draft-ietf-httpbis-rfc6265bis-03.txt   draft-ietf-httpbis-rfc6265bis-latest.txt 
HTTP Working Group A. Barth HTTP Working Group A. Barth
Internet-Draft M. West Internet-Draft M. West
Obsoletes: 6265 (if approved) Google, Inc Obsoletes: 6265 (if approved) Google, Inc
Intended status: Standards Track April 27, 2019 Intended status: Standards Track January 10, 2020
Expires: October 29, 2019 Expires: July 13, 2020
Cookies: HTTP State Management Mechanism Cookies: HTTP State Management Mechanism
draft-ietf-httpbis-rfc6265bis-03 draft-ietf-httpbis-rfc6265bis-latest
Abstract Abstract
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
These header fields can be used by HTTP servers to store state These header fields can be used by HTTP servers to store state
(called cookies) at HTTP user agents, letting the servers maintain a (called cookies) at HTTP user agents, letting the servers maintain a
stateful session over the mostly stateless HTTP protocol. Although stateful session over the mostly stateless HTTP protocol. Although
cookies have many historical infelicities that degrade their security cookies have many historical infelicities that degrade their security
and privacy, the Cookie and Set-Cookie header fields are widely used and privacy, the Cookie and Set-Cookie header fields are widely used
on the Internet. This document obsoletes RFC 6265. on the Internet. This document obsoletes RFC 6265.
skipping to change at page 1, line 47 skipping to change at page 1, line 47
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 29, 2019. This Internet-Draft will expire on July 13, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 3, line 21 skipping to change at page 3, line 21
5.3.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 26 5.3.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 26
5.3.3. The Domain Attribute . . . . . . . . . . . . . . . . 26 5.3.3. The Domain Attribute . . . . . . . . . . . . . . . . 26
5.3.4. The Path Attribute . . . . . . . . . . . . . . . . . 27 5.3.4. The Path Attribute . . . . . . . . . . . . . . . . . 27
5.3.5. The Secure Attribute . . . . . . . . . . . . . . . . 27 5.3.5. The Secure Attribute . . . . . . . . . . . . . . . . 27
5.3.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 27 5.3.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 27
5.3.7. The SameSite Attribute . . . . . . . . . . . . . . . 27 5.3.7. The SameSite Attribute . . . . . . . . . . . . . . . 27
5.4. Storage Model . . . . . . . . . . . . . . . . . . . . . . 28 5.4. Storage Model . . . . . . . . . . . . . . . . . . . . . . 28
5.5. The Cookie Header . . . . . . . . . . . . . . . . . . . . 33 5.5. The Cookie Header . . . . . . . . . . . . . . . . . . . . 33
6. Implementation Considerations . . . . . . . . . . . . . . . . 35 6. Implementation Considerations . . . . . . . . . . . . . . . . 35
6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 35 6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 35
6.2. Application Programming Interfaces . . . . . . . . . . . 35 6.2. Application Programming Interfaces . . . . . . . . . . . 36
6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 36 6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 36
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 36 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 36
7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 36 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 37
7.2. User Controls . . . . . . . . . . . . . . . . . . . . . . 37 7.2. User Controls . . . . . . . . . . . . . . . . . . . . . . 37
7.3. Expiration Dates . . . . . . . . . . . . . . . . . . . . 37 7.3. Expiration Dates . . . . . . . . . . . . . . . . . . . . 38
8. Security Considerations . . . . . . . . . . . . . . . . . . . 38 8. Security Considerations . . . . . . . . . . . . . . . . . . . 38
8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 38 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 38
8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 38 8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 38
8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 39 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 39
8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 40 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 40
8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 40 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 40
8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 41 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 41
8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 42 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 42
8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 42 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 42
8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 42 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 42
8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 42 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 42
8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 43 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 43
8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 43 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 43
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44
9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 43 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 44
9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 44 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 44
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 44
10.1. Normative References . . . . . . . . . . . . . . . . . . 44 10.1. Normative References . . . . . . . . . . . . . . . . . . 44
10.2. Informative References . . . . . . . . . . . . . . . . . 45 10.2. Informative References . . . . . . . . . . . . . . . . . 46
10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 47 10.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 48 Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 48
A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 48 A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 49
A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 48 A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 49
A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 49 A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 49
A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 49 A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 50
A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 50
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 49 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 50
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 50 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 50
1. Introduction 1. Introduction
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
Using the Set-Cookie header field, an HTTP server can pass name/value Using the Set-Cookie header field, an HTTP server can pass name/value
pairs and associated metadata (called cookies) to a user agent. When pairs and associated metadata (called cookies) to a user agent. When
the user agent makes subsequent requests to the server, the user the user agent makes subsequent requests to the server, the user
agent uses the metadata and other information to determine whether to agent uses the metadata and other information to determine whether to
return the name/value pairs in the Cookie header. return the name/value pairs in the Cookie header.
