| draft-ietf-httpbis-rfc6265bis-08.txt | draft-ietf-httpbis-rfc6265bis-latest.txt | |||
|---|---|---|---|---|
| HTTP Working Group L. Chen, Ed. | HTTP Working Group L. Chen, Ed. | |||
| Internet-Draft Google LLC | Internet-Draft Google LLC | |||
| Obsoletes: 6265 (if approved) S. Englehardt, Ed. | Obsoletes: 6265 (if approved) S. Englehardt, Ed. | |||
| Intended status: Standards Track Mozilla | Intended status: Standards Track Mozilla | |||
| Expires: December 4, 2021 M. West, Ed. | Expires: April 19, 2022 M. West, Ed. | |||
| Google LLC | Google LLC | |||
| J. Wilander, Ed. | J. Wilander, Ed. | |||
| Apple, Inc | Apple, Inc | |||
| June 2, 2021 | October 16, 2021 | |||
| Cookies: HTTP State Management Mechanism | Cookies: HTTP State Management Mechanism | |||
| draft-ietf-httpbis-rfc6265bis-08 | draft-ietf-httpbis-rfc6265bis-latest | |||
| Abstract | Abstract | |||
| This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
| These header fields can be used by HTTP servers to store state | These header fields can be used by HTTP servers to store state | |||
| (called cookies) at HTTP user agents, letting the servers maintain a | (called cookies) at HTTP user agents, letting the servers maintain a | |||
| stateful session over the mostly stateless HTTP protocol. Although | stateful session over the mostly stateless HTTP protocol. Although | |||
| cookies have many historical infelicities that degrade their security | cookies have many historical infelicities that degrade their security | |||
| and privacy, the Cookie and Set-Cookie header fields are widely used | and privacy, the Cookie and Set-Cookie header fields are widely used | |||
| on the Internet. This document obsoletes RFC 6265. | on the Internet. This document obsoletes RFC 6265. | |||
| skipping to change at page 2, line 4 ¶ | skipping to change at page 2, line 4 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on December 4, 2021. | This Internet-Draft will expire on April 19, 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 19 ¶ | skipping to change at page 3, line 19 ¶ | |||
| 5.2.1. Document-based requests . . . . . . . . . . . . . . . 21 | 5.2.1. Document-based requests . . . . . . . . . . . . . . . 21 | |||
| 5.2.2. Worker-based requests . . . . . . . . . . . . . . . . 22 | 5.2.2. Worker-based requests . . . . . . . . . . . . . . . . 22 | |||
| 5.3. Ignoring Set-Cookie Header Fields . . . . . . . . . . . . 23 | 5.3. Ignoring Set-Cookie Header Fields . . . . . . . . . . . . 23 | |||
| 5.4. The Set-Cookie Header Field . . . . . . . . . . . . . . . 23 | 5.4. The Set-Cookie Header Field . . . . . . . . . . . . . . . 23 | |||
| 5.4.1. The Expires Attribute . . . . . . . . . . . . . . . . 26 | 5.4.1. The Expires Attribute . . . . . . . . . . . . . . . . 26 | |||
| 5.4.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 26 | 5.4.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 26 | |||
| 5.4.3. The Domain Attribute . . . . . . . . . . . . . . . . 26 | 5.4.3. The Domain Attribute . . . . . . . . . . . . . . . . 26 | |||
| 5.4.4. The Path Attribute . . . . . . . . . . . . . . . . . 27 | 5.4.4. The Path Attribute . . . . . . . . . . . . . . . . . 27 | |||
| 5.4.5. The Secure Attribute . . . . . . . . . . . . . . . . 27 | 5.4.5. The Secure Attribute . . . . . . . . . . . . . . . . 27 | |||
| 5.4.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 27 | 5.4.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 27 | |||
| 5.4.7. The SameSite Attribute . . . . . . . . . . . . . . . 28 | 5.4.7. The SameSite Attribute . . . . . . . . . . . . . . . 27 | |||
| 5.5. Storage Model . . . . . . . . . . . . . . . . . . . . . . 30 | 5.5. Storage Model . . . . . . . . . . . . . . . . . . . . . . 29 | |||
| 5.6. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 35 | 5.6. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 35 | |||
| 5.6.1. The Cookie Header Field . . . . . . . . . . . . . . . 35 | 5.6.1. The Cookie Header Field . . . . . . . . . . . . . . . 35 | |||
| 5.6.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 35 | 5.6.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 35 | |||
| 5.6.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 36 | 5.6.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 36 | |||
| 6. Implementation Considerations . . . . . . . . . . . . . . . . 38 | 6. Implementation Considerations . . . . . . . . . . . . . . . . 38 | |||
| 6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 38 | 6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 6.2. Application Programming Interfaces . . . . . . . . . . . 38 | 6.2. Application Programming Interfaces . . . . . . . . . . . 38 | |||
| 6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 38 | 6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 39 | |||
| 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 39 | 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 39 | |||
| 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 39 | 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 39 | |||
| 7.2. Cookie policy . . . . . . . . . . . . . . . . . . . . . . 40 | 7.2. Cookie policy . . . . . . . . . . . . . . . . . . . . . . 40 | |||
| 7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 40 | 7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 40 | |||
| 7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 40 | 7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 41 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 41 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 41 | |||
| 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 41 | 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 41 | |||
| 8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 41 | 8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 41 | |||
| 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 42 | 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 42 | |||
| 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 42 | 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 43 | |||
| 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 43 | 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 43 | |||
| 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 44 | 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 44 | |||
| 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 44 | 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 45 | |||
| 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 45 | 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 45 | |||
| 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 45 | 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 45 | |||
| 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 45 | 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 45 | |||
| 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 46 | 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 46 | |||
| 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 46 | 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 46 | |||
