Require "Secure" for "SameSite=None". #1323

Merged
merged 6 commits into from
Dec 2, 2020
15 changes: 11 additions & 4 deletions draft-ietf-httpbis-rfc6265bis.md
@@ -1462,11 +1462,14 @@ user agent MUST process the cookie as follows:

4. Abort these steps and ignore the newly created cookie entirely.

16. If the cookie-name begins with a case-sensitive match for the string
16. If the cookie's "same-site-flag" is "None", abort these steps and ignore the
cookie entirely unless the cookie's secure-only-flag is true.

17. If the cookie-name begins with a case-sensitive match for the string
"__Secure-", abort these steps and ignore the cookie entirely unless the
cookie's secure-only-flag is true.

17. If the cookie-name begins with a case-sensitive match for the string
18. If the cookie-name begins with a case-sensitive match for the string
"__Host-", abort these steps and ignore the cookie entirely unless the
cookie meets all the following criteria:

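Review bot: the new step 16 makes the outcome depend on what same-site-flag holds for a cookie whose Set-Cookie carried no SameSite attribute at all; if the storage model defaults that flag to "None" rather than to a distinct default value, every non-Secure cookie without a SameSite attribute is now discarded, which is a far larger change than the title states. Confirm the default (the changes list in this same PR cites the companion Lax-by-default change, #1325) and, if the intent is to reject only an explicit SameSite=None, word the step that way. The requirement also appears only in this processing algorithm; the normative text that defines the SameSite attribute's "None" value should state the Secure requirement too, so an implementer reading the attribute definition sees it without tracing the algorithm.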
@@ -1477,7 +1480,7 @@ user agent MUST process the cookie as follows:
3. The cookie-attribute-list contains an attribute with an attribute-name
of "Path", and the cookie's path is `/`.

18. If the cookie store contains a cookie with the same name, domain,
19. If the cookie store contains a cookie with the same name, domain,
host-only-flag, and path as the newly-created cookie:

1. Let old-cookie be the existing cookie with the same name, domain,
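Review bot: renumbering 18 to 19 here (and 19 to 20 in the next hunk) is the mechanical consequence of inserting the new step; check that no prose elsewhere in the draft refers to these steps by number, since any such reference is now off by one.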
@@ -1494,7 +1497,7 @@ user agent MUST process the cookie as follows:

4. Remove the old-cookie from the cookie store.

19. Insert the newly-created cookie into the cookie store.
20. Insert the newly-created cookie into the cookie store.

A cookie is "expired" if the cookie has an expiry date in the past.

@@ -2170,6 +2173,10 @@ The "Cookie Attribute Registry" will be updated with the registrations below:
"SameSite=Lax":
<https://github.com/httpwg/http-extensions/pull/1325>.

* Require a Secure attribute for "SameSite=None":
<https://github.com/httpwg/http-extensions/pull/1323>.


# Acknowledgements
{:numbered="false"}
RFC 6265 was written by Adam Barth. This document is a minor update of
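Review bot: the added changes entry leaves two consecutive blank lines before "# Acknowledgements"; drop one so the list ends with the single blank line used between the other entries. It would also help readers of the changes list to name the storage-model step the requirement was added to, since that step, not the attribute definition, is what this PR modifies.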