skipping to change at page 6, line 44 skipping to change at page 6, line 44
The term "origin", the mechanism of deriving an origin from a URI, The term "origin", the mechanism of deriving an origin from a URI,
and the "the same" matching algorithm for origins are defined in and the "the same" matching algorithm for origins are defined in
[RFC6454]. [RFC6454].
"Safe" HTTP methods include "GET", "HEAD", "OPTIONS", and "TRACE", as "Safe" HTTP methods include "GET", "HEAD", "OPTIONS", and "TRACE", as
defined in Section 4.2.1 of [RFC7231]. defined in Section 4.2.1 of [RFC7231].
The term "public suffix" is defined in a note in Section 5.3 of The term "public suffix" is defined in a note in Section 5.3 of
[RFC6265] as "a domain that is controlled by a public registry", and [RFC6265] as "a domain that is controlled by a public registry", and
are also known as "effective top-level domains" (eTLDs). For are also known as "effective top-level domains" (eTLDs). For
example, "example.com"'s public suffix is "com". User agents SHOULD example, "site.example"'s public suffix is "com". User agents SHOULD
use an up-to-date public suffix list, such as the one maintained by use an up-to-date public suffix list, such as the one maintained by
Mozilla at [PSL]. Mozilla at [PSL].
An origin's "registered domain" is the origin's host's public suffix An origin's "registered domain" is the origin's host's public suffix
plus the label to its left. That is, for "https://www.example.com", plus the label to its left. That is, for "https://www.site.example",
the public suffix is "com", and the registered domain is the public suffix is "example", and the registered domain is
"example.com". This concept is defined more rigorously in [PSL], and "site.example". This concept is defined more rigorously in [PSL],
is also known as "effective top-level domain plus one" (eTLD+1). and is also known as "effective top-level domain plus one" (eTLD+1).
The term "request", as well as a request's "client", "current url", The term "request", as well as a request's "client", "current url",
"method", and "target browsing context", are defined in [FETCH]. "method", and "target browsing context", are defined in [FETCH].
3. Overview 3. Overview
This section outlines a way for an origin server to send state This section outlines a way for an origin server to send state
information to a user agent and for the user agent to return the information to a user agent and for the user agent to return the
state information to the origin server. state information to the origin server.
skipping to change at page 8, line 7 skipping to change at page 8, line 7
== Server -> User Agent == == Server -> User Agent ==
Set-Cookie: SID=31d4d96e407aad42 Set-Cookie: SID=31d4d96e407aad42
== User Agent -> Server == == User Agent -> Server ==
Cookie: SID=31d4d96e407aad42 Cookie: SID=31d4d96e407aad42
The server can alter the default scope of the cookie using the Path The server can alter the default scope of the cookie using the Path
and Domain attributes. For example, the server can instruct the user and Domain attributes. For example, the server can instruct the user
agent to return the cookie to every path and every subdomain of agent to return the cookie to every path and every subdomain of
example.com. site.example.
== Server -> User Agent == == Server -> User Agent ==
Set-Cookie: SID=31d4d96e407aad42; Path=/; Domain=example.com Set-Cookie: SID=31d4d96e407aad42; Path=/; Domain=site.example
== User Agent -> Server == == User Agent -> Server ==
Cookie: SID=31d4d96e407aad42 Cookie: SID=31d4d96e407aad42
As shown in the next example, the server can store multiple cookies As shown in the next example, the server can store multiple cookies
at the user agent. For example, the server can store a session at the user agent. For example, the server can store a session
identifier as well as the user's preferred language by returning two identifier as well as the user's preferred language by returning two
Set-Cookie header fields. Notice that the server uses the Secure and Set-Cookie header fields. Notice that the server uses the Secure and
HttpOnly attributes to provide additional security protections for HttpOnly attributes to provide additional security protections for
the more sensitive session identifier (see Section 4.1.2). the more sensitive session identifier (see Section 4.1.2).