| 8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 46 | 8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 46 | |||
| 8.8.6. Top-level requests with "unsafe" methods . . . . . . 47 | 8.8.6. Top-level requests with "unsafe" methods . . . . . . 47 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48 | |||
| 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 48 | 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 48 | |||
| 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 48 | 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 48 | |||
| 9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 48 | 9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 48 | |||
| 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 48 | 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 49 | |||
| 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 49 | 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 49 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 49 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 49 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 49 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 49 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 51 | 10.2. Informative References . . . . . . . . . . . . . . . . . 51 | |||
| 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 52 | 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 53 | |||
| Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 54 | Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 55 | |||
| A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 54 | A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 55 | |||
| A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 54 | A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 55 | |||
| A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 55 | A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 55 | |||
| A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 55 | A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 56 | |||
| A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 56 | A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 56 | |||
| A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 56 | A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 56 | |||
| A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 56 | A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 57 | |||
| A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 57 | A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 57 | |||
| A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 57 | A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 57 | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 57 | A.10. draft-ietf-httpbis-rfc6265bis-09 . . . . . . . . . . . . 58 | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 58 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58 | |||
| 1. Introduction | 1. Introduction | |||
| This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
| Using the Set-Cookie header field, an HTTP server can pass name/value | Using the Set-Cookie header field, an HTTP server can pass name/value | |||
| pairs and associated metadata (called cookies) to a user agent. When | pairs and associated metadata (called cookies) to a user agent. When | |||
| the user agent makes subsequent requests to the server, the user | the user agent makes subsequent requests to the server, the user | |||
| agent uses the metadata and other information to determine whether to | agent uses the metadata and other information to determine whether to | |||
| return the name/value pairs in the Cookie header field. | return the name/value pairs in the Cookie header field. | |||
| skipping to change at page 7, line 46 ¶ | skipping to change at page 7, line 46 ¶ | |||
| Cookie header field does not preclude HTTP caches from storing and | Cookie header field does not preclude HTTP caches from storing and | |||
| reusing a response. | reusing a response. | |||
| Origin servers SHOULD NOT fold multiple Set-Cookie header fields into | Origin servers SHOULD NOT fold multiple Set-Cookie header fields into | |||
| a single header field. The usual mechanism for folding HTTP headers | a single header field. The usual mechanism for folding HTTP headers | |||
| fields (i.e., as defined in Section 5.3 of [HTTPSEM]) might change | fields (i.e., as defined in Section 5.3 of [HTTPSEM]) might change | |||
| the semantics of the Set-Cookie header field because the %x2C (",") | the semantics of the Set-Cookie header field because the %x2C (",") | |||
| character is used by Set-Cookie in a way that conflicts with such | character is used by Set-Cookie in a way that conflicts with such | |||
| folding. | folding. | |||
| User agents MAY ignore Set-Cookie header fieldss based on response | User agents MAY ignore Set-Cookie header fields based on response | |||
| status codes or the user agent's cookie policy (see Section 5.3). | status codes or the user agent's cookie policy (see Section 5.3). | |||
| 3.1. Examples | 3.1. Examples | |||
| Using the Set-Cookie header field, a server can send the user agent a | Using the Set-Cookie header field, a server can send the user agent a | |||
| short string in an HTTP response that the user agent will return in | short string in an HTTP response that the user agent will return in | |||
| future HTTP requests that are within the scope of the cookie. For | future HTTP requests that are within the scope of the cookie. For | |||
| example, the server can send the user agent a "session identifier" | example, the server can send the user agent a "session identifier" | |||
| named SID with the value 31d4d96e407aad42. The user agent then | named SID with the value 31d4d96e407aad42. The user agent then | |||
| returns the session identifier in subsequent requests. | returns the session identifier in subsequent requests. | |||
| skipping to change at page 13, line 44 ¶ | skipping to change at page 13, line 44 ¶ | |||
| 4.1.2.5. The Secure Attribute | 4.1.2.5. The Secure Attribute | |||
| The Secure attribute limits the scope of the cookie to "secure" | The Secure attribute limits the scope of the cookie to "secure" | |||
| channels (where "secure" is defined by the user agent). When a | channels (where "secure" is defined by the user agent). When a | |||
| cookie has the Secure attribute, the user agent will include the | cookie has the Secure attribute, the user agent will include the | |||
| cookie in an HTTP request only if the request is transmitted over a | cookie in an HTTP request only if the request is transmitted over a | |||
| secure channel (typically HTTP over Transport Layer Security (TLS) | secure channel (typically HTTP over Transport Layer Security (TLS) | |||
| [RFC2818]). | [RFC2818]). | |||
| Although seemingly useful for protecting cookies from active network | ||||
| attackers, the Secure attribute protects only the cookie's | ||||
| confidentiality. An active network attacker can overwrite Secure | ||||
| cookies from an insecure channel, disrupting their integrity (see | ||||
