draft-ietf-httpbis-rfc6265bis-10.txt | draft-ietf-httpbis-rfc6265bis-latest.txt | |||
---|---|---|---|---|
HTTP Working Group L. Chen, Ed. | HTTP Working Group L. Chen, Ed. | |||
Internet-Draft Google LLC | Internet-Draft Google LLC | |||
Obsoletes: 6265 (if approved) S. Englehardt, Ed. | Obsoletes: 6265 (if approved) S. Englehardt, Ed. | |||
Intended status: Standards Track Mozilla | Intended status: Standards Track Mozilla | |||
Expires: October 26, 2022 M. West, Ed. | Expires: January 8, 2023 M. West, Ed. | |||
Google LLC | Google LLC | |||
J. Wilander, Ed. | J. Wilander, Ed. | |||
Apple, Inc | Apple, Inc | |||
April 24, 2022 | July 7, 2022 | |||
Cookies: HTTP State Management Mechanism | Cookies: HTTP State Management Mechanism | |||
draft-ietf-httpbis-rfc6265bis-10 | draft-ietf-httpbis-rfc6265bis-latest | |||
Abstract | Abstract | |||
This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
These header fields can be used by HTTP servers to store state | These header fields can be used by HTTP servers to store state | |||
(called cookies) at HTTP user agents, letting the servers maintain a | (called cookies) at HTTP user agents, letting the servers maintain a | |||
stateful session over the mostly stateless HTTP protocol. Although | stateful session over the mostly stateless HTTP protocol. Although | |||
cookies have many historical infelicities that degrade their security | cookies have many historical infelicities that degrade their security | |||
and privacy, the Cookie and Set-Cookie header fields are widely used | and privacy, the Cookie and Set-Cookie header fields are widely used | |||
on the Internet. This document obsoletes RFC 6265. | on the Internet. This document obsoletes RFC 6265. | |||
skipping to change at page 2, line 10 | skipping to change at page 2, line 10 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on October 26, 2022. | This Internet-Draft will expire on January 8, 2023. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 51 | skipping to change at page 2, line 51 | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 5 | 2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 5 | |||
2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 6 | 2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 6 | |||
2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 | 2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 8 | 3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 9 | 4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 9 | |||
4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 10 | 4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 10 | 4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 11 | 4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 12 | |||
4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 15 | 4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 15 | |||
4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 16 | 4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 16 | 4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 16 | |||
5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 17 | 5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 17 | |||
5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 17 | 5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 17 | |||
5.1.1. Dates . . . . . . . . . . . . . . . . . . . . . . . . 17 | 5.1.1. Dates . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 19 | 5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 19 | |||
5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 20 | 5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 20 | |||
skipping to change at page 3, line 31 | skipping to change at page 3, line 31 | |||
5.4.3. The Domain Attribute . . . . . . . . . . . . . . . . 27 | 5.4.3. The Domain Attribute . . . . . . . . . . . . . . . . 27 | |||
5.4.4. The Path Attribute . . . . . . . . . . . . . . . . . 28 | 5.4.4. The Path Attribute . . . . . . . . . . . . . . . . . 28 | |||
5.4.5. The Secure Attribute . . . . . . . . . . . . . . . . 28 | 5.4.5. The Secure Attribute . . . . . . . . . . . . . . . . 28 | |||
5.4.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 28 | 5.4.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 28 | |||
5.4.7. The SameSite Attribute . . . . . . . . . . . . . . . 28 | 5.4.7. The SameSite Attribute . . . . . . . . . . . . . . . 28 | |||
5.5. Storage Model . . . . . . . . . . . . . . . . . . . . . . 30 | 5.5. Storage Model . . . . . . . . . . . . . . . . . . . . . . 30 | |||
5.6. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 36 | 5.6. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 36 | |||
5.6.1. The Cookie Header Field . . . . . . . . . . . . . . . 36 | 5.6.1. The Cookie Header Field . . . . . . . . . . . . . . . 36 | |||
5.6.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 36 | 5.6.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 36 | |||
5.6.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 37 | 5.6.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 37 | |||
6. Implementation Considerations . . . . . . . . . . . . . . . . 39 | 6. Implementation Considerations . . . . . . . . . . . . . . . . 38 | |||
6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 39 | 6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
6.2. Application Programming Interfaces . . . . . . . . . . . 39 | 6.2. Application Programming Interfaces . . . . . . . . . . . 39 | |||
6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 40 | 6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 39 | |||
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 40 | 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 40 | |||
7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 41 | 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 41 | |||
7.2. Cookie Policy . . . . . . . . . . . . . . . . . . . . . . 41 | 7.2. Cookie Policy . . . . . . . . . . . . . . . . . . . . . . 41 | |||
7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 42 | 7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 42 | |||
7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 42 | 7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 42 | |||
8. Security Considerations . . . . . . . . . . . . . . . . . . . 43 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 42 | |||
8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 43 | 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 42 | |||
8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 43 | 8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 43 | |||
8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 44 | 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 43 | |||
8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 44 | 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 44 | |||
8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 45 | 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 45 | |||
8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 46 | 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 45 | |||
8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 47 | 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 46 | |||
8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 47 | 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 46 | |||
8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 47 | 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 46 | |||
8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 47 | 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 47 | |||
8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 48 | 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 47 | |||
8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 48 | 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 48 | |||
8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 48 | 8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 48 | |||
8.8.6. Top-level requests with "unsafe" methods . . . . . . 49 | 8.8.6. Top-level requests with "unsafe" methods . . . . . . 49 | |||
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 50 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 49 | |||
9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 50 | 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 49 | |||
9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 50 | 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 50 | |||
9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 50 | 9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 50 | |||
9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 50 | 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 50 | |||
9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 51 | 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 50 | |||
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 51 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 51 | |||
10.1. Normative References . . . . . . . . . . . . . . . . . . 51 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 51 | |||
10.2. Informative References . . . . . . . . . . . . . . . . . 53 | 10.2. Informative References . . . . . . . . . . . . . . . . . 52 | |||
10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 54 | 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 54 | |||
Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 56 | Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 57 | |||
A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 56 | A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 57 | |||
A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 56 | A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 57 | |||
A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 57 | A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 57 | |||
A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 58 | A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 58 | |||
A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 58 | A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 58 | |||
A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 58 | A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 58 | |||
A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 58 | A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 59 | |||
A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 59 | A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 59 | |||
A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 59 | A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 59 | |||
A.10. draft-ietf-httpbis-rfc6265bis-09 . . . . . . . . . . . . 60 | A.10. draft-ietf-httpbis-rfc6265bis-09 . . . . . . . . . . . . 60 | |||
A.11. draft-ietf-httpbis-rfc6265bis-10 . . . . . . . . . . . . 60 | A.11. draft-ietf-httpbis-rfc6265bis-10 . . . . . . . . . . . . 60 | |||
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 60 | A.12. draft-ietf-httpbis-rfc6265bis-11 . . . . . . . . . . . . 61 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 60 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 61 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 61 | ||||
1. Introduction | 1. Introduction | |||
This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
Using the Set-Cookie header field, an HTTP server can pass name/value | Using the Set-Cookie header field, an HTTP server can pass name/value | |||
pairs and associated metadata (called cookies) to a user agent. When | pairs and associated metadata (called cookies) to a user agent. When | |||
the user agent makes subsequent requests to the server, the user | the user agent makes subsequent requests to the server, the user | |||
agent uses the metadata and other information to determine whether to | agent uses the metadata and other information to determine whether to | |||
return the name/value pairs in the Cookie header field. | return the name/value pairs in the Cookie header field. | |||
skipping to change at page 10, line 23 | skipping to change at page 10, line 23 | |||
which begins with a name-value-pair, followed by zero or more | which begins with a name-value-pair, followed by zero or more | |||
attribute-value pairs. Servers SHOULD NOT send Set-Cookie header | attribute-value pairs. Servers SHOULD NOT send Set-Cookie header | |||
fields that fail to conform to the following grammar: | fields that fail to conform to the following grammar: | |||
set-cookie = set-cookie-string | set-cookie = set-cookie-string | |||
set-cookie-string = BWS cookie-pair *( BWS ";" OWS cookie-av ) | set-cookie-string = BWS cookie-pair *( BWS ";" OWS cookie-av ) | |||
cookie-pair = cookie-name BWS "=" BWS cookie-value | cookie-pair = cookie-name BWS "=" BWS cookie-value | |||
cookie-name = 1*cookie-octet | cookie-name = 1*cookie-octet | |||
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) | cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) | |||
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E | cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E | |||
/ %x80-FF | ; US-ASCII characters excluding CTLs, | |||
; octets excluding CTLs, | ||||
; whitespace DQUOTE, comma, semicolon, | ; whitespace DQUOTE, comma, semicolon, | |||
; and backslash | ; and backslash | |||
cookie-av = expires-av / max-age-av / domain-av / | cookie-av = expires-av / max-age-av / domain-av / | |||
path-av / secure-av / httponly-av / | path-av / secure-av / httponly-av / | |||
samesite-av / extension-av | samesite-av / extension-av | |||
expires-av = "Expires" BWS "=" BWS sane-cookie-date | expires-av = "Expires" BWS "=" BWS sane-cookie-date | |||
sane-cookie-date = | sane-cookie-date = | |||
<IMF-fixdate, defined in [HTTPSEM], Section 5.6.7> | <IMF-fixdate, defined in [HTTPSEM], Section 5.6.7> | |||
max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT | max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT | |||
skipping to change at page 11, line 5 | skipping to change at page 11, line 5 | |||
samesite-av = "SameSite" BWS "=" BWS samesite-value | samesite-av = "SameSite" BWS "=" BWS samesite-value | |||
samesite-value = "Strict" / "Lax" / "None" | samesite-value = "Strict" / "Lax" / "None" | |||
extension-av = *av-octet | extension-av = *av-octet | |||
av-octet = %x20-3A / %x3C-7E | av-octet = %x20-3A / %x3C-7E | |||
; any CHAR except CTLs or ";" | ; any CHAR except CTLs or ";" | |||
Note that some of the grammatical terms above reference documents | Note that some of the grammatical terms above reference documents | |||
that use different grammatical notations than this document (which | that use different grammatical notations than this document (which | |||
uses ABNF from [RFC5234]). | uses ABNF from [RFC5234]). | |||
NOTE: The name of an attribute-value pair is not case sensitive. So | ||||
while they are presented here in CamelCase, such as "HttpOnly" or | ||||
"SameSite", any case is accepted. E.g.: "httponly", "Httponly", | ||||
"hTTPoNLY", etc. | ||||
The semantics of the cookie-value are not defined by this document. | The semantics of the cookie-value are not defined by this document. | |||
To maximize compatibility with user agents, servers that wish to | To maximize compatibility with user agents, servers that wish to | |||
store arbitrary data in a cookie-value SHOULD encode that data, for | store arbitrary data in a cookie-value SHOULD encode that data, for | |||
example, using Base64 [RFC4648]. | example, using Base64 [RFC4648]. | |||
The domain-value is a subdomain as defined by [RFC1034], Section 3.5, | The domain-value is a subdomain as defined by [RFC1034], Section 3.5, | |||
and as enhanced by [RFC1123], Section 2.1. Thus, domain-value is a | and as enhanced by [RFC1123], Section 2.1. Thus, domain-value is a | |||
string of [USASCII] characters, such as one obtained by applying the | string of [USASCII] characters, such as one obtained by applying the | |||
"ToASCII" operation defined in Section 4 of [RFC3490]. | "ToASCII" operation defined in Section 4 of [RFC3490]. | |||
skipping to change at page 13, line 23 | skipping to change at page 13, line 30 | |||
session is over" (as defined by the user agent). | session is over" (as defined by the user agent). | |||
4.1.2.3. The Domain Attribute | 4.1.2.3. The Domain Attribute | |||
The Domain attribute specifies those hosts to which the cookie will | The Domain attribute specifies those hosts to which the cookie will | |||
be sent. For example, if the value of the Domain attribute is | be sent. For example, if the value of the Domain attribute is | |||
"site.example", the user agent will include the cookie in the Cookie | "site.example", the user agent will include the cookie in the Cookie | |||
header field when making HTTP requests to site.example, | header field when making HTTP requests to site.example, | |||
www.site.example, and www.corp.site.example. (Note that a leading | www.site.example, and www.corp.site.example. (Note that a leading | |||
%x2E ("."), if present, is ignored even though that character is not | %x2E ("."), if present, is ignored even though that character is not | |||
permitted, but a trailing %x2E ("."), if present, will cause the user | permitted.) If the server omits the Domain attribute, the user agent | |||
agent to ignore the attribute.) If the server omits the Domain | will return the cookie only to the origin server. | |||
attribute, the user agent will return the cookie only to the origin | ||||
server. | ||||
WARNING: Some existing user agents treat an absent Domain attribute | WARNING: Some existing user agents treat an absent Domain attribute | |||
as if the Domain attribute were present and contained the current | as if the Domain attribute were present and contained the current | |||
host name. For example, if site.example returns a Set-Cookie header | host name. For example, if site.example returns a Set-Cookie header | |||
field without a Domain attribute, these user agents will erroneously | field without a Domain attribute, these user agents will erroneously | |||
send the cookie to www.site.example as well. | send the cookie to www.site.example as well. | |||
The user agent will reject cookies unless the Domain attribute | The user agent will reject cookies unless the Domain attribute | |||
specifies a scope for the cookie that would include the origin | specifies a scope for the cookie that would include the origin | |||
server. For example, the user agent will accept a cookie with a | server. For example, the user agent will accept a cookie with a | |||
skipping to change at page 32, line 5 | skipping to change at page 32, line 5 | |||
date. | date. | |||
7. If the cookie-attribute-list contains an attribute with an | 7. If the cookie-attribute-list contains an attribute with an | |||
attribute-name of "Domain": | attribute-name of "Domain": | |||
1. Let the domain-attribute be the attribute-value of the last | 1. Let the domain-attribute be the attribute-value of the last | |||
attribute in the cookie-attribute-list with both an | attribute in the cookie-attribute-list with both an | |||
attribute-name of "Domain" and an attribute-value whose | attribute-name of "Domain" and an attribute-value whose | |||
length is no more than 1024 octets. (Note that a leading | length is no more than 1024 octets. (Note that a leading | |||
%x2E ("."), if present, is ignored even though that | %x2E ("."), if present, is ignored even though that | |||
character is not permitted, but a trailing %x2E ("."), if | character is not permitted.) | |||
present, will cause the user agent to ignore the attribute.) | ||||
Otherwise: | Otherwise: | |||
1. Let the domain-attribute be the empty string. | 1. Let the domain-attribute be the empty string. | |||
8. If the domain-attribute contains a character that is not in the | 8. If the domain-attribute contains a character that is not in the | |||
range of [USASCII] characters, abort these steps and ignore the | range of [USASCII] characters, abort these steps and ignore the | |||
cookie entirely. | cookie entirely. | |||
9. If the user agent is configured to reject "public suffixes" and | 9. If the user agent is configured to reject "public suffixes" and | |||
skipping to change at page 38, line 45 | skipping to change at page 38, line 43 | |||
1. If the cookies' name is not empty, output the cookie's name | 1. If the cookies' name is not empty, output the cookie's name | |||
followed by the %x3D ("=") character. | followed by the %x3D ("=") character. | |||
2. If the cookies' value is not empty, output the cookie's | 2. If the cookies' value is not empty, output the cookie's | |||
value. | value. | |||
3. If there is an unprocessed cookie in the cookie-list, output | 3. If there is an unprocessed cookie in the cookie-list, output | |||
the characters %x3B and %x20 ("; "). | the characters %x3B and %x20 ("; "). | |||
NOTE: Despite its name, the cookie-string is actually a sequence of | ||||
octets, not a sequence of characters. To convert the cookie-string | ||||
(or components thereof) into a sequence of characters (e.g., for | ||||
presentation to the user), the user agent might wish to try using the | ||||
UTF-8 character encoding [RFC3629] to decode the octet sequence. | ||||
This decoding might fail, however, because not every sequence of | ||||
octets is valid UTF-8. | ||||
6. Implementation Considerations | 6. Implementation Considerations | |||
6.1. Limits | 6.1. Limits | |||
Practical user agent implementations have limits on the number and | Practical user agent implementations have limits on the number and | |||
size of cookies that they can store. General-use user agents SHOULD | size of cookies that they can store. General-use user agents SHOULD | |||
provide each of the following minimum capabilities: | provide each of the following minimum capabilities: | |||
o At least 50 cookies per domain. | o At least 50 cookies per domain. | |||
skipping to change at page 54, line 9 | skipping to change at page 53, line 49 | |||
<https://publicsuffix.org/list/>. | <https://publicsuffix.org/list/>. | |||
[RFC2109] Kristol, D. and L. Montulli, "HTTP State Management | [RFC2109] Kristol, D. and L. Montulli, "HTTP State Management | |||
Mechanism", RFC 2109, DOI 10.17487/RFC2109, February 1997, | Mechanism", RFC 2109, DOI 10.17487/RFC2109, February 1997, | |||
<https://www.rfc-editor.org/info/rfc2109>. | <https://www.rfc-editor.org/info/rfc2109>. | |||
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | |||
DOI 10.17487/RFC2818, May 2000, | DOI 10.17487/RFC2818, May 2000, | |||
<https://www.rfc-editor.org/info/rfc2818>. | <https://www.rfc-editor.org/info/rfc2818>. | |||
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | ||||
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November | ||||
2003, <https://www.rfc-editor.org/info/rfc3629>. | ||||
[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration | [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration | |||
Procedures for Message Header Fields", BCP 90, RFC 3864, | Procedures for Message Header Fields", BCP 90, RFC 3864, | |||
DOI 10.17487/RFC3864, September 2004, | DOI 10.17487/RFC3864, September 2004, | |||
<https://www.rfc-editor.org/info/rfc3864>. | <https://www.rfc-editor.org/info/rfc3864>. | |||
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
Resource Identifier (URI): Generic Syntax", STD 66, | Resource Identifier (URI): Generic Syntax", STD 66, | |||
RFC 3986, DOI 10.17487/RFC3986, January 2005, | RFC 3986, DOI 10.17487/RFC3986, January 2005, | |||
<https://www.rfc-editor.org/info/rfc3986>. | <https://www.rfc-editor.org/info/rfc3986>. | |||
skipping to change at page 56, line 39 | skipping to change at page 56, line 27 | |||
[41] https://github.com/httpwg/http-extensions/pull/1563 | [41] https://github.com/httpwg/http-extensions/pull/1563 | |||
[42] https://github.com/httpwg/http-extensions/pull/1576 | [42] https://github.com/httpwg/http-extensions/pull/1576 | |||
[43] https://github.com/httpwg/http-extensions/pull/1589 | [43] https://github.com/httpwg/http-extensions/pull/1589 | |||
[44] https://github.com/httpwg/http-extensions/pull/1709 | [44] https://github.com/httpwg/http-extensions/pull/1709 | |||
[45] https://github.com/httpwg/http-extensions/pull/1732 | [45] https://github.com/httpwg/http-extensions/pull/1732 | |||
[46] https://github.com/httpwg/http-extensions/pull/1980 | ||||
[47] https://github.com/httpwg/http-extensions/pull/1878 | ||||
[48] https://github.com/httpwg/http-extensions/pull/1902 | ||||
[49] https://github.com/httpwg/http-extensions/pull/1969 | ||||
[50] https://github.com/httpwg/http-extensions/pull/1789 | ||||
[51] https://github.com/httpwg/http-extensions/pull/1858 | ||||
[52] https://github.com/httpwg/http-extensions/pull/2069 | ||||
[53] https://github.com/httpwg/http-extensions/pull/2087 | ||||
[54] https://github.com/httpwg/http-extensions/pull/2092 | ||||
[55] https://github.com/httpwg/http-extensions/pull/2090 | ||||
[56] https://github.com/httpwg/http-extensions/pull/2165 | ||||
[57] https://github.com/httpwg/http-extensions/pull/2167 | ||||
Appendix A. Changes | Appendix A. Changes | |||
A.1. draft-ietf-httpbis-rfc6265bis-00 | A.1. draft-ietf-httpbis-rfc6265bis-00 | |||
o Port [RFC6265] to Markdown. No (intentional) normative changes. | o Port [RFC6265] to Markdown. No (intentional) normative changes. | |||
A.2. draft-ietf-httpbis-rfc6265bis-01 | A.2. draft-ietf-httpbis-rfc6265bis-01 | |||
o Fixes to formatting caused by mistakes in the initial port to | o Fixes to formatting caused by mistakes in the initial port to | |||
Markdown: | Markdown: | |||
skipping to change at page 60, line 22 | skipping to change at page 60, line 38 | |||
o No longer treat horizontal tab as a control character: | o No longer treat horizontal tab as a control character: | |||
https://github.com/httpwg/http-extensions/pull/1589 [43] | https://github.com/httpwg/http-extensions/pull/1589 [43] | |||
o Specify empty domain attribute handling: | o Specify empty domain attribute handling: | |||
https://github.com/httpwg/http-extensions/pull/1709 [44] | https://github.com/httpwg/http-extensions/pull/1709 [44] | |||
A.11. draft-ietf-httpbis-rfc6265bis-10 | A.11. draft-ietf-httpbis-rfc6265bis-10 | |||
o Standardize Max-Age/Expires upper bound: | o Standardize Max-Age/Expires upper bound: | |||
https://github.com/httpwg/http-extensions/pull/1732 [45] | https://github.com/httpwg/http-extensions/pull/1732 [45], | |||
https://github.com/httpwg/http-extensions/pull/1980 [46]. | ||||
o Expand on privacy considerations and third-party cookies: | ||||
https://github.com/httpwg/http-extensions/pull/1878 [47] | ||||
o Specify that no decoding of Set-Cookie line should occur: | ||||
https://github.com/httpwg/http-extensions/pull/1902 [48] | ||||
o Require ASCII for domain attributes: https://github.com/httpwg/ | ||||
http-extensions/pull/1969 [49] | ||||
o Typos, formatting and editorial fixes: https://github.com/httpwg/ | ||||
http-extensions/pull/1789 [50], https://github.com/httpwg/http- | ||||
extensions/pull/1858 [51], https://github.com/httpwg/http- | ||||
extensions/pull/2069 [52]. | ||||
A.12. draft-ietf-httpbis-rfc6265bis-11 | ||||
o Remove note to ignore Domain attribute with trailing dot: | ||||
https://github.com/httpwg/http-extensions/pull/2087 [53], | ||||
https://github.com/httpwg/http-extensions/pull/2092 [54]. | ||||
o Remove an inadvertent change to cookie-octet: | ||||
https://github.com/httpwg/http-extensions/pull/2090 [55] | ||||
o Remove note regarding cookie serialization: | ||||
https://github.com/httpwg/http-extensions/pull/2165 [56] | ||||
o Add case insensitivity note to Set-Cookie Syntax: | ||||
https://github.com/httpwg/http-extensions/pull/2167 [57] | ||||
Acknowledgements | Acknowledgements | |||
RFC 6265 was written by Adam Barth. This document is an update of | RFC 6265 was written by Adam Barth. This document is an update of | |||
RFC 6265, adding features and aligning the specification with the | RFC 6265, adding features and aligning the specification with the | |||
reality of today's deployments. Here, we're standing upon the | reality of today's deployments. Here, we're standing upon the | |||
shoulders of a giant since the majority of the text is still Adam's. | shoulders of a giant since the majority of the text is still Adam's. | |||
Authors' Addresses | Authors' Addresses | |||
End of changes. 25 change blocks. | ||||
47 lines changed or deleted | 91 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |
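
The following is an added example (not text or code from the draft, and not from any browser or server implementation) illustrating the Set-Cookie grammar of Section 4.1.1 as it reads in the right-hand column (cookie-octet restricted to US-ASCII, since the `%x80-FF` alternative was removed), the case-insensitivity note for attribute names, and storage-model steps 7 and 8 for the Domain attribute. It is written as a server-side conformance check: a server that emits only fields this function accepts cannot smuggle a CTL, semicolon or non-ASCII octet into the header, which is the practical value of the "SHOULD NOT send" requirement. The function names (`parse_set_cookie`, `effective_domain`, `is_conformant`), the `SetCookieError` class and the sample field values are assumptions of this example; `Expires` is checked with `email.utils.parsedate_to_datetime`, which is more lenient than IMF-fixdate.

```python
"""Server-side conformance check for a Set-Cookie field (added example)."""
import re
from email.utils import parsedate_to_datetime

# cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# (US-ASCII excluding CTLs, whitespace, DQUOTE, comma, semicolon, backslash)
COOKIE_OCTET = re.compile(r"\A[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*\Z")
# av-octet = %x20-3A / %x3C-7E  (any CHAR except CTLs or ";")
AV_OCTET = re.compile(r"\A[\x20-\x3A\x3C-\x7E]*\Z")
# max-age-av value = non-zero-digit *DIGIT
MAX_AGE = re.compile(r"\A[1-9][0-9]*\Z")
WS = " \t"  # OWS / BWS consist of SP and HTAB


class SetCookieError(ValueError):
    """The field does not conform to the Section 4.1.1 grammar."""


def parse_set_cookie(field):
    """Parse one Set-Cookie field value.

    Returns (name, value, attrs); attrs is an ordered list of
    (lower-cased attribute name, attribute value) pairs. Flag attributes
    (Secure, HttpOnly) carry the value "".
    """
    parts = field.split(";")
    pair = parts[0].strip(WS)  # leading BWS, BWS before the first ";"
    if "=" not in pair:
        raise SetCookieError("cookie-pair requires '='")
    name, value = (s.strip(WS) for s in pair.split("=", 1))  # BWS "=" BWS
    if not name or not COOKIE_OCTET.match(name):
        raise SetCookieError("invalid cookie-name")
    # cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    if not COOKIE_OCTET.match(value):
        raise SetCookieError("invalid cookie-value")

    attrs = []
    for av in parts[1:]:
        av = av.strip(WS)  # OWS after ";", BWS before the next ";"
        if not av:
            continue  # an empty extension-av carries nothing to record
        if not AV_OCTET.match(av):
            raise SetCookieError("attribute contains a CTL or non-ASCII octet")
        attr_name, _, attr_value = av.partition("=")
        attr_name = attr_name.strip(WS).lower()  # attribute names are case-insensitive
        attr_value = attr_value.strip(WS)
        if attr_name == "expires":
            try:
                parsedate_to_datetime(attr_value)  # lenient stand-in for IMF-fixdate
            except (TypeError, ValueError):
                raise SetCookieError("Expires is not a parseable date") from None
        elif attr_name == "max-age" and not MAX_AGE.match(attr_value):
            raise SetCookieError("Max-Age must be non-zero-digit *DIGIT")
        elif attr_name == "samesite" and attr_value.lower() not in ("strict", "lax", "none"):
            raise SetCookieError("SameSite must be Strict, Lax or None")
        elif attr_name in ("secure", "httponly") and attr_value:
            raise SetCookieError("flag attributes take no value")
        attrs.append((attr_name, attr_value))
    return name, value, attrs


def is_conformant(field):
    """True when the field conforms to the grammar, False otherwise."""
    try:
        parse_set_cookie(field)
        return True
    except SetCookieError:
        return False


def effective_domain(attrs):
    """Storage-model steps 7 and 8 for the Domain attribute (Section 5.5).

    Returns None when the cookie is host-only (no usable Domain attribute),
    otherwise the selected domain with a leading "." removed. Canonicalization
    of the host name (Section 5.1.2) is left to the caller.
    """
    domain = ""
    for attr_name, attr_value in attrs:
        # Step 7: the last Domain attribute of at most 1024 octets wins.
        if attr_name == "domain" and len(attr_value.encode("utf-8")) <= 1024:
            domain = attr_value
    if not domain.isascii():
        # Step 8: a non-ASCII domain-attribute means the cookie is ignored.
        raise SetCookieError("non-ASCII Domain attribute")
    if domain.startswith("."):
        domain = domain[1:]  # a leading "." is ignored even though not permitted
    return domain or None


if __name__ == "__main__":
    # Constructed sample fields, not taken from any real deployment.
    print(parse_set_cookie("SID=31d4d96e407aad42; Path=/; Secure; HttpOnly"))
    print(is_conformant("a=b; Path=/\r\nX-Injected: 1"))  # CTLs in an attribute
```

Note that the CTL check on each attribute is what stops a value containing CR or LF from reaching the wire, and that `Max-Age=0` is deliberately rejected because the server grammar requires a non-zero first digit.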
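
The second added example (again not code from the draft or from any user agent) models the request side: which stored cookies a user agent attaches to a request, using the Section 4.1.2.3 example hosts (`site.example`, `www.site.example`, `www.corp.site.example`), the host-only behaviour for an absent Domain attribute that the WARNING paragraph says some user agents get wrong, and the cookie-string serialization steps 1 to 3 of Section 5.6.3. `domain_matches` follows the domain-matching rule of RFC 6265 Section 5.1.3, which this page lists in its table of contents but does not reproduce. The `Cookie` dataclass, the `STORE` contents and the function names are assumptions of this example; host names are taken as already canonicalized (Section 5.1.2), and Path, Secure, expiry, SameSite and the sort order of Section 5.6.3 are outside its scope.

```python
"""Cookie header assembly for a request to a given host (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # canonicalized host name the cookie is scoped to
    host_only: bool  # True when the server omitted the Domain attribute


def is_ip_address(host):
    """True for an IPv4/IPv6 literal, which can never domain-match a suffix."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(string, domain):
    """RFC 6265 Section 5.1.3: does `string` domain-match `domain`?

    Either the two are identical, or `domain` is a suffix of `string`, the
    character just before that suffix is ".", and `string` is a host name
    rather than an IP address.
    """
    if string == domain:
        return True
    return (len(string) > len(domain)
            and string.endswith(domain)
            and string[-len(domain) - 1] == "."
            and not is_ip_address(string))


def cookies_for_request(store, request_host):
    """Select the cookies a user agent would attach to request_host.

    A host-only cookie (absent Domain attribute) is returned only to the
    origin server itself; a Domain cookie goes to every host that
    domain-matches the Domain value.
    """
    selected = []
    for cookie in store:
        if cookie.host_only:
            ok = request_host == cookie.domain
        else:
            ok = domain_matches(request_host, cookie.domain)
        if ok:
            selected.append(cookie)
    return selected


def serialize_cookie_string(cookies):
    """Steps 1-3 of the retrieval algorithm (Section 5.6.3)."""
    pieces = []
    for cookie in cookies:
        piece = ""
        if cookie.name:            # step 1: name followed by "=" if name is non-empty
            piece += cookie.name + "="
        if cookie.value:           # step 2: the value if it is non-empty
            piece += cookie.value
        pieces.append(piece)
    return "; ".join(pieces)       # step 3: "; " between consecutive cookies


def cookie_header(store, request_host):
    """The Cookie header field value for a request to request_host."""
    return serialize_cookie_string(cookies_for_request(store, request_host))


# Constructed cookie store (sample data, not from any real deployment):
STORE = [
    # set by site.example without a Domain attribute: host-only
    Cookie("SID", "31d4d96e407aad42", "site.example", host_only=True),
    # set with Domain=site.example: also sent to subdomains
    Cookie("lang", "en-US", "site.example", host_only=False),
    # nameless cookie set by www.site.example, exercises step 1
    Cookie("", "bare", "www.site.example", host_only=True),
]

if __name__ == "__main__":
    for host in ("site.example", "www.site.example", "www.corp.site.example", "notsite.example"):
        print(f"{host:24} Cookie: {cookie_header(STORE, host)!r}")
```

The `notsite.example` case is the reason for the "." check in `domain_matches`: a plain suffix comparison would leak the `lang` cookie to an unrelated host whose name merely ends in `site.example`.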