== Server -> User Agent == == Server -> User Agent ==
Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly
Set-Cookie: lang=en-US; Path=/; Domain=example.com Set-Cookie: lang=en-US; Path=/; Domain=site.example
== User Agent -> Server == == User Agent -> Server ==
Cookie: SID=31d4d96e407aad42; lang=en-US Cookie: SID=31d4d96e407aad42; lang=en-US
Notice that the Cookie header above contains two cookies, one named Notice that the Cookie header above contains two cookies, one named
SID and one named lang. If the server wishes the user agent to SID and one named lang. If the server wishes the user agent to
persist the cookie over multiple "sessions" (e.g., user agent persist the cookie over multiple "sessions" (e.g., user agent
restarts), the server can specify an expiration date in the Expires restarts), the server can specify an expiration date in the Expires
attribute. Note that the user agent might delete the cookie before attribute. Note that the user agent might delete the cookie before
skipping to change at page 12, line 41 skipping to change at page 12, line 41
If a cookie has both the Max-Age and the Expires attribute, the Max- If a cookie has both the Max-Age and the Expires attribute, the Max-
Age attribute has precedence and controls the expiration date of the Age attribute has precedence and controls the expiration date of the
cookie. If a cookie has neither the Max-Age nor the Expires cookie. If a cookie has neither the Max-Age nor the Expires
attribute, the user agent will retain the cookie until "the current attribute, the user agent will retain the cookie until "the current
session is over" (as defined by the user agent). session is over" (as defined by the user agent).
4.1.2.3. The Domain Attribute 4.1.2.3. The Domain Attribute
The Domain attribute specifies those hosts to which the cookie will The Domain attribute specifies those hosts to which the cookie will
be sent. For example, if the value of the Domain attribute is be sent. For example, if the value of the Domain attribute is
"example.com", the user agent will include the cookie in the Cookie "site.example", the user agent will include the cookie in the Cookie
header when making HTTP requests to example.com, www.example.com, and header when making HTTP requests to site.example, www.site.example,
www.corp.example.com. (Note that a leading %x2E ("."), if present, and www.corp.site.example. (Note that a leading %x2E ("."), if
is ignored even though that character is not permitted, but a present, is ignored even though that character is not permitted, but
trailing %x2E ("."), if present, will cause the user agent to ignore a trailing %x2E ("."), if present, will cause the user agent to
the attribute.) If the server omits the Domain attribute, the user ignore the attribute.) If the server omits the Domain attribute, the
agent will return the cookie only to the origin server. user agent will return the cookie only to the origin server.
WARNING: Some existing user agents treat an absent Domain attribute WARNING: Some existing user agents treat an absent Domain attribute
as if the Domain attribute were present and contained the current as if the Domain attribute were present and contained the current
host name. For example, if example.com returns a Set-Cookie header host name. For example, if site.example returns a Set-Cookie header
without a Domain attribute, these user agents will erroneously send without a Domain attribute, these user agents will erroneously send
the cookie to www.example.com as well. the cookie to www.site.example as well.
The user agent will reject cookies unless the Domain attribute The user agent will reject cookies unless the Domain attribute
specifies a scope for the cookie that would include the origin specifies a scope for the cookie that would include the origin
server. For example, the user agent will accept a cookie with a server. For example, the user agent will accept a cookie with a
Domain attribute of "example.com" or of "foo.example.com" from Domain attribute of "site.example" or of "foo.site.example" from
foo.example.com, but the user agent will not accept a cookie with a foo.site.example, but the user agent will not accept a cookie with a
Domain attribute of "bar.example.com" or of "baz.foo.example.com". Domain attribute of "bar.site.example" or of "baz.foo.site.example".
NOTE: For security reasons, many user agents are configured to reject NOTE: For security reasons, many user agents are configured to reject
Domain attributes that correspond to "public suffixes". For example, Domain attributes that correspond to "public suffixes". For example,
some user agents will reject Domain attributes of "com" or "co.uk". some user agents will reject Domain attributes of "com" or "co.uk".
(See Section 5.4 for more information.) (See Section 5.4 for more information.)