| Section 8.6 for more details). | ||||
| 4.1.2.6. The HttpOnly Attribute | 4.1.2.6. The HttpOnly Attribute | |||
| The HttpOnly attribute limits the scope of the cookie to HTTP | The HttpOnly attribute limits the scope of the cookie to HTTP | |||
| requests. In particular, the attribute instructs the user agent to | requests. In particular, the attribute instructs the user agent to | |||
| omit the cookie when providing access to cookies via non-HTTP APIs. | omit the cookie when providing access to cookies via non-HTTP APIs. | |||
| Note that the HttpOnly attribute is independent of the Secure | Note that the HttpOnly attribute is independent of the Secure | |||
| attribute: a cookie can have both the HttpOnly and the Secure | attribute: a cookie can have both the HttpOnly and the Secure | |||
| attribute. | attribute. | |||
| skipping to change at page 15, line 17 ¶ | skipping to change at page 15, line 11 ¶ | |||
| If a cookie's name begins with a case-sensitive match for the string | If a cookie's name begins with a case-sensitive match for the string | |||
| "__Secure-", then the cookie will have been set with a "Secure" | "__Secure-", then the cookie will have been set with a "Secure" | |||
| attribute. | attribute. | |||
| For example, the following "Set-Cookie" header field would be | For example, the following "Set-Cookie" header field would be | |||
| rejected by a conformant user agent, as it does not have a "Secure" | rejected by a conformant user agent, as it does not have a "Secure" | |||
| attribute. | attribute. | |||
| Set-Cookie: __Secure-SID=12345; Domain=site.example | Set-Cookie: __Secure-SID=12345; Domain=site.example | |||
| Whereas the following "Set-Cookie" header field would be accepted: | Whereas the following "Set-Cookie" header field would be accepted if | |||
| set from a secure origin (e.g. "https://site.example/"), and rejected | ||||
| otherwise: | ||||
| Set-Cookie: __Secure-SID=12345; Domain=site.example; Secure | Set-Cookie: __Secure-SID=12345; Domain=site.example; Secure | |||
| 4.1.3.2. The "__Host-" Prefix | 4.1.3.2. The "__Host-" Prefix | |||
| If a cookie's name begins with a case-sensitive match for the string | If a cookie's name begins with a case-sensitive match for the string | |||
| "__Host-", then the cookie will have been set with a "Secure" | "__Host-", then the cookie will have been set with a "Secure" | |||
| attribute, a "Path" attribute with a value of "/", and no "Domain" | attribute, a "Path" attribute with a value of "/", and no "Domain" | |||
| attribute. | attribute. | |||
| skipping to change at page 24, line 7 ¶ | skipping to change at page 24, line 4 ¶ | |||
| Section 4.1. For example, the algorithm strips leading and trailing | Section 4.1. For example, the algorithm strips leading and trailing | |||
| whitespace from the cookie name and value (but maintains internal | whitespace from the cookie name and value (but maintains internal | |||
| whitespace), whereas the grammar in Section 4.1 forbids whitespace in | whitespace), whereas the grammar in Section 4.1 forbids whitespace in | |||
| these positions. In addition, the algorithm below accommodates some | these positions. In addition, the algorithm below accommodates some | |||
| characters that are not cookie-octets according to the grammar in | characters that are not cookie-octets according to the grammar in | |||
| Section 4.1. User agents use this algorithm so as to interoperate | Section 4.1. User agents use this algorithm so as to interoperate | |||
| with servers that do not follow the recommendations in Section 4. | with servers that do not follow the recommendations in Section 4. | |||
| NOTE: As set-cookie-string may originate from a non-HTTP API, it is | NOTE: As set-cookie-string may originate from a non-HTTP API, it is | |||
| not guaranteed to be free of CTL characters, so this algorithm | not guaranteed to be free of CTL characters, so this algorithm | |||
| handles them explicitly. | handles them explicitly. Horizontal tab (%x09) is excluded from the | |||
| CTL characters that lead to set-cookie-string rejection, as it is | ||||
| considered whitespace, which is handled separately. | ||||
| A user agent MUST use an algorithm equivalent to the following | A user agent MUST use an algorithm equivalent to the following | |||
| algorithm to parse a set-cookie-string: | algorithm to parse a set-cookie-string: | |||
| 1. If the set-cookie-string contains a %x0D (CR), %x0A (LF), or %x00 | 1. If the set-cookie-string contains a %x00-08 / %x0A-1F / %x7F | |||
| (NUL) octet, then set the set-cookie-string equal to all the | character (CTL characters excluding HTAB): Abort these steps and | |||
| characters of set-cookie-string up to, but not including, the | ignore the set-cookie-string entirely. | |||
| first such octet. | ||||
| 2. If the set-cookie-string contains a %x00-1F / %x7F (CTL) | ||||
| character: Abort these steps and ignore the set-cookie-string | ||||
| entirely. | ||||
| 3. If the set-cookie-string contains a %x3B (";") character: | 2. If the set-cookie-string contains a %x3B (";") character: | |||
| 1. The name-value-pair string consists of the characters up to, | 1. The name-value-pair string consists of the characters up to, | |||
| but not including, the first %x3B (";"), and the unparsed- | but not including, the first %x3B (";"), and the unparsed- | |||
| attributes consist of the remainder of the set-cookie-string | attributes consist of the remainder of the set-cookie-string | |||
| (including the %x3B (";") in question). | (including the %x3B (";") in question). | |||
| Otherwise: | Otherwise: | |||
| 1. The name-value-pair string consists of all the characters | 1. The name-value-pair string consists of all the characters | |||
| contained in the set-cookie-string, and the unparsed- | contained in the set-cookie-string, and the unparsed- | |||
| attributes is the empty string. | attributes is the empty string. | |||
| 4. If the name-value-pair string lacks a %x3D ("=") character, then | 3. If the name-value-pair string lacks a %x3D ("=") character, then | |||
| the name string is empty, and the value string is the value of | the name string is empty, and the value string is the value of | |||
| name-value-pair. | name-value-pair. | |||
| Otherwise, the name string consists of the characters up to, but | Otherwise, the name string consists of the characters up to, but | |||
| not including, the first %x3D ("=") character, and the (possibly | not including, the first %x3D ("=") character, and the (possibly | |||
| empty) value string consists of the characters after the first | empty) value string consists of the characters after the first | |||
| %x3D ("=") character. | %x3D ("=") character. | |||
| 5. Remove any leading or trailing WSP characters from the name | 4. Remove any leading or trailing WSP characters from the name | |||
| string and the value string. | string and the value string. | |||
| 5. If the sum of the lengths of the name string and the value string | ||||
| is more than 4096 octets, abort these steps and ignore the set- | ||||
