draft-ietf-httpbis-rfc6265bis-03.txt		draft-ietf-httpbis-rfc6265bis-latest.txt
	HTTP Working Group A. Barth		HTTP Working Group A. Barth
	Internet-Draft M. West		Internet-Draft M. West
	Obsoletes: 6265 (if approved) Google, Inc		Obsoletes: 6265 (if approved) Google, Inc
	Intended status: Standards Track April 27, 2019		Intended status: Standards Track October 17, 2019
	Expires: October 29, 2019		Expires: April 19, 2020
	Cookies: HTTP State Management Mechanism		Cookies: HTTP State Management Mechanism
	draft-ietf-httpbis-rfc6265bis-03		draft-ietf-httpbis-rfc6265bis-latest
	Abstract		Abstract
	This document defines the HTTP Cookie and Set-Cookie header fields.		This document defines the HTTP Cookie and Set-Cookie header fields.
	These header fields can be used by HTTP servers to store state		These header fields can be used by HTTP servers to store state
	(called cookies) at HTTP user agents, letting the servers maintain a		(called cookies) at HTTP user agents, letting the servers maintain a
	stateful session over the mostly stateless HTTP protocol. Although		stateful session over the mostly stateless HTTP protocol. Although
	cookies have many historical infelicities that degrade their security		cookies have many historical infelicities that degrade their security
	and privacy, the Cookie and Set-Cookie header fields are widely used		and privacy, the Cookie and Set-Cookie header fields are widely used
	on the Internet. This document obsoletes RFC 6265.		on the Internet. This document obsoletes RFC 6265.
	skipping to change at page 1, line 47 ¶		skipping to change at page 1, line 47 ¶
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at https://datatracker.ietf.org/drafts/current/.		Drafts is at https://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on October 29, 2019.		This Internet-Draft will expire on April 19, 2020.
	Copyright Notice		Copyright Notice
	Copyright (c) 2019 IETF Trust and the persons identified as the		Copyright (c) 2019 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(https://trustee.ietf.org/license-info) in effect on the date of		(https://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	skipping to change at page 3, line 21 ¶		skipping to change at page 3, line 21 ¶
	5.3.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 26		5.3.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 26
	5.3.3. The Domain Attribute . . . . . . . . . . . . . . . . 26		5.3.3. The Domain Attribute . . . . . . . . . . . . . . . . 26
	5.3.4. The Path Attribute . . . . . . . . . . . . . . . . . 27		5.3.4. The Path Attribute . . . . . . . . . . . . . . . . . 27
	5.3.5. The Secure Attribute . . . . . . . . . . . . . . . . 27		5.3.5. The Secure Attribute . . . . . . . . . . . . . . . . 27
	5.3.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 27		5.3.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 27
	5.3.7. The SameSite Attribute . . . . . . . . . . . . . . . 27		5.3.7. The SameSite Attribute . . . . . . . . . . . . . . . 27
	5.4. Storage Model . . . . . . . . . . . . . . . . . . . . . . 28		5.4. Storage Model . . . . . . . . . . . . . . . . . . . . . . 28
	5.5. The Cookie Header . . . . . . . . . . . . . . . . . . . . 33		5.5. The Cookie Header . . . . . . . . . . . . . . . . . . . . 33
	6. Implementation Considerations . . . . . . . . . . . . . . . . 35		6. Implementation Considerations . . . . . . . . . . . . . . . . 35
	6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 35		6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 35
	6.2. Application Programming Interfaces . . . . . . . . . . . 35		6.2. Application Programming Interfaces . . . . . . . . . . . 36
	6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 36		6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 36
	7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 36		7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 36
	7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 36		7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 37
	7.2. User Controls . . . . . . . . . . . . . . . . . . . . . . 37		7.2. User Controls . . . . . . . . . . . . . . . . . . . . . . 37
	7.3. Expiration Dates . . . . . . . . . . . . . . . . . . . . 37		7.3. Expiration Dates . . . . . . . . . . . . . . . . . . . . 38
	8. Security Considerations . . . . . . . . . . . . . . . . . . . 38		8. Security Considerations . . . . . . . . . . . . . . . . . . . 38
	8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 38		8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 38
	8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 38		8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 38
	8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 39		8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 39
	8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 40		8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 40
	8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 40		8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 40
	8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 41		8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 41
	8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 42		8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 42
	8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 42		8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 42