4.1.2.4. The Path Attribute 4.1.2.4. The Path Attribute
The scope of each cookie is limited to a set of paths, controlled by The scope of each cookie is limited to a set of paths, controlled by
the Path attribute. If the server omits the Path attribute, the user the Path attribute. If the server omits the Path attribute, the user
skipping to change at page 14, line 21 skipping to change at page 14, line 21
Note that the HttpOnly attribute is independent of the Secure Note that the HttpOnly attribute is independent of the Secure
attribute: a cookie can have both the HttpOnly and the Secure attribute: a cookie can have both the HttpOnly and the Secure
attribute. attribute.
4.1.2.7. The SameSite Attribute 4.1.2.7. The SameSite Attribute
The "SameSite" attribute limits the scope of the cookie such that it The "SameSite" attribute limits the scope of the cookie such that it
will only be attached to requests if those requests are same-site, as will only be attached to requests if those requests are same-site, as
defined by the algorithm in Section 5.2. For example, requests for defined by the algorithm in Section 5.2. For example, requests for
"https://example.com/sekrit-image" will attach same-site cookies if "https://site.example/sekrit-image" will attach same-site cookies if
and only if initiated from a context whose "site for cookies" is and only if initiated from a context whose "site for cookies" is
"example.com". "site.example".
If the "SameSite" attribute's value is "Strict", the cookie will only If the "SameSite" attribute's value is "Strict", the cookie will only
be sent along with "same-site" requests. If the value is "Lax", the be sent along with "same-site" requests. If the value is "Lax", the
cookie will be sent with same-site requests, and with "cross-site" cookie will be sent with same-site requests, and with "cross-site"
top-level navigations, as described in Section 5.3.7.1. If the value top-level navigations, as described in Section 5.3.7.1. If the value
is "None", the cookie will be sent with same-site and cross-site is "None", the cookie will be sent with same-site and cross-site
requests. If the "SameSite" attribute's value is something other requests. If the "SameSite" attribute's value is something other
than these three known keywords, the attribute's value will be than these three known keywords, the attribute's value will be
treated as "None". treated as "None".
skipping to change at page 15, line 8 skipping to change at page 15, line 8
4.1.3.1. The "__Secure-" Prefix 4.1.3.1. The "__Secure-" Prefix
If a cookie's name begins with a case-sensitive match for the string If a cookie's name begins with a case-sensitive match for the string
"__Secure-", then the cookie will have been set with a "Secure" "__Secure-", then the cookie will have been set with a "Secure"
attribute. attribute.
For example, the following "Set-Cookie" header would be rejected by a For example, the following "Set-Cookie" header would be rejected by a
conformant user agent, as it does not have a "Secure" attribute. conformant user agent, as it does not have a "Secure" attribute.
Set-Cookie: __Secure-SID=12345; Domain=example.com Set-Cookie: __Secure-SID=12345; Domain=site.example
Whereas the following "Set-Cookie" header would be accepted: Whereas the following "Set-Cookie" header would be accepted:
Set-Cookie: __Secure-SID=12345; Domain=example.com; Secure Set-Cookie: __Secure-SID=12345; Domain=site.example; Secure
4.1.3.2. The "__Host-" Prefix 4.1.3.2. The "__Host-" Prefix
If a cookie's name begins with a case-sensitive match for the string If a cookie's name begins with a case-sensitive match for the string
"__Host-", then the cookie will have been set with a "Secure" "__Host-", then the cookie will have been set with a "Secure"
attribute, a "Path" attribute with a value of "/", and no "Domain" attribute, a "Path" attribute with a value of "/", and no "Domain"
attribute. attribute.
This combination yields a cookie that hews as closely as a cookie can This combination yields a cookie that hews as closely as a cookie can
to treating the origin as a security boundary. The lack of a to treating the origin as a security boundary. The lack of a
skipping to change at page 15, line 37 skipping to change at page 15, line 37
specific paths. The "Secure" attribute ensures that the cookie is specific paths. The "Secure" attribute ensures that the cookie is
unaltered by non-secure origins, and won't span protocols. unaltered by non-secure origins, and won't span protocols.
Ports are the only piece of the origin model that "__Host-" cookies Ports are the only piece of the origin model that "__Host-" cookies
continue to ignore. continue to ignore.