| cookie-string entirely. | ||||
| 6. The cookie-name is the name string, and the cookie-value is the | 6. The cookie-name is the name string, and the cookie-value is the | |||
| value string. | value string. | |||
| The user agent MUST use an algorithm equivalent to the following | The user agent MUST use an algorithm equivalent to the following | |||
| algorithm to parse the unparsed-attributes: | algorithm to parse the unparsed-attributes: | |||
| 1. If the unparsed-attributes string is empty, skip the rest of | 1. If the unparsed-attributes string is empty, skip the rest of | |||
| these steps. | these steps. | |||
| 2. Discard the first character of the unparsed-attributes (which | 2. Discard the first character of the unparsed-attributes (which | |||
| skipping to change at page 25, line 39 ¶ | skipping to change at page 25, line 36 ¶ | |||
| character. | character. | |||
| Otherwise: | Otherwise: | |||
| 1. The attribute-name string consists of the entire cookie-av | 1. The attribute-name string consists of the entire cookie-av | |||
| string, and the attribute-value string is empty. | string, and the attribute-value string is empty. | |||
| 5. Remove any leading or trailing WSP characters from the attribute- | 5. Remove any leading or trailing WSP characters from the attribute- | |||
| name string and the attribute-value string. | name string and the attribute-value string. | |||
| 6. Process the attribute-name and attribute-value according to the | 6. If the attribute-value is longer than 1024 octets, ignore the | |||
| cookie-av string and return to Step 1 of this algorithm. | ||||
| 7. Process the attribute-name and attribute-value according to the | ||||
| requirements in the following subsections. (Notice that | requirements in the following subsections. (Notice that | |||
| attributes with unrecognized attribute-names are ignored.) | attributes with unrecognized attribute-names are ignored.) | |||
| 7. Return to Step 1 of this algorithm. | 8. Return to Step 1 of this algorithm. | |||
| When the user agent finishes parsing the set-cookie-string, the user | When the user agent finishes parsing the set-cookie-string, the user | |||
| agent is said to "receive a cookie" from the request-uri with name | agent is said to "receive a cookie" from the request-uri with name | |||
| cookie-name, value cookie-value, and attributes cookie-attribute- | cookie-name, value cookie-value, and attributes cookie-attribute- | |||
| list. (See Section 5.5 for additional requirements triggered by | list. (See Section 5.5 for additional requirements triggered by | |||
| receiving a cookie.) | receiving a cookie.) | |||
| 5.4.1. The Expires Attribute | 5.4.1. The Expires Attribute | |||
| If the attribute-name case-insensitively matches the string | If the attribute-name case-insensitively matches the string | |||
| skipping to change at page 27, line 5 ¶ | skipping to change at page 27, line 5 ¶ | |||
| seconds. | seconds. | |||
| 5. Append an attribute to the cookie-attribute-list with an | 5. Append an attribute to the cookie-attribute-list with an | |||
| attribute-name of Max-Age and an attribute-value of expiry-time. | attribute-name of Max-Age and an attribute-value of expiry-time. | |||
| 5.4.3. The Domain Attribute | 5.4.3. The Domain Attribute | |||
| If the attribute-name case-insensitively matches the string "Domain", | If the attribute-name case-insensitively matches the string "Domain", | |||
| the user agent MUST process the cookie-av as follows. | the user agent MUST process the cookie-av as follows. | |||
| 1. If the attribute-value is empty, the behavior is undefined. | 1. Let cookie-domain be the attribute-value. | |||
| However, the user agent SHOULD ignore the cookie-av entirely. | ||||
| 2. If the first character of the attribute-value string is %x2E | ||||
| ("."): | ||||
| 1. Let cookie-domain be the attribute-value without the leading | ||||
| %x2E (".") character. | ||||
| Otherwise: | ||||
| 1. Let cookie-domain be the entire attribute-value. | 2. If cookie-domain starts with %x2E ("."), let cookie-domain be | |||
| cookie-domain without its leading %x2E ("."). | ||||
| 3. Convert the cookie-domain to lower case. | 3. Convert the cookie-domain to lower case. | |||
| 4. Append an attribute to the cookie-attribute-list with an | 4. Append an attribute to the cookie-attribute-list with an | |||
| attribute-name of Domain and an attribute-value of cookie-domain. | attribute-name of Domain and an attribute-value of cookie-domain. | |||
| 5.4.4. The Path Attribute | 5.4.4. The Path Attribute | |||
| If the attribute-name case-insensitively matches the string "Path", | If the attribute-name case-insensitively matches the string "Path", | |||
| the user agent MUST process the cookie-av as follows. | the user agent MUST process the cookie-av as follows. | |||
| skipping to change at page 30, line 22 ¶ | skipping to change at page 30, line 15 ¶ | |||
| When the user agent "receives a cookie" from a request-uri with name | When the user agent "receives a cookie" from a request-uri with name | |||
| cookie-name, value cookie-value, and attributes cookie-attribute- | cookie-name, value cookie-value, and attributes cookie-attribute- | |||
| list, the user agent MUST process the cookie as follows: | list, the user agent MUST process the cookie as follows: | |||
| 1. A user agent MAY ignore a received cookie in its entirety. See | 1. A user agent MAY ignore a received cookie in its entirety. See | |||
| Section 5.3. | Section 5.3. | |||
| 2. If cookie-name is empty and cookie-value is empty, abort these | 2. If cookie-name is empty and cookie-value is empty, abort these | |||
| steps and ignore the cookie entirely. | steps and ignore the cookie entirely. | |||
| 3. If the cookie-name or the cookie-value contains a %x00-1F / %x7F | 3. If the cookie-name or the cookie-value contains a %x00-08 / | |||
| (CTL) character, abort these steps and ignore the cookie | %x0A-1F / %x7F character (CTL characters excluding HTAB), abort | |||
| these steps and ignore the cookie entirely. | ||||
| 4. If the sum of the lengths of cookie-name and cookie-value is | ||||
| more than 4096 octets, abort these steps and ignore the cookie | ||||
| entirely. | entirely. | |||
| 4. Create a new cookie with name cookie-name, value cookie-value. | 5. Create a new cookie with name cookie-name, value cookie-value. | |||
| Set the creation-time and the last-access-time to the current | Set the creation-time and the last-access-time to the current | |||
| date and time. | date and time. | |||
| 5. If the cookie-attribute-list contains an attribute with an | 6. If the cookie-attribute-list contains an attribute with an | |||
| attribute-name of "Max-Age": | attribute-name of "Max-Age": | |||
| 1. Set the cookie's persistent-flag to true. | 1. Set the cookie's persistent-flag to true. | |||
| 2. Set the cookie's expiry-time to attribute-value of the last | 2. Set the cookie's expiry-time to attribute-value of the last | |||
