draft-ietf-httpbis-rfc6265bis-03.txt   draft-ietf-httpbis-rfc6265bis-latest.txt 
HTTP Working Group A. Barth HTTP Working Group A. Barth
Internet-Draft M. West Internet-Draft M. West
Obsoletes: 6265 (if approved) Google, Inc Obsoletes: 6265 (if approved) Google, Inc
Intended status: Standards Track April 27, 2019 Intended status: Standards Track December 13, 2019
Expires: October 29, 2019 Expires: June 15, 2020
Cookies: HTTP State Management Mechanism Cookies: HTTP State Management Mechanism
draft-ietf-httpbis-rfc6265bis-03 draft-ietf-httpbis-rfc6265bis-latest
Abstract Abstract
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
These header fields can be used by HTTP servers to store state These header fields can be used by HTTP servers to store state
(called cookies) at HTTP user agents, letting the servers maintain a (called cookies) at HTTP user agents, letting the servers maintain a
stateful session over the mostly stateless HTTP protocol. Although stateful session over the mostly stateless HTTP protocol. Although
cookies have many historical infelicities that degrade their security cookies have many historical infelicities that degrade their security
and privacy, the Cookie and Set-Cookie header fields are widely used and privacy, the Cookie and Set-Cookie header fields are widely used
on the Internet. This document obsoletes RFC 6265. on the Internet. This document obsoletes RFC 6265.
skipping to change at page 1, line 47 skipping to change at page 1, line 47
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 29, 2019. This Internet-Draft will expire on June 15, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 21 skipping to change at page 3, line 21
5.3.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 26 5.3.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 26
5.3.3. The Domain Attribute . . . . . . . . . . . . . . . . 26 5.3.3. The Domain Attribute . . . . . . . . . . . . . . . . 26
5.3.4. The Path Attribute . . . . . . . . . . . . . . . . . 27 5.3.4. The Path Attribute . . . . . . . . . . . . . . . . . 27
5.3.5. The Secure Attribute . . . . . . . . . . . . . . . . 27 5.3.5. The Secure Attribute . . . . . . . . . . . . . . . . 27
5.3.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 27 5.3.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 27
5.3.7. The SameSite Attribute . . . . . . . . . . . . . . . 27 5.3.7. The SameSite Attribute . . . . . . . . . . . . . . . 27
5.4. Storage Model . . . . . . . . . . . . . . . . . . . . . . 28 5.4. Storage Model . . . . . . . . . . . . . . . . . . . . . . 28
5.5. The Cookie Header . . . . . . . . . . . . . . . . . . . . 33 5.5. The Cookie Header . . . . . . . . . . . . . . . . . . . . 33
6. Implementation Considerations . . . . . . . . . . . . . . . . 35 6. Implementation Considerations . . . . . . . . . . . . . . . . 35
6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 35 6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 35
6.2. Application Programming Interfaces . . . . . . . . . . . 35 6.2. Application Programming Interfaces . . . . . . . . . . . 36
6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 36 6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 36
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 36 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 36
7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 36 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 37
7.2. User Controls . . . . . . . . . . . . . . . . . . . . . . 37 7.2. User Controls . . . . . . . . . . . . . . . . . . . . . . 37
7.3. Expiration Dates . . . . . . . . . . . . . . . . . . . . 37 7.3. Expiration Dates . . . . . . . . . . . . . . . . . . . . 38
8. Security Considerations . . . . . . . . . . . . . . . . . . . 38 8. Security Considerations . . . . . . . . . . . . . . . . . . . 38
8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 38 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 38
8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 38 8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 38
8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 39 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 39
8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 40 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 40
8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 40 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 40
8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 41 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 41
8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 42 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 42
8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 42 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 42
8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 42 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 42
8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 42 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 42
8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 43 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 43
8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 43 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 43
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44
9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 43 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 44
9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 44 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 44
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 44
10.1. Normative References . . . . . . . . . . . . . . . . . . 44 10.1. Normative References . . . . . . . . . . . . . . . . . . 44
10.2. Informative References . . . . . . . . . . . . . . . . . 45 10.2. Informative References . . . . . . . . . . . . . . . . . 46
10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 47 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 48 Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 48
A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 48 A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 48
A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 48 A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 49
A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 49 A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 49
A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 49 A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 50
A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 50
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 49 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 50
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 50 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 50
1. Introduction 1. Introduction
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
Using the Set-Cookie header field, an HTTP server can pass name/value Using the Set-Cookie header field, an HTTP server can pass name/value
pairs and associated metadata (called cookies) to a user agent. When pairs and associated metadata (called cookies) to a user agent. When
the user agent makes subsequent requests to the server, the user the user agent makes subsequent requests to the server, the user
agent uses the metadata and other information to determine whether to agent uses the metadata and other information to determine whether to
return the name/value pairs in the Cookie header. return the name/value pairs in the Cookie header.
skipping to change at page 31, line 47 skipping to change at page 31, line 47
attacks. That is, given an existing secure cookie named 'a' attacks. That is, given an existing secure cookie named 'a'
with a path of '/login', a non-secure cookie named 'a' could be with a path of '/login', a non-secure cookie named 'a' could be
set for a path of '/' or '/foo', but not for a path of '/login' set for a path of '/' or '/foo', but not for a path of '/login'
or '/login/en'. or '/login/en'.
13. If the cookie-attribute-list contains an attribute with an 13. If the cookie-attribute-list contains an attribute with an
attribute-name of "SameSite", set the cookie's same-site-flag to attribute-name of "SameSite", set the cookie's same-site-flag to
attribute-value (i.e. either "Strict", "Lax", or "None"). attribute-value (i.e. either "Strict", "Lax", or "None").
Otherwise, set the cookie's same-site-flag to "None". Otherwise, set the cookie's same-site-flag to "None".
14. If the cookie's "same-site-flag" is not "None", and the cookie 14. If the cookie's "same-site-flag" is not "None":
is being set from a context whose "site for cookies" is not an
exact match for request-uri's host's registered domain, then 1. If the cookie was received from a "non-HTTP" API, and the
abort these steps and ignore the newly created cookie entirely. API was called from a context whose "site for cookies" is
not an exact match for request-uri's host's registered
domain, then abort these steps and ignore the newly created
cookie entirely.
2. If the cookie was received from a "same-site" request (as
defined in Section 5.2), skip the remaining substeps and
continue processing the cookie.
3. If the cookie was received from a request which is
navigating a top-level browsing context [HTML] (e.g. if the
request's "reserved client" is either "null" or an
environment whose "target browsing context" is a top-level
browing context), skip the remaining substeps and continue
processing the cookie.
Note: Top-level navigations can create a cookie with any
"SameSite" value, even if the new cookie wouldn't have been
sent along with the request had it already existed prior to
the navigation.
4. Abort these steps and ignore the newly created cookie
entirely.
15. If the cookie-name begins with a case-sensitive match for the 15. If the cookie-name begins with a case-sensitive match for the
string "__Secure-", abort these steps and ignore the cookie string "__Secure-", abort these steps and ignore the cookie
entirely unless the cookie's secure-only-flag is true. entirely unless the cookie's secure-only-flag is true.
16. If the cookie-name begins with a case-sensitive match for the 16. If the cookie-name begins with a case-sensitive match for the
string "__Host-", abort these steps and ignore the cookie string "__Host-", abort these steps and ignore the cookie
entirely unless the cookie meets all the following criteria: entirely unless the cookie meets all the following criteria:
1. The cookie's secure-only-flag is true. 1. The cookie's secure-only-flag is true.
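Review bot: substep 3 of the rewritten step 14 misspells "browsing context" as "browing context" ("is a top-level browing context"); correct the spelling, since the term is the [HTML] one the same sentence already uses. Two more points on the same region: substep 1 now applies the "site for cookies" check only to cookies received from a "non-HTTP" API, so a cookie from a cross-site HTTP response that is neither a same-site request (substep 2) nor a top-level navigation (substep 3) falls through to substep 4 and is dropped, which is the behaviour the old single-sentence step 14 had but is now reached by a different path and deserves a line in the change log; and the new Note grants the exemption for any "SameSite" value, so a "Strict" cookie can be created by a cross-site top-level navigation on which it would not have been sent, which reviewers should confirm is intended rather than a "Lax"-only allowance.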
skipping to change at page 48, line 19 skipping to change at page 48, line 41
[13] https://github.com/httpwg/http-extensions/issues/295 [13] https://github.com/httpwg/http-extensions/issues/295
[14] https://github.com/httpwg/http-extensions/issues/302 [14] https://github.com/httpwg/http-extensions/issues/302
[15] https://github.com/httpwg/http-extensions/issues/389 [15] https://github.com/httpwg/http-extensions/issues/389
[16] https://github.com/httpwg/http-extensions/issues/199 [16] https://github.com/httpwg/http-extensions/issues/199
[17] https://github.com/httpwg/http-extensions/issues/788 [17] https://github.com/httpwg/http-extensions/issues/788
[18] https://github.com/httpwg/http-extensions/issues/594
Appendix A. Changes Appendix A. Changes
A.1. draft-ietf-httpbis-rfc6265bis-00 A.1. draft-ietf-httpbis-rfc6265bis-00
o Port [RFC6265] to Markdown. No (intentional) normative changes. o Port [RFC6265] to Markdown. No (intentional) normative changes.
A.2. draft-ietf-httpbis-rfc6265bis-01 A.2. draft-ietf-httpbis-rfc6265bis-01
o Fixes to formatting caused by mistakes in the initial port to o Fixes to formatting caused by mistakes in the initial port to
Markdown: Markdown:
skipping to change at page 49, line 47 skipping to change at page 50, line 25
o Clarified handling of invalid SameSite values: o Clarified handling of invalid SameSite values:
https://github.com/httpwg/http-extensions/issues/389 [15] https://github.com/httpwg/http-extensions/issues/389 [15]
o Reflect widespread implementation practice of including a cookie's o Reflect widespread implementation practice of including a cookie's
"host-only-flag" when calculating its uniqueness: "host-only-flag" when calculating its uniqueness:
https://github.com/httpwg/http-extensions/issues/199 [16] https://github.com/httpwg/http-extensions/issues/199 [16]
o Introduced an explicit "None" value for the SameSite attribute: o Introduced an explicit "None" value for the SameSite attribute:
https://github.com/httpwg/http-extensions/issues/788 [17] https://github.com/httpwg/http-extensions/issues/788 [17]
A.5. draft-ietf-httpbis-rfc6265bis-04
o Allow "SameSite" cookies to be set for all top-level navigations.
https://github.com/httpwg/http-extensions/issues/594 [18]
Acknowledgements Acknowledgements
This document is a minor update of RFC 6265, adding small features, This document is a minor update of RFC 6265, adding small features,
and aligning the specification with the reality of today's and aligning the specification with the reality of today's
deployments. Here, we're standing upon the shoulders of giants. deployments. Here, we're standing upon the shoulders of giants.
Authors' Addresses Authors' Addresses
Adam Barth Adam Barth
Google, Inc Google, Inc
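Review bot: the new A.5 entry ends its description with a period before the issue URL, whereas the neighbouring A.4 entries end with a colon ("...uniqueness:", "...attribute:"); match that style. The entry also records only the top-level navigation allowance, while the step 14 rewrite in this same diff additionally narrows the "site for cookies" check to cookies received from a "non-HTTP" API and adds an explicit same-site request case (Section 5.2); consider naming that restructuring so the change log reflects the full normative change.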
 End of changes. 13 change blocks. 
19 lines changed or deleted 48 lines changed or added