For example, the following cookies would always be rejected: For example, the following cookies would always be rejected:
Set-Cookie: __Host-SID=12345 Set-Cookie: __Host-SID=12345
Set-Cookie: __Host-SID=12345; Secure Set-Cookie: __Host-SID=12345; Secure
Set-Cookie: __Host-SID=12345; Domain=example.com Set-Cookie: __Host-SID=12345; Domain=site.example
Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/ Set-Cookie: __Host-SID=12345; Domain=site.example; Path=/
Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/ Set-Cookie: __Host-SID=12345; Secure; Domain=site.example; Path=/
While the would be accepted if set from a secure origin (e.g. While the would be accepted if set from a secure origin (e.g.
"https://example.com/"), and rejected otherwise: "https://site.example/"), and rejected otherwise:
Set-Cookie: __Host-SID=12345; Secure; Path=/ Set-Cookie: __Host-SID=12345; Secure; Path=/
4.2. Cookie 4.2. Cookie
4.2.1. Syntax 4.2.1. Syntax
The user agent sends stored cookies to the origin server in the The user agent sends stored cookies to the origin server in the
Cookie header. If the server conforms to the requirements in Cookie header. If the server conforms to the requirements in
Section 4.1 (and the user agent conforms to the requirements in Section 4.1 (and the user agent conforms to the requirements in
skipping to change at page 24, line 9 skipping to change at page 24, line 9
but not including, the first %x3B (";"), and the unparsed- but not including, the first %x3B (";"), and the unparsed-
attributes consist of the remainder of the set-cookie-string attributes consist of the remainder of the set-cookie-string
(including the %x3B (";") in question). (including the %x3B (";") in question).
Otherwise: Otherwise:
1. The name-value-pair string consists of all the characters 1. The name-value-pair string consists of all the characters
contained in the set-cookie-string, and the unparsed- contained in the set-cookie-string, and the unparsed-
attributes is the empty string. attributes is the empty string.
2. If the name-value-pair string lacks a %x3D ("=") character, 2. If the name-value-pair string lacks a %x3D ("=") character, then
ignore the set-cookie-string entirely. the name string is empty, and the value string is the value of
name-value-pair.
3. The (possibly empty) name string consists of the characters up Otherwise, the name string consists of the characters up to, but
to, but not including, the first %x3D ("=") character, and the not including, the first %x3D ("=") character, and the (possibly
(possibly empty) value string consists of the characters after empty) value string consists of the characters after the first
the first %x3D ("=") character. %x3D ("=") character.
4. Remove any leading or trailing WSP characters from the name 3. Remove any leading or trailing WSP characters from the name
string and the value string. string and the value string.
5. If the name string is empty, ignore the set-cookie-string 4. If both the name string and the value string are empty, ignore
entirely. the set-cookie-string entirely.
6. The cookie-name is the name string, and the cookie-value is the 5. The cookie-name is the name string, and the cookie-value is the
value string. value string.
The user agent MUST use an algorithm equivalent to the following The user agent MUST use an algorithm equivalent to the following
algorithm to parse the unparsed-attributes: algorithm to parse the unparsed-attributes:
1. If the unparsed-attributes string is empty, skip the rest of 1. If the unparsed-attributes string is empty, skip the rest of
these steps. these steps.
2. Discard the first character of the unparsed-attributes (which 2. Discard the first character of the unparsed-attributes (which
will be a %x3B (";") character). will be a %x3B (";") character).
skipping to change at page 30, line 17 skipping to change at page 30, line 17
1. Let the domain-attribute be the empty string. 1. Let the domain-attribute be the empty string.
Otherwise: Otherwise:
1. Ignore the cookie entirely and abort these steps. 1. Ignore the cookie entirely and abort these steps.
NOTE: A "public suffix" is a domain that is controlled by a NOTE: A "public suffix" is a domain that is controlled by a
public registry, such as "com", "co.uk", and "pvt.k12.wy.us". public registry, such as "com", "co.uk", and "pvt.k12.wy.us".
This step is essential for preventing attacker.com from This step is essential for preventing attacker.com from
disrupting the integrity of example.com by setting a cookie with disrupting the integrity of site.example by setting a cookie
a Domain attribute of "com". Unfortunately, the set of public with a Domain attribute of "com". Unfortunately, the set of
suffixes (also known as "registry controlled domains") changes public suffixes (also known as "registry controlled domains")
over time. If feasible, user agents SHOULD use an up-to-date changes over time. If feasible, user agents SHOULD use an up-
public suffix list, such as the one maintained by the Mozilla to-date public suffix list, such as the one maintained by the
project at http://publicsuffix.org/ [4]. Mozilla project at http://publicsuffix.org/ [4].