| attribute in the cookie-attribute-list with an attribute- | attribute in the cookie-attribute-list with an attribute- | |||
| name of "Max-Age". | name of "Max-Age". | |||
| Otherwise, if the cookie-attribute-list contains an attribute | Otherwise, if the cookie-attribute-list contains an attribute | |||
| with an attribute-name of "Expires" (and does not contain an | with an attribute-name of "Expires" (and does not contain an | |||
| skipping to change at page 31, line 8 ¶ | skipping to change at page 31, line 5 ¶ | |||
| attribute in the cookie-attribute-list with an attribute- | attribute in the cookie-attribute-list with an attribute- | |||
| name of "Expires". | name of "Expires". | |||
| Otherwise: | Otherwise: | |||
| 1. Set the cookie's persistent-flag to false. | 1. Set the cookie's persistent-flag to false. | |||
| 2. Set the cookie's expiry-time to the latest representable | 2. Set the cookie's expiry-time to the latest representable | |||
| date. | date. | |||
| 6. If the cookie-attribute-list contains an attribute with an | 7. If the cookie-attribute-list contains an attribute with an | |||
| attribute-name of "Domain": | attribute-name of "Domain": | |||
| 1. Let the domain-attribute be the attribute-value of the last | 1. Let the domain-attribute be the attribute-value of the last | |||
| attribute in the cookie-attribute-list with an attribute- | attribute in the cookie-attribute-list with both an | |||
| name of "Domain". | attribute-name of "Domain" and an attribute-value whose | |||
| length is no more than 1024 octets. (Note that a leading | ||||
| %x2E ("."), if present, is ignored even though that | ||||
| character is not permitted, but a trailing %x2E ("."), if | ||||
| present, will cause the user agent to ignore the attribute.) | ||||
| Otherwise: | Otherwise: | |||
| 1. Let the domain-attribute be the empty string. | 1. Let the domain-attribute be the empty string. | |||
| 7. If the user agent is configured to reject "public suffixes" and | 8. If the user agent is configured to reject "public suffixes" and | |||
| the domain-attribute is a public suffix: | the domain-attribute is a public suffix: | |||
| 1. If the domain-attribute is identical to the canonicalized | 1. If the domain-attribute is identical to the canonicalized | |||
| request-host: | request-host: | |||
| 1. Let the domain-attribute be the empty string. | 1. Let the domain-attribute be the empty string. | |||
| Otherwise: | Otherwise: | |||
| 1. Ignore the cookie entirely and abort these steps. | 1. Ignore the cookie entirely and abort these steps. | |||
| NOTE: This step prevents "attacker.example" from disrupting the | NOTE: This step prevents "attacker.example" from disrupting the | |||
| integrity of "site.example" by setting a cookie with a Domain | integrity of "site.example" by setting a cookie with a Domain | |||
| attribute of "example". | attribute of "example". | |||
| 8. If the domain-attribute is non-empty: | 9. If the domain-attribute is non-empty: | |||
| 1. If the canonicalized request-host does not domain-match the | 1. If the canonicalized request-host does not domain-match the | |||
| domain-attribute: | domain-attribute: | |||
| 1. Ignore the cookie entirely and abort these steps. | 1. Ignore the cookie entirely and abort these steps. | |||
| Otherwise: | Otherwise: | |||
| 1. Set the cookie's host-only-flag to false. | 1. Set the cookie's host-only-flag to false. | |||
| 2. Set the cookie's domain to the domain-attribute. | 2. Set the cookie's domain to the domain-attribute. | |||
| Otherwise: | Otherwise: | |||
| 1. Set the cookie's host-only-flag to true. | 1. Set the cookie's host-only-flag to true. | |||
| 2. Set the cookie's domain to the canonicalized request-host. | 2. Set the cookie's domain to the canonicalized request-host. | |||
| 9. If the cookie-attribute-list contains an attribute with an | 10. If the cookie-attribute-list contains an attribute with an | |||
| attribute-name of "Path", set the cookie's path to attribute- | attribute-name of "Path", set the cookie's path to attribute- | |||
| value of the last attribute in the cookie-attribute-list with an | value of the last attribute in the cookie-attribute-list with | |||
| attribute-name of "Path". Otherwise, set the cookie's path to | both an attribute-name of "Path" and an attribute-value whose | |||
| the default-path of the request-uri. | length is no more than 1024 octets. Otherwise, set the cookie's | |||
| path to the default-path of the request-uri. | ||||
| 10. If the cookie-attribute-list contains an attribute with an | 11. If the cookie-attribute-list contains an attribute with an | |||
| attribute-name of "Secure", set the cookie's secure-only-flag to | attribute-name of "Secure", set the cookie's secure-only-flag to | |||
| true. Otherwise, set the cookie's secure-only-flag to false. | true. Otherwise, set the cookie's secure-only-flag to false. | |||
| 11. If the scheme component of the request-uri does not denote a | 12. If the scheme component of the request-uri does not denote a | |||
| "secure" protocol (as defined by the user agent), and the | "secure" protocol (as defined by the user agent), and the | |||
| cookie's secure-only-flag is true, then abort these steps and | cookie's secure-only-flag is true, then abort these steps and | |||
| ignore the cookie entirely. | ignore the cookie entirely. | |||
| 12. If the cookie-attribute-list contains an attribute with an | 13. If the cookie-attribute-list contains an attribute with an | |||
| attribute-name of "HttpOnly", set the cookie's http-only-flag to | attribute-name of "HttpOnly", set the cookie's http-only-flag to | |||
| true. Otherwise, set the cookie's http-only-flag to false. | true. Otherwise, set the cookie's http-only-flag to false. | |||
| 13. If the cookie was received from a "non-HTTP" API and the | 14. If the cookie was received from a "non-HTTP" API and the | |||
| cookie's http-only-flag is true, abort these steps and ignore | cookie's http-only-flag is true, abort these steps and ignore | |||
| the cookie entirely. | the cookie entirely. | |||
| 14. If the cookie's secure-only-flag is false, and the scheme | 15. If the cookie's secure-only-flag is false, and the scheme | |||
| component of request-uri does not denote a "secure" protocol, | component of request-uri does not denote a "secure" protocol, | |||
| then abort these steps and ignore the cookie entirely if the | then abort these steps and ignore the cookie entirely if the | |||
| cookie store contains one or more cookies that meet all of the | cookie store contains one or more cookies that meet all of the | |||
| following criteria: | following criteria: | |||
| 1. Their name matches the name of the newly-created cookie. | 1. Their name matches the name of the newly-created cookie. | |||
| 2. Their secure-only-flag is true. | 2. Their secure-only-flag is true. | |||
| 3. Their domain domain-matches the domain of the newly-created | 3. Their domain domain-matches the domain of the newly-created | |||
| skipping to change at page 33, line 5 ¶ | skipping to change at page 33, line 7 ¶ | |||