	8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 42		8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 42
	8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 42		8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 42
	8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 43		8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 43
	8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 43		8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 43
	9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43		9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44
	9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 43		9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 44
	9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 44		9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 44
	10. References . . . . . . . . . . . . . . . . . . . . . . . . . 44		10. References . . . . . . . . . . . . . . . . . . . . . . . . . 44
	10.1. Normative References . . . . . . . . . . . . . . . . . . 44		10.1. Normative References . . . . . . . . . . . . . . . . . . 44
	10.2. Informative References . . . . . . . . . . . . . . . . . 45		10.2. Informative References . . . . . . . . . . . . . . . . . 46
	10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 47		10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 48
	Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 48		Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 48
	A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 48		A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 48
	A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 48		A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 49
	A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 49		A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 49
	A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 49		A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 50
			A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 50
	Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 49		Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 50
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 50		Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 50
	1. Introduction		1. Introduction
	This document defines the HTTP Cookie and Set-Cookie header fields.		This document defines the HTTP Cookie and Set-Cookie header fields.
	Using the Set-Cookie header field, an HTTP server can pass name/value		Using the Set-Cookie header field, an HTTP server can pass name/value
	pairs and associated metadata (called cookies) to a user agent. When		pairs and associated metadata (called cookies) to a user agent. When
	the user agent makes subsequent requests to the server, the user		the user agent makes subsequent requests to the server, the user
	agent uses the metadata and other information to determine whether to		agent uses the metadata and other information to determine whether to
	return the name/value pairs in the Cookie header.		return the name/value pairs in the Cookie header.
	skipping to change at page 31, line 47 ¶		skipping to change at page 31, line 47 ¶
	attacks. That is, given an existing secure cookie named 'a'		attacks. That is, given an existing secure cookie named 'a'
	with a path of '/login', a non-secure cookie named 'a' could be		with a path of '/login', a non-secure cookie named 'a' could be
	set for a path of '/' or '/foo', but not for a path of '/login'		set for a path of '/' or '/foo', but not for a path of '/login'
	or '/login/en'.		or '/login/en'.
	13. If the cookie-attribute-list contains an attribute with an		13. If the cookie-attribute-list contains an attribute with an
	attribute-name of "SameSite", set the cookie's same-site-flag to		attribute-name of "SameSite", set the cookie's same-site-flag to
	attribute-value (i.e. either "Strict", "Lax", or "None").		attribute-value (i.e. either "Strict", "Lax", or "None").
	Otherwise, set the cookie's same-site-flag to "None".		Otherwise, set the cookie's same-site-flag to "None".
	14. If the cookie's "same-site-flag" is not "None", and the cookie		14. If the cookie's "same-site-flag" is not "None":
	is being set from a context whose "site for cookies" is not an
	exact match for request-uri's host's registered domain, then		1. If the cookie was received from a "non-HTTP" API, and the
	abort these steps and ignore the newly created cookie entirely.		API was called from a context whose "site for cookies" is
			not an exact match for request-uri's host's registered
			domain, then abort these steps and ignore the newly created
			cookie entirely.
			2. If the cookie was received from a "same-site" request (as
			defined in Section 5.2), skip the remaining substeps and
			continue processing the cookie.
			3. If the cookie was received from a request which is
			navigating a top-level browsing context [HTML] (e.g. if the
			request's "reserved client" is either "null" or an
			environment whose "target browsing context" is a top-level
			browing context), skip the remaining substeps and continue
			processing the cookie.
			Note: Top-level navigations can create a cookie with any
			"SameSite" value, even if the new cookie wouldn't have been
			sent along with the request had it already existed prior to
			the navigation.
			4. Abort these steps and ignore the newly created cookie
			entirely.