6. If the domain-attribute is non-empty: 6. If the domain-attribute is non-empty:
1. If the canonicalized request-host does not domain-match the 1. If the canonicalized request-host does not domain-match the
domain-attribute: domain-attribute:
1. Ignore the cookie entirely and abort these steps. 1. Ignore the cookie entirely and abort these steps.
Otherwise: Otherwise:
skipping to change at page 31, line 47 skipping to change at page 31, line 47
attacks. That is, given an existing secure cookie named 'a' attacks. That is, given an existing secure cookie named 'a'
with a path of '/login', a non-secure cookie named 'a' could be with a path of '/login', a non-secure cookie named 'a' could be
set for a path of '/' or '/foo', but not for a path of '/login' set for a path of '/' or '/foo', but not for a path of '/login'
or '/login/en'. or '/login/en'.
13. If the cookie-attribute-list contains an attribute with an 13. If the cookie-attribute-list contains an attribute with an
attribute-name of "SameSite", set the cookie's same-site-flag to attribute-name of "SameSite", set the cookie's same-site-flag to
attribute-value (i.e. either "Strict", "Lax", or "None"). attribute-value (i.e. either "Strict", "Lax", or "None").
Otherwise, set the cookie's same-site-flag to "None". Otherwise, set the cookie's same-site-flag to "None".
14. If the cookie's "same-site-flag" is not "None", and the cookie 14. If the cookie's "same-site-flag" is not "None":
is being set from a context whose "site for cookies" is not an
exact match for request-uri's host's registered domain, then 1. If the cookie was received from a "non-HTTP" API, and the
abort these steps and ignore the newly created cookie entirely. API was called from a context whose "site for cookies" is
not an exact match for request-uri's host's registered
domain, then abort these steps and ignore the newly created
cookie entirely.
2. If the cookie was received from a "same-site" request (as
defined in Section 5.2), skip the remaining substeps and
continue processing the cookie.
3. If the cookie was received from a request which is
navigating a top-level browsing context [HTML] (e.g. if the
request's "reserved client" is either "null" or an
environment whose "target browsing context" is a top-level
browing context), skip the remaining substeps and continue
processing the cookie.
Note: Top-level navigations can create a cookie with any
"SameSite" value, even if the new cookie wouldn't have been
sent along with the request had it already existed prior to
the navigation.
4. Abort these steps and ignore the newly created cookie
entirely.
15. If the cookie-name begins with a case-sensitive match for the 15. If the cookie-name begins with a case-sensitive match for the
string "__Secure-", abort these steps and ignore the cookie string "__Secure-", abort these steps and ignore the cookie
entirely unless the cookie's secure-only-flag is true. entirely unless the cookie's secure-only-flag is true.
16. If the cookie-name begins with a case-sensitive match for the 16. If the cookie-name begins with a case-sensitive match for the
string "__Host-", abort these steps and ignore the cookie string "__Host-", abort these steps and ignore the cookie
entirely unless the cookie meets all the following criteria: entirely unless the cookie meets all the following criteria:
1. The cookie's secure-only-flag is true. 1. The cookie's secure-only-flag is true.
skipping to change at page 41, line 16 skipping to change at page 41, line 29
network-level protocol does not send cookies stored for one path to network-level protocol does not send cookies stored for one path to
another, some user agents expose cookies via non-HTTP APIs, such as another, some user agents expose cookies via non-HTTP APIs, such as
HTML's document.cookie API. Because some of these user agents (e.g., HTML's document.cookie API. Because some of these user agents (e.g.,
web browsers) do not isolate resources received from different paths, web browsers) do not isolate resources received from different paths,
a resource retrieved from one path might be able to access cookies a resource retrieved from one path might be able to access cookies
stored for another path. stored for another path.
8.6. Weak Integrity 8.6. Weak Integrity
Cookies do not provide integrity guarantees for sibling domains (and Cookies do not provide integrity guarantees for sibling domains (and
their subdomains). For example, consider foo.example.com and their subdomains). For example, consider foo.site.example and
bar.example.com. The foo.example.com server can set a cookie with a bar.site.example. The foo.site.example server can set a cookie with
Domain attribute of "example.com" (possibly overwriting an existing a Domain attribute of "site.example" (possibly overwriting an
"example.com" cookie set by bar.example.com), and the user agent will existing "site.example" cookie set by bar.site.example), and the user
include that cookie in HTTP requests to bar.example.com. In the agent will include that cookie in HTTP requests to bar.site.example.
worst case, bar.example.com will be unable to distinguish this cookie In the worst case, bar.site.example will be unable to distinguish
from a cookie it set itself. The foo.example.com server might be this cookie from a cookie it set itself. The foo.site.example server
able to leverage this ability to mount an attack against might be able to leverage this ability to mount an attack against
bar.example.com. bar.site.example.