| of the existing cookie. | of the existing cookie. | |||
| Note: The path comparison is not symmetric, ensuring only that a | Note: The path comparison is not symmetric, ensuring only that a | |||
| newly-created, non-secure cookie does not overlay an existing | newly-created, non-secure cookie does not overlay an existing | |||
| secure cookie, providing some mitigation against cookie-fixing | secure cookie, providing some mitigation against cookie-fixing | |||
| attacks. That is, given an existing secure cookie named 'a' | attacks. That is, given an existing secure cookie named 'a' | |||
| with a path of '/login', a non-secure cookie named 'a' could be | with a path of '/login', a non-secure cookie named 'a' could be | |||
| set for a path of '/' or '/foo', but not for a path of '/login' | set for a path of '/' or '/foo', but not for a path of '/login' | |||
| or '/login/en'. | or '/login/en'. | |||
| 15. If the cookie-attribute-list contains an attribute with an | 16. If the cookie-attribute-list contains an attribute with an | |||
| attribute-name of "SameSite", and an attribute-value of | attribute-name of "SameSite", and an attribute-value of | |||
| "Strict", "Lax", or "None", set the cookie's same-site-flag to | "Strict", "Lax", or "None", set the cookie's same-site-flag to | |||
| the attribute-value of the last attribute in the cookie- | the attribute-value of the last attribute in the cookie- | |||
| attribute-list with an attribute-name of "SameSite". Otherwise, | attribute-list with an attribute-name of "SameSite". Otherwise, | |||
| set the cookie's same-site-flag to "Default". | set the cookie's same-site-flag to "Default". | |||
| 16. If the cookie's "same-site-flag" is not "None": | 17. If the cookie's "same-site-flag" is not "None": | |||
| 1. If the cookie was received from a "non-HTTP" API, and the | 1. If the cookie was received from a "non-HTTP" API, and the | |||
| API was called from a browsing context's active document | API was called from a browsing context's active document | |||
| whose "site for cookies" is not same-site with the top-level | whose "site for cookies" is not same-site with the top-level | |||
| origin, then abort these steps and ignore the newly created | origin, then abort these steps and ignore the newly created | |||
| cookie entirely. | cookie entirely. | |||
| 2. If the cookie was received from a "same-site" request (as | 2. If the cookie was received from a "same-site" request (as | |||
| defined in Section 5.2), skip the remaining substeps and | defined in Section 5.2), skip the remaining substeps and | |||
| continue processing the cookie. | continue processing the cookie. | |||
| skipping to change at page 33, line 39 ¶ | skipping to change at page 33, line 41 ¶ | |||
| processing the cookie. | processing the cookie. | |||
| Note: Top-level navigations can create a cookie with any | Note: Top-level navigations can create a cookie with any | |||
| "SameSite" value, even if the new cookie wouldn't have been | "SameSite" value, even if the new cookie wouldn't have been | |||
| sent along with the request had it already existed prior to | sent along with the request had it already existed prior to | |||
| the navigation. | the navigation. | |||
| 4. Abort these steps and ignore the newly created cookie | 4. Abort these steps and ignore the newly created cookie | |||
| entirely. | entirely. | |||
| 17. If the cookie's "same-site-flag" is "None", abort these steps | 18. If the cookie's "same-site-flag" is "None", abort these steps | |||
| and ignore the cookie entirely unless the cookie's secure-only- | and ignore the cookie entirely unless the cookie's secure-only- | |||
| flag is true. | flag is true. | |||
| 18. If the cookie-name begins with a case-sensitive match for the | 19. If the cookie-name begins with a case-sensitive match for the | |||
| string "__Secure-", abort these steps and ignore the cookie | string "__Secure-", abort these steps and ignore the cookie | |||
| entirely unless the cookie's secure-only-flag is true. | entirely unless the cookie's secure-only-flag is true. | |||
| 19. If the cookie-name begins with a case-sensitive match for the | 20. If the cookie-name begins with a case-sensitive match for the | |||
| string "__Host-", abort these steps and ignore the cookie | string "__Host-", abort these steps and ignore the cookie | |||
| entirely unless the cookie meets all the following criteria: | entirely unless the cookie meets all the following criteria: | |||
| 1. The cookie's secure-only-flag is true. | 1. The cookie's secure-only-flag is true. | |||
| 2. The cookie's host-only-flag is true. | 2. The cookie's host-only-flag is true. | |||
| 3. The cookie-attribute-list contains an attribute with an | 3. The cookie-attribute-list contains an attribute with an | |||
| attribute-name of "Path", and the cookie's path is "/". | attribute-name of "Path", and the cookie's path is "/". | |||
| 20. If the cookie store contains a cookie with the same name, | 21. If the cookie store contains a cookie with the same name, | |||
| domain, host-only-flag, and path as the newly-created cookie: | domain, host-only-flag, and path as the newly-created cookie: | |||
| 1. Let old-cookie be the existing cookie with the same name, | 1. Let old-cookie be the existing cookie with the same name, | |||
| domain, host-only-flag, and path as the newly-created | domain, host-only-flag, and path as the newly-created | |||
| cookie. (Notice that this algorithm maintains the invariant | cookie. (Notice that this algorithm maintains the invariant | |||
| that there is at most one such cookie.) | that there is at most one such cookie.) | |||
| 2. If the newly-created cookie was received from a "non-HTTP" | 2. If the newly-created cookie was received from a "non-HTTP" | |||
| API and the old-cookie's http-only-flag is true, abort these | API and the old-cookie's http-only-flag is true, abort these | |||
| steps and ignore the newly created cookie entirely. | steps and ignore the newly created cookie entirely. | |||
| 3. Update the creation-time of the newly-created cookie to | 3. Update the creation-time of the newly-created cookie to | |||
| match the creation-time of the old-cookie. | match the creation-time of the old-cookie. | |||
| 4. Remove the old-cookie from the cookie store. | 4. Remove the old-cookie from the cookie store. | |||
| 21. Insert the newly-created cookie into the cookie store. | 22. Insert the newly-created cookie into the cookie store. | |||
| A cookie is "expired" if the cookie has an expiry date in the past. | A cookie is "expired" if the cookie has an expiry date in the past. | |||
| The user agent MUST evict all expired cookies from the cookie store | The user agent MUST evict all expired cookies from the cookie store | |||
| if, at any time, an expired cookie exists in the cookie store. | if, at any time, an expired cookie exists in the cookie store. | |||
| At any time, the user agent MAY "remove excess cookies" from the | At any time, the user agent MAY "remove excess cookies" from the | |||