	15. If the cookie-name begins with a case-sensitive match for the		15. If the cookie-name begins with a case-sensitive match for the
	string "__Secure-", abort these steps and ignore the cookie		string "__Secure-", abort these steps and ignore the cookie
	entirely unless the cookie's secure-only-flag is true.		entirely unless the cookie's secure-only-flag is true.
	16. If the cookie-name begins with a case-sensitive match for the		16. If the cookie-name begins with a case-sensitive match for the
	string "__Host-", abort these steps and ignore the cookie		string "__Host-", abort these steps and ignore the cookie
	entirely unless the cookie meets all the following criteria:		entirely unless the cookie meets all the following criteria:
	1. The cookie's secure-only-flag is true.		1. The cookie's secure-only-flag is true.
	skipping to change at page 48, line 19 ¶		skipping to change at page 48, line 41 ¶
	[13] https://github.com/httpwg/http-extensions/issues/295		[13] https://github.com/httpwg/http-extensions/issues/295
	[14] https://github.com/httpwg/http-extensions/issues/302		[14] https://github.com/httpwg/http-extensions/issues/302
	[15] https://github.com/httpwg/http-extensions/issues/389		[15] https://github.com/httpwg/http-extensions/issues/389
	[16] https://github.com/httpwg/http-extensions/issues/199		[16] https://github.com/httpwg/http-extensions/issues/199
	[17] https://github.com/httpwg/http-extensions/issues/788		[17] https://github.com/httpwg/http-extensions/issues/788
			[18] https://github.com/httpwg/http-extensions/issues/594
	Appendix A. Changes		Appendix A. Changes
	A.1. draft-ietf-httpbis-rfc6265bis-00		A.1. draft-ietf-httpbis-rfc6265bis-00
	o Port [RFC6265] to Markdown. No (intentional) normative changes.		o Port [RFC6265] to Markdown. No (intentional) normative changes.
	A.2. draft-ietf-httpbis-rfc6265bis-01		A.2. draft-ietf-httpbis-rfc6265bis-01
	o Fixes to formatting caused by mistakes in the initial port to		o Fixes to formatting caused by mistakes in the initial port to
	Markdown:		Markdown:
	skipping to change at page 49, line 47 ¶		skipping to change at page 50, line 25 ¶
	o Clarified handling of invalid SameSite values:		o Clarified handling of invalid SameSite values:
	https://github.com/httpwg/http-extensions/issues/389 [15]		https://github.com/httpwg/http-extensions/issues/389 [15]
	o Reflect widespread implementation practice of including a cookie's		o Reflect widespread implementation practice of including a cookie's
	"host-only-flag" when calculating its uniqueness:		"host-only-flag" when calculating its uniqueness:
	https://github.com/httpwg/http-extensions/issues/199 [16]		https://github.com/httpwg/http-extensions/issues/199 [16]
	o Introduced an explicit "None" value for the SameSite attribute:		o Introduced an explicit "None" value for the SameSite attribute:
	https://github.com/httpwg/http-extensions/issues/788 [17]		https://github.com/httpwg/http-extensions/issues/788 [17]
			A.5. draft-ietf-httpbis-rfc6265bis-04
			o Allow "SameSite" cookies to be set for all top-level navigations.
			https://github.com/httpwg/http-extensions/issues/594 [18]
	Acknowledgements		Acknowledgements
	This document is a minor update of RFC 6265, adding small features,		This document is a minor update of RFC 6265, adding small features,
	and aligning the specification with the reality of today's		and aligning the specification with the reality of today's
	deployments. Here, we're standing upon the shoulders of giants.		deployments. Here, we're standing upon the shoulders of giants.
	Authors' Addresses		Authors' Addresses
	Adam Barth		Adam Barth
	Google, Inc		Google, Inc
End of changes. 13 change blocks.
	19 lines changed or deleted		48 lines changed or added
This html diff was produced by rfcdiff 1.44jr. The latest version is available from http://tools.ietf.org/tools/rfcdiff/