Require "Secure" for "SameSite=None". (#1323)
* Treat cookies as "SameSite=Lax" by default.

* Update non-normative language to mention default Lax-like enforcement.

Also update the changelog.

* Require "Secure" for "SameSite=None".

* Update changelog for Secure-"SameSite=None"

* Update draft-ietf-httpbis-rfc6265bis.md

Co-authored-by: Mike West <[email protected]>
miketaylr and mikewest committed Dec 2, 2020
1 parent 5585dfd commit 9708262
Showing 1 changed file with 11 additions and 4 deletions.
15 changes: 11 additions & 4 deletions draft-ietf-httpbis-rfc6265bis.md
@@ -1462,11 +1462,14 @@ user agent MUST process the cookie as follows:

4. Abort these steps and ignore the newly created cookie entirely.

16. If the cookie-name begins with a case-sensitive match for the string
16. If the cookie's "same-site-flag" is "None", abort these steps and ignore the
cookie entirely unless the cookie's secure-only-flag is true.

17. If the cookie-name begins with a case-sensitive match for the string
"__Secure-", abort these steps and ignore the cookie entirely unless the
cookie's secure-only-flag is true.

17. If the cookie-name begins with a case-sensitive match for the string
18. If the cookie-name begins with a case-sensitive match for the string
"__Host-", abort these steps and ignore the cookie entirely unless the
cookie meets all the following criteria:
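Review bot: new step 16 quotes the flag name as `"same-site-flag"` while the rest of the same sentence and steps 17 and 18 write `secure-only-flag` unquoted; use one form for internal flag names. Inserting a step here also renumbers 16 through 18 (and 19 and 20 in the hunks below), so any prose elsewhere in the draft that refers to these steps by number needs the same update in this change. On substance, ignoring the cookie entirely rather than falling back to the default enforcement is the right call and matches the existing `__Secure-` rule: a cookie marked `SameSite=None` without `Secure` would otherwise be attached to cross-site requests over cleartext, where it is exposed to a network attacker.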

@@ -1477,7 +1480,7 @@ user agent MUST process the cookie as follows:
3. The cookie-attribute-list contains an attribute with an attribute-name
of "Path", and the cookie's path is `/`.

18. If the cookie store contains a cookie with the same name, domain,
19. If the cookie store contains a cookie with the same name, domain,
host-only-flag, and path as the newly-created cookie:

1. Let old-cookie be the existing cookie with the same name, domain,
@@ -1494,7 +1497,7 @@ user agent MUST process the cookie as follows:

4. Remove the old-cookie from the cookie store.

19. Insert the newly-created cookie into the cookie store.
20. Insert the newly-created cookie into the cookie store.

A cookie is "expired" if the cookie has an expiry date in the past.

@@ -2170,6 +2173,10 @@ The "Cookie Attribute Registry" will be updated with the registrations below:
"SameSite=Lax":
<https://github.com/httpwg/http-extensions/pull/1325>.

* Require a Secure attribute for "SameSite=None":
<https://github.com/httpwg/http-extensions/pull/1323>.


# Acknowledgements
{:numbered="false"}
RFC 6265 was written by Adam Barth. This document is a minor update of
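Review bot: the new changelog entry says only that a Secure attribute is required for "SameSite=None"; state the consequence as well, namely that such cookies are ignored entirely (the behaviour the new step 16 introduces), since the difference between rejecting the cookie and merely ignoring its SameSite attribute matters to implementers reading the changelog alongside the preceding Lax-by-default entry. Minor: the addition leaves two blank lines before the Acknowledgements heading where the entries above are separated by one.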