| cookie store if the number of cookies sharing a domain field exceeds | cookie store if the number of cookies sharing a domain field exceeds | |||
| some implementation-defined upper bound (such as 50 cookies). | some implementation-defined upper bound (such as 50 cookies). | |||
| skipping to change at page 38, line 13 ¶ | skipping to change at page 38, line 16 ¶ | |||
| octets is valid UTF-8. | octets is valid UTF-8. | |||
| 6. Implementation Considerations | 6. Implementation Considerations | |||
| 6.1. Limits | 6.1. Limits | |||
| Practical user agent implementations have limits on the number and | Practical user agent implementations have limits on the number and | |||
| size of cookies that they can store. General-use user agents SHOULD | size of cookies that they can store. General-use user agents SHOULD | |||
| provide each of the following minimum capabilities: | provide each of the following minimum capabilities: | |||
| o At least 4096 bytes per cookie (as measured by the sum of the | ||||
| length of the cookie's name, value, and attributes). | ||||
| o At least 50 cookies per domain. | o At least 50 cookies per domain. | |||
| o At least 3000 cookies total. | o At least 3000 cookies total. | |||
| User agents MAY limit the maximum number of cookies they store, and | ||||
| may evict any cookie at any time (whether at the request of the user | ||||
| or due to implementation limitations). | ||||
| Note that a limit on the maximum number of cookies also limits the | ||||
| total size of the stored cookies, due to the length limits which MUST | ||||
| be enforced in Section 5.4. | ||||
| Servers SHOULD use as few and as small cookies as possible to avoid | Servers SHOULD use as few and as small cookies as possible to avoid | |||
| reaching these implementation limits and to minimize network | reaching these implementation limits and to minimize network | |||
| bandwidth due to the Cookie header field being included in every | bandwidth due to the Cookie header field being included in every | |||
| request. | request. | |||
| Servers SHOULD gracefully degrade if the user agent fails to return | Servers SHOULD gracefully degrade if the user agent fails to return | |||
| one or more cookies in the Cookie header field because the user agent | one or more cookies in the Cookie header field because the user agent | |||
| might evict any cookie at any time on orders from the user. | might evict any cookie at any time. | |||
| 6.2. Application Programming Interfaces | 6.2. Application Programming Interfaces | |||
| One reason the Cookie and Set-Cookie header fields use such esoteric | One reason the Cookie and Set-Cookie header fields use such esoteric | |||
| syntax is that many platforms (both in servers and user agents) | syntax is that many platforms (both in servers and user agents) | |||
| provide a string-based application programming interface (API) to | provide a string-based application programming interface (API) to | |||
| cookies, requiring application-layer programmers to generate and | cookies, requiring application-layer programmers to generate and | |||
| parse the syntax used by the Cookie and Set-Cookie header fields, | parse the syntax used by the Cookie and Set-Cookie header fields, | |||
| which many programmers have done incorrectly, resulting in | which many programmers have done incorrectly, resulting in | |||
| interoperability problems. | interoperability problems. | |||
| skipping to change at page 39, line 37 ¶ | skipping to change at page 39, line 46 ¶ | |||
| another site that contains content from the same third party, the | another site that contains content from the same third party, the | |||
| third party can track the user between the two sites. | third party can track the user between the two sites. | |||
| Given this risk to user privacy, some user agents restrict how third- | Given this risk to user privacy, some user agents restrict how third- | |||
| party cookies behave, and those restrictions vary widly. For | party cookies behave, and those restrictions vary widly. For | |||
| instance, user agents might block third-party cookies entirely by | instance, user agents might block third-party cookies entirely by | |||
| refusing to send Cookie header fields or process Set-Cookie header | refusing to send Cookie header fields or process Set-Cookie header | |||
| fields during third-party requests. They might take a less draconian | fields during third-party requests. They might take a less draconian | |||
| approach by partitioning cookies based on the first-party context, | approach by partitioning cookies based on the first-party context, | |||
| sending one set of cookies to a given third party in one first-party | sending one set of cookies to a given third party in one first-party | |||
| context, and another to the same third party in another. | context, and another to the same third party in another. Or they | |||
| might even allow some third-party cookies but block others depending | ||||
| on user-agent cookie policy or user controls. | ||||
| This document grants user agents wide latitude to experiment with | This document grants user agents wide latitude to experiment with | |||
| third-party cookie policies that balance the privacy and | third-party cookie policies that balance the privacy and | |||
| compatibility needs of their users. However, this document does not | compatibility needs of their users. However, this document does not | |||
| endorse any particular third-party cookie policy. | endorse any particular third-party cookie policy. | |||
| Third-party cookie blocking policies are often ineffective at | Third-party cookie blocking policies are often ineffective at | |||
| achieving their privacy goals if servers attempt to work around their | achieving their privacy goals if servers attempt to work around their | |||
| restrictions to track users. In particular, two collaborating | restrictions to track users. In particular, two collaborating | |||
| servers can often track users without using cookies at all by | servers can often track users without using cookies at all by | |||
| skipping to change at page 44, line 37 ¶ | skipping to change at page 44, line 47 ¶ | |||
| An active network attacker can also inject cookies into the Cookie | An active network attacker can also inject cookies into the Cookie | |||
| header field sent to https://site.example/ by impersonating a | header field sent to https://site.example/ by impersonating a | |||
| response from http://site.example/ and injecting a Set-Cookie header | response from http://site.example/ and injecting a Set-Cookie header | |||
| field. The HTTPS server at site.example will be unable to | field. The HTTPS server at site.example will be unable to | |||
| distinguish these cookies from cookies that it set itself in an HTTPS | distinguish these cookies from cookies that it set itself in an HTTPS | |||
| response. An active network attacker might be able to leverage this | response. An active network attacker might be able to leverage this | |||