Even though the Set-Cookie header supports the Path attribute, the Even though the Set-Cookie header supports the Path attribute, the
Path attribute does not provide any integrity protection because the Path attribute does not provide any integrity protection because the
user agent will accept an arbitrary Path attribute in a Set-Cookie user agent will accept an arbitrary Path attribute in a Set-Cookie
header. For example, an HTTP response to a request for header. For example, an HTTP response to a request for
http://example.com/foo/bar can set a cookie with a Path attribute of http://site.example/foo/bar can set a cookie with a Path attribute of
"/qux". Consequently, servers SHOULD NOT both run mutually "/qux". Consequently, servers SHOULD NOT both run mutually
distrusting services on different paths of the same host and use distrusting services on different paths of the same host and use
cookies to store security-sensitive information. cookies to store security-sensitive information.
An active network attacker can also inject cookies into the Cookie An active network attacker can also inject cookies into the Cookie
header sent to https://example.com/ by impersonating a response from header sent to https://site.example/ by impersonating a response from
http://example.com/ and injecting a Set-Cookie header. The HTTPS http://site.example/ and injecting a Set-Cookie header. The HTTPS
server at example.com will be unable to distinguish these cookies server at site.example will be unable to distinguish these cookies
from cookies that it set itself in an HTTPS response. An active from cookies that it set itself in an HTTPS response. An active
network attacker might be able to leverage this ability to mount an network attacker might be able to leverage this ability to mount an
attack against example.com even if example.com uses HTTPS attack against site.example even if site.example uses HTTPS
exclusively. exclusively.
Servers can partially mitigate these attacks by encrypting and Servers can partially mitigate these attacks by encrypting and
signing the contents of their cookies. However, using cryptography signing the contents of their cookies. However, using cryptography
does not mitigate the issue completely because an attacker can replay does not mitigate the issue completely because an attacker can replay
a cookie he or she received from the authentic example.com server in a cookie he or she received from the authentic site.example server in
the user's session, with unpredictable results. the user's session, with unpredictable results.
Finally, an attacker might be able to force the user agent to delete Finally, an attacker might be able to force the user agent to delete
cookies by storing a large number of cookies. Once the user agent cookies by storing a large number of cookies. Once the user agent
reaches its storage limit, the user agent will be forced to evict reaches its storage limit, the user agent will be forced to evict
some cookies. Servers SHOULD NOT rely upon user agents retaining some cookies. Servers SHOULD NOT rely upon user agents retaining
cookies. cookies.
8.7. Reliance on DNS 8.7. Reliance on DNS
skipping to change at page 42, line 41 skipping to change at page 43, line 8
8.8.2. Top-level Navigations 8.8.2. Top-level Navigations
Setting the "SameSite" attribute in "strict" mode provides robust Setting the "SameSite" attribute in "strict" mode provides robust
defense in depth against CSRF attacks, but has the potential to defense in depth against CSRF attacks, but has the potential to
confuse users unless sites' developers carefully ensure that their confuse users unless sites' developers carefully ensure that their
cookie-based session management systems deal reasonably well with cookie-based session management systems deal reasonably well with
top-level navigations. top-level navigations.
Consider the scenario in which a user reads their email at MegaCorp Consider the scenario in which a user reads their email at MegaCorp
Inc's webmail provider "https://example.com/". They might expect Inc's webmail provider "https://site.example/". They might expect
that clicking on an emailed link to "https://projects.com/secret/ that clicking on an emailed link to "https://projects.example/secret/
project" would show them the secret project that they're authorized project" would show them the secret project that they're authorized
to see, but if "projects.com" has marked their session cookies as to see, but if "projects.example" has marked their session cookies as
"SameSite", then this cross-site navigation won't send them along "SameSite", then this cross-site navigation won't send them along
with the request. "projects.com" will render a 404 error to avoid with the request. "projects.com" will render a 404 error to avoid
leaking secret information, and the user will be quite confused. leaking secret information, and the user will be quite confused.
