github.com/httpwg/http-extensions/issues/1159
[30] https://github.com/httpwg/http-extensions/issues/1234
[31] https://github.com/httpwg/http-extensions/pull/1325
[32] https://github.com/httpwg/http-extensions/pull/1323
[33] https://github.com/httpwg/http-extensions/pull/1324
[34] https://github.com/httpwg/http-extensions/pull/1384
[35] https://github.com/httpwg/http-extensions/pull/1348
[36] https://github.com/httpwg/http-extensions/pull/1416
[37] https://github.com/httpwg/http-extensions/pull/1420
[38] https://github.com/httpwg/http-extensions/pull/1428
[39] https://github.com/httpwg/http-extensions/pull/1435
[40] https://github.com/httpwg/http-extensions/pull/1527
[41] https://github.com/httpwg/http-extensions/pull/1563
[42] https://github.com/httpwg/http-extensions/pull/1576
[43] https://github.com/httpwg/http-extensions/pull/1589
[44] https://github.com/httpwg/http-extensions/pull/1709
[45] https://github.com/httpwg/http-extensions/pull/1732
Appendix A. Changes

(Citation numbers below follow the -latest numbering of Section 10.3.)

A.1. draft-ietf-httpbis-rfc6265bis-00

o Port [RFC6265] to Markdown. No (intentional) normative changes.

A.2. draft-ietf-httpbis-rfc6265bis-01

o Fixes to formatting caused by mistakes in the initial port to
  Markdown:

  * https://github.com/httpwg/http-extensions/issues/243 [2]
  * https://github.com/httpwg/http-extensions/issues/246 [3]

o Addresses errata 3444 by updating the "path-value" and "extension-
  av" grammar, errata 4148 by updating the "day-of-month", "year",
  and "time" grammar, and errata 3663 by adding the requested note.
  https://www.rfc-editor.org/errata_search.php?rfc=6265 [4]

o Dropped "Cookie2" and "Set-Cookie2" from the IANA Considerations
  section: https://github.com/httpwg/http-extensions/issues/247 [5]

o Merged the recommendations from [I-D.ietf-httpbis-cookie-alone],
  removing the ability for a non-secure origin to set cookies with a
  'secure' flag, and to overwrite cookies whose 'secure' flag is
  true.

o Merged the recommendations from
  [I-D.ietf-httpbis-cookie-prefixes], adding "__Secure-" and
  "__Host-" cookie name prefix processing instructions.

A.3. draft-ietf-httpbis-rfc6265bis-02

o Merged the recommendations from
  [I-D.ietf-httpbis-cookie-same-site], adding support for the
  "SameSite" attribute.

o Closed a number of editorial bugs:

  * Clarified address bar behavior for SameSite cookies:
    https://github.com/httpwg/http-extensions/issues/201 [6]
  * Added the word "Cookies" to the document's name:
    https://github.com/httpwg/http-extensions/issues/204 [7]
  * Clarified that the "__Host-" prefix requires an explicit "Path"
    attribute: https://github.com/httpwg/http-extensions/issues/222 [8]
  * Expanded the options for dealing with third-party cookies to
    include a brief mention of partitioning based on first-party:
    https://github.com/httpwg/http-extensions/issues/248 [9]
  * Noted that double-quotes in cookie values are part of the
    value, and are not stripped:
    https://github.com/httpwg/http-extensions/issues/295 [10]
  * Fixed the "site for cookies" algorithm to return something that
    makes sense: https://github.com/httpwg/http-extensions/issues/302 [11]

A.4. draft-ietf-httpbis-rfc6265bis-03

o Clarified handling of invalid SameSite values:
  https://github.com/httpwg/http-extensions/issues/389 [12]

o Reflect widespread implementation practice of including a cookie's
  "host-only-flag" when calculating its uniqueness:
  https://github.com/httpwg/http-extensions/issues/199 [13]

o Introduced an explicit "None" value for the SameSite attribute:
  https://github.com/httpwg/http-extensions/issues/788 [14]

A.5. draft-ietf-httpbis-rfc6265bis-04

o Allow "SameSite" cookies to be set for all top-level navigations.
  https://github.com/httpwg/http-extensions/issues/594 [15]

o Treat "Set-Cookie: token" as creating the cookie "("", "token")":
  https://github.com/httpwg/http-extensions/issues/159 [16]

o Reject cookies with neither name nor value (e.g. "Set-Cookie: ="
  and "Set-Cookie:"):
  https://github.com/httpwg/http-extensions/issues/159 [17]

o Clarified behavior of multiple "SameSite" attributes in a cookie
  string: https://github.com/httpwg/http-extensions/issues/901 [18]

A.6. draft-ietf-httpbis-rfc6265bis-05

o Typos and editorial fixes:
  https://github.com/httpwg/http-extensions/pull/1035 [19],
  https://github.com/httpwg/http-extensions/pull/1038 [20],
  https://github.com/httpwg/http-extensions/pull/1040 [21],
  https://github.com/httpwg/http-extensions/pull/1047 [22].

A.7. draft-ietf-httpbis-rfc6265bis-06

o Editorial fixes:
  https://github.com/httpwg/http-extensions/issues/1059 [23],
  https://github.com/httpwg/http-extensions/issues/1158 [24].

o Created a registry for cookie attribute names:
  https://github.com/httpwg/http-extensions/pull/1060 [25].

o Tweaks to ABNF for "cookie-pair" and the "Cookie" header
  production: https://github.com/httpwg/http-extensions/issues/1074 [26],
  https://github.com/httpwg/http-extensions/issues/1119 [27].

o Fixed serialization for nameless/valueless cookies:
  https://github.com/httpwg/http-extensions/pull/1143 [28].

o Converted a normative reference to Mozilla's Public Suffix List
  [PSL] into an informative reference:
  https://github.com/httpwg/http-extensions/issues/1159 [29].

A.8. draft-ietf-httpbis-rfc6265bis-07

o Moved instruction to ignore cookies with empty cookie-name and
  cookie-value from Section 5.4 to Section 5.5 to ensure that they
  apply to cookies created without parsing a cookie string:
  https://github.com/httpwg/http-extensions/issues/1234 [30].

o Add a default enforcement value to the "same-site-flag",
  equivalent to "SameSite=Lax":
  https://github.com/httpwg/http-extensions/pull/1325 [31].

o Require a Secure attribute for "SameSite=None":
  https://github.com/httpwg/http-extensions/pull/1323 [32].

o Consider scheme when running the same-site algorithm:
  https://github.com/httpwg/http-extensions/pull/1324 [33].

A.9. draft-ietf-httpbis-rfc6265bis-08

o Define "same-site" for reload navigation requests, e.g. those
  triggered via user interface elements:
  https://github.com/httpwg/http-extensions/pull/1384 [34]

o Consider redirects when defining same-site:
  https://github.com/httpwg/http-extensions/pull/1348 [35]

o Align on using HTML terminology for origins:
  https://github.com/httpwg/http-extensions/pull/1416 [36]

o Modify cookie parsing and creation algorithms in Section 5.4 and
  Section 5.5 to explicitly handle control characters:
  https://github.com/httpwg/http-extensions/pull/1420 [37]

o Refactor cookie retrieval algorithm to support non-HTTP APIs:
  https://github.com/httpwg/http-extensions/pull/1428 [38]

o Define "Lax-allowing-unsafe" SameSite enforcement mode:
  https://github.com/httpwg/http-extensions/pull/1435 [39]

o Consistently use "header field" (vs "header"):
  https://github.com/httpwg/http-extensions/pull/1527 [40]

A.10. draft-ietf-httpbis-rfc6265bis-09

o Update cookie size requirements:
  https://github.com/httpwg/http-extensions/pull/1563 [41]

o Reject cookies with control characters:
  https://github.com/httpwg/http-extensions/pull/1576 [42]

o No longer treat horizontal tab as a control character:
  https://github.com/httpwg/http-extensions/pull/1589 [43]

o Specify empty domain attribute handling:
  https://github.com/httpwg/http-extensions/pull/1709 [44]

A.11. draft-ietf-httpbis-rfc6265bis-10 (present in -latest only)

o Standardize Max-Age/Expires upper bound:
  https://github.com/httpwg/http-extensions/pull/1732 [45]
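The storage-model fields listed in Section 5.5 above, and several of the
behaviours the change log records (nameless or valueless cookies, control
characters with HTAB exempted, the cookie-alone rules for the Secure
attribute, the "__Secure-" and "__Host-" prefixes, SameSite=None requiring
Secure, the empty Domain attribute, the host-only-flag in cookie uniqueness,
and the Max-Age/Expires upper bound), can be exercised together in a small
receive-and-store routine. The following is an added example written for
this page; it is not text from the draft and not any browser's
implementation. Its function names are its own; the 400-day value behind
MAX_COOKIE_LIFETIME is an assumption (the change log names only the PR),
and the IPv4-literal shortcut in domain_matches is a simplification of
the draft's domain-matching rule.

```python
from dataclasses import dataclass
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

# Assumption: the Max-Age/Expires upper bound that -10 standardises is 400 days;
# the change log above cites only the PR.
MAX_COOKIE_LIFETIME = 400 * 24 * 3600

def has_ctl(s: str) -> bool:  # %x00-1F / %x7F, except HTAB, which -09 stopped treating as a CTL
    return any((ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F for c in s)

def default_path(p: str) -> str:  # default-path: the request path up to its last "/", else "/"
    i = p.rfind("/")
    return "/" if not p.startswith("/") or i == 0 else p[:i]

def domain_matches(host: str, domain: str) -> bool:  # equal, or a sub-domain (IPv4 literals excluded)
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or (host.endswith("." + domain) and not host.replace(".", "").isdigit())

def path_matches(req: str, cpath: str) -> bool:  # request path path-matches cookie path
    return req == cpath or (req.startswith(cpath) and (cpath.endswith("/") or req[len(cpath)] == "/"))

@dataclass
class Cookie:  # exactly the per-cookie fields the Section 5.5 storage model lists
    name: str
    value: str
    expiry_time: Optional[float]
    domain: str
    path: str
    creation_time: float
    last_access_time: float
    persistent_flag: bool
    host_only_flag: bool
    secure_only_flag: bool
    http_only_flag: bool
    same_site_flag: str  # "Default", "None", "Lax" or "Strict"

Store = Dict[Tuple[str, str, bool, str], Cookie]  # keyed by name, domain, host-only-flag, path (-03)

def parse_set_cookie(header: str, request_host: str, request_path: str,
                     secure_scheme: bool, now: float) -> Optional[Cookie]:
    if has_ctl(header):                                    # -09: control characters -> reject
        return None
    pair, *avs = header.split(";")
    name, sep, value = pair.partition("=")
    name, value = ("", name.strip()) if not sep else (name.strip(), value.strip())  # -04: "token"
    if not name and not value:                             # -04/-07: "=" and "" are ignored
        return None
    attrs = {k.strip().lower(): v.strip() for k, _, v in (av.partition("=") for av in avs)}
    expiry: Optional[float] = None
    if attrs.get("max-age", "").lstrip("-").isdigit():     # Max-Age takes precedence over Expires
        delta = int(attrs["max-age"])
        expiry = now + min(delta, MAX_COOKIE_LIFETIME) if delta > 0 else float("-inf")
    elif "expires" in attrs:
        try:
            expiry = min(parsedate_to_datetime(attrs["expires"]).timestamp(), now + MAX_COOKIE_LIFETIME)
        except (TypeError, ValueError):                    # unparsable date: session cookie
            expiry = None
    domain = attrs.get("domain", "").lower().lstrip(".")
    host_only = not domain                                 # -09: an empty Domain attribute is ignored
    if host_only:
        domain = request_host.lower()
    elif not domain_matches(request_host, domain):
        return None                                        # Domain does not cover the request host
    path = attrs.get("path", "")
    path = path if path.startswith("/") else default_path(request_path)
    secure = "secure" in attrs
    if secure and not secure_scheme:                       # -01: only a secure origin may set Secure
        return None
    same_site = {"none": "None", "lax": "Lax", "strict": "Strict"}.get(
        attrs.get("samesite", "").lower(), "Default")      # anything else falls back to Default
    if not secure and (same_site == "None" or name.startswith(("__Secure-", "__Host-"))):
        return None                                        # -07 / -01: these all require Secure
    if name.startswith("__Host-") and not (host_only and attrs.get("path") == "/"):
        return None                                        # -01/-02: __Host- also needs no Domain, Path=/
    return Cookie(name, value, expiry, domain, path, now, now, expiry is not None,
                  host_only, secure, "httponly" in attrs, same_site)

def receive_cookie(store: Store, header: str, host: str, path: str, secure_scheme: bool, now: float) -> bool:
    c = parse_set_cookie(header, host, path, secure_scheme, now)
    if c is None:
        return False
    if not secure_scheme:                                  # -01: may not overwrite or shadow a Secure cookie
        for old in store.values():
            if (old.secure_only_flag and old.name == c.name and path_matches(c.path, old.path)
                    and (domain_matches(old.domain, c.domain) or domain_matches(c.domain, old.domain))):
                return False
    key = (c.name, c.domain, c.host_only_flag, c.path)
    if key in store:
        c.creation_time = store[key].creation_time         # a replacement keeps the old creation-time
    if c.expiry_time is not None and c.expiry_time <= now:
        store.pop(key, None)                               # already expired: evict, store nothing
        return False
    store[key] = c
    return True
```

With an empty dict as the store, receive_cookie(store, "SID=abc; Path=/;
Secure", "example.com", "/login", True, <current Unix time>) stores a
host-only Secure cookie; a later "SID=evil" received over a non-secure
scheme for example.com or any of its sub-domains is refused, which is the
cookie-alone behaviour the A.2 entry describes, and "SID=; Secure;
Max-Age=0" over https evicts it. The constructed Set-Cookie values here are
illustrative only.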
Acknowledgements

RFC 6265 was written by Adam Barth. This document is an update of
RFC 6265, adding features and aligning the specification with the
reality of today's deployments. Here, we're standing upon the
shoulders of a giant since the majority of the text is still Adam's.

Authors' Addresses
End of changes. 116 change blocks. 139 lines changed or deleted,
156 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is
available from http://tools.ietf.org/tools/rfcdiff/