| ability to mount an attack against site.example even if site.example | ability to mount an attack against site.example even if site.example | |||
| uses HTTPS exclusively. | uses HTTPS exclusively. | |||
| Servers can partially mitigate these attacks by encrypting and | Servers can partially mitigate these attacks by encrypting and | |||
| signing the contents of their cookies. However, using cryptography | signing the contents of their cookies, or by naming the cookie with | |||
| does not mitigate the issue completely because an attacker can replay | the "__Secure-" prefix. However, using cryptography does not | |||
| a cookie he or she received from the authentic site.example server in | mitigate the issue completely because an attacker can replay a cookie | |||
| the user's session, with unpredictable results. | he or she received from the authentic site.example server in the | |||
| user's session, with unpredictable results. | ||||
| Finally, an attacker might be able to force the user agent to delete | Finally, an attacker might be able to force the user agent to delete | |||
| cookies by storing a large number of cookies. Once the user agent | cookies by storing a large number of cookies. Once the user agent | |||
| reaches its storage limit, the user agent will be forced to evict | reaches its storage limit, the user agent will be forced to evict | |||
| some cookies. Servers SHOULD NOT rely upon user agents retaining | some cookies. Servers SHOULD NOT rely upon user agents retaining | |||
| cookies. | cookies. | |||
| 8.7. Reliance on DNS | 8.7. Reliance on DNS | |||
| Cookies rely upon the Domain Name System (DNS) for security. If the | Cookies rely upon the Domain Name System (DNS) for security. If the | |||
| skipping to change at page 49, line 40 ¶ | skipping to change at page 49, line 50 ¶ | |||
| <https://html.spec.whatwg.org/#dom-document-cookie>. | <https://html.spec.whatwg.org/#dom-document-cookie>. | |||
| [FETCH] van Kesteren, A., "Fetch", n.d., | [FETCH] van Kesteren, A., "Fetch", n.d., | |||
| <https://fetch.spec.whatwg.org/>. | <https://fetch.spec.whatwg.org/>. | |||
| [HTML] Hickson, I., Pieters, S., van Kesteren, A., Jaegenstedt, | [HTML] Hickson, I., Pieters, S., van Kesteren, A., Jaegenstedt, | |||
| P., and D. Denicola, "HTML", n.d., | P., and D. Denicola, "HTML", n.d., | |||
| <https://html.spec.whatwg.org/>. | <https://html.spec.whatwg.org/>. | |||
| [HTTPSEM] Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP | [HTTPSEM] Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP | |||
| Semantics", draft-ietf-httpbis-semantics-16 (work in | Semantics", draft-ietf-httpbis-semantics-19 (work in | |||
| progress), May 2021. | progress), September 2021. | |||
| [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
| STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | |||
| <https://www.rfc-editor.org/info/rfc1034>. | <https://www.rfc-editor.org/info/rfc1034>. | |||
| [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - | [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - | |||
| Application and Support", STD 3, RFC 1123, | Application and Support", STD 3, RFC 1123, | |||
| DOI 10.17487/RFC1123, October 1989, | DOI 10.17487/RFC1123, October 1989, | |||
| <https://www.rfc-editor.org/info/rfc1123>. | <https://www.rfc-editor.org/info/rfc1123>. | |||
| skipping to change at page 54, line 31 ¶ | skipping to change at page 54, line 45 ¶ | |||
| [39] https://github.com/httpwg/http-extensions/pull/1416 | [39] https://github.com/httpwg/http-extensions/pull/1416 | |||
| [40] https://github.com/httpwg/http-extensions/pull/1420 | [40] https://github.com/httpwg/http-extensions/pull/1420 | |||
| [41] https://github.com/httpwg/http-extensions/pull/1428 | [41] https://github.com/httpwg/http-extensions/pull/1428 | |||
| [42] https://github.com/httpwg/http-extensions/pull/1435 | [42] https://github.com/httpwg/http-extensions/pull/1435 | |||
| [43] https://github.com/httpwg/http-extensions/pull/1527 | [43] https://github.com/httpwg/http-extensions/pull/1527 | |||
| [44] https://github.com/httpwg/http-extensions/pull/1563 | ||||
| [45] https://github.com/httpwg/http-extensions/pull/1576 | ||||
| [46] https://github.com/httpwg/http-extensions/pull/1589 | ||||
| [47] https://github.com/httpwg/http-extensions/pull/1709 | ||||
| Appendix A. Changes | Appendix A. Changes | |||
| A.1. draft-ietf-httpbis-rfc6265bis-00 | A.1. draft-ietf-httpbis-rfc6265bis-00 | |||
| o Port [RFC6265] to Markdown. No (intentional) normative changes. | o Port [RFC6265] to Markdown. No (intentional) normative changes. | |||
| A.2. draft-ietf-httpbis-rfc6265bis-01 | A.2. draft-ietf-httpbis-rfc6265bis-01 | |||
| o Fixes to formatting caused by mistakes in the initial port to | o Fixes to formatting caused by mistakes in the initial port to | |||
| Markdown: | Markdown: | |||
| skipping to change at page 57, line 47 ¶ | skipping to change at page 58, line 21 ¶ | |||
| o Refactor cookie retrieval algorithm to support non-HTTP APIs: | o Refactor cookie retrieval algorithm to support non-HTTP APIs: | |||
| https://github.com/httpwg/http-extensions/pull/1428 [41] | https://github.com/httpwg/http-extensions/pull/1428 [41] | |||
| o Define "Lax-allowing-unsafe" SameSite enforcement mode: | o Define "Lax-allowing-unsafe" SameSite enforcement mode: | |||
| https://github.com/httpwg/http-extensions/pull/1435 [42] | https://github.com/httpwg/http-extensions/pull/1435 [42] | |||
| o Consistently use "header field" (vs 'header"): | o Consistently use "header field" (vs 'header"): | |||
| https://github.com/httpwg/http-extensions/pull/1527 [43] | https://github.com/httpwg/http-extensions/pull/1527 [43] | |||
| A.10. draft-ietf-httpbis-rfc6265bis-09 | ||||
| o Update cookie size requirements: https://github.com/httpwg/http- | ||||
| extensions/pull/1563 [44] | ||||
| o Reject cookies with control characters: https://github.com/httpwg/ | ||||
| http-extensions/pull/1576 [45] | ||||
| o No longer treat horizontal tab as a control character: | ||||
| https://github.com/httpwg/http-extensions/pull/1589 [46] | ||||
| o Specify empty domain attribute handling: | ||||
| https://github.com/httpwg/http-extensions/pull/1709 [47] | ||||
| Acknowledgements | Acknowledgements | |||
| RFC 6265 was written by Adam Barth. This document is an update of | RFC 6265 was written by Adam Barth. This document is an update of | |||
| RFC 6265, adding features and aligning the specification with the | RFC 6265, adding features and aligning the specification with the | |||
| reality of today's deployments. Here, we're standing upon the | reality of today's deployments. Here, we're standing upon the | |||
| shoulders of a giant since the majority of the text is still Adam's. | shoulders of a giant since the majority of the text is still Adam's. | |||
| Authors' Addresses | Authors' Addresses | |||
| Lily Chen (editor) | Lily Chen (editor) | |||
| End of changes. 56 change blocks. | ||||
| 87 lines changed or deleted | 119 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||