Developers can avoid this confusion by adopting a session management Developers can avoid this confusion by adopting a session management
system that relies on not one, but two cookies: one conceptually system that relies on not one, but two cookies: one conceptually
granting "read" access, another granting "write" access. The latter granting "read" access, another granting "write" access. The latter
could be marked as "SameSite", and its absence would prompt a could be marked as "SameSite", and its absence would prompt a
reauthentication step before executing any non-idempotent action. reauthentication step before executing any non-idempotent action.
The former could drop the "SameSite" attribute entirely, or choose The former could drop the "SameSite" attribute entirely, or choose
skipping to change at page 48, line 19 skipping to change at page 48, line 41
[13] https://github.com/httpwg/http-extensions/issues/295 [13] https://github.com/httpwg/http-extensions/issues/295
[14] https://github.com/httpwg/http-extensions/issues/302 [14] https://github.com/httpwg/http-extensions/issues/302
[15] https://github.com/httpwg/http-extensions/issues/389 [15] https://github.com/httpwg/http-extensions/issues/389
[16] https://github.com/httpwg/http-extensions/issues/199 [16] https://github.com/httpwg/http-extensions/issues/199
[17] https://github.com/httpwg/http-extensions/issues/788 [17] https://github.com/httpwg/http-extensions/issues/788
Appendix A. Changes [18] https://github.com/httpwg/http-extensions/issues/594
[19] https://github.com/httpwg/http-extensions/issues/159
[20] https://github.com/httpwg/http-extensions/issues/159
Appendix A. Changes
A.1. draft-ietf-httpbis-rfc6265bis-00 A.1. draft-ietf-httpbis-rfc6265bis-00
o Port [RFC6265] to Markdown. No (intentional) normative changes. o Port [RFC6265] to Markdown. No (intentional) normative changes.
A.2. draft-ietf-httpbis-rfc6265bis-01 A.2. draft-ietf-httpbis-rfc6265bis-01
o Fixes to formatting caused by mistakes in the initial port to o Fixes to formatting caused by mistakes in the initial port to
Markdown: Markdown:
* https://github.com/httpwg/http-extensions/issues/243 [5] * https://github.com/httpwg/http-extensions/issues/243 [5]
skipping to change at page 49, line 47 skipping to change at page 50, line 29
o Clarified handling of invalid SameSite values: o Clarified handling of invalid SameSite values:
https://github.com/httpwg/http-extensions/issues/389 [15] https://github.com/httpwg/http-extensions/issues/389 [15]
o Reflect widespread implementation practice of including a cookie's o Reflect widespread implementation practice of including a cookie's
"host-only-flag" when calculating its uniqueness: "host-only-flag" when calculating its uniqueness:
https://github.com/httpwg/http-extensions/issues/199 [16] https://github.com/httpwg/http-extensions/issues/199 [16]
o Introduced an explicit "None" value for the SameSite attribute: o Introduced an explicit "None" value for the SameSite attribute:
https://github.com/httpwg/http-extensions/issues/788 [17] https://github.com/httpwg/http-extensions/issues/788 [17]
A.5. draft-ietf-httpbis-rfc6265bis-04
o Allow "SameSite" cookies to be set for all top-level navigations.
https://github.com/httpwg/http-extensions/issues/594 [18]
o Treat "Set-Cookie: token" as creating the cookie "("", "token")":
https://github.com/httpwg/http-extensions/issues/159 [19]
o Reject cookies with neither name nor value (e.g. "Set-Cookie: ="
and "Set-Cookie:": https://github.com/httpwg/http-extensions/
issues/159 [20]
Acknowledgements Acknowledgements
This document is a minor update of RFC 6265, adding small features, This document is a minor update of RFC 6265, adding small features,
and aligning the specification with the reality of today's and aligning the specification with the reality of today's
deployments. Here, we're standing upon the shoulders of giants. deployments. Here, we're standing upon the shoulders of giants.
Authors' Addresses Authors' Addresses
Adam Barth Adam Barth
Google, Inc Google, Inc
 End of changes. 43 change blocks. 
84 lines changed or deleted 124 lines changed or added

This html diff was produced by rfcdiff 1.44jr. The latest version is available from http://tools.ietf.org/tools/rfcdiff/