draft-west-first-party-cookies | draft-ietf-httpbis-cookie-same-site-00.txt | |||
---|---|---|---|---|
HTTPbis M. West | HTTP Working Group M. West | |||
Internet-Draft Google, Inc | Internet-Draft Google, Inc | |||
Updates: 6265 (if approved) M. Goodwin | Updates: 6265 (if approved) M. Goodwin | |||
Intended status: Standards Track Mozilla | Intended status: Standards Track Mozilla | |||
Expires: October 8, 2016 April 6, 2016 | Expires: December 22, 2016 June 20, 2016 | |||
Same-site Cookies | Same-Site Cookies | |||
draft-west-first-party-cookies-07 | draft-ietf-httpbis-cookie-same-site-00 | |||
Abstract | Abstract | |||
This document updates RFC6265 by defining a "SameSite" attribute | This document updates RFC6265 by defining a "SameSite" attribute | |||
which allows servers to assert that a cookie ought not to be sent | which allows servers to assert that a cookie ought not to be sent | |||
along with cross-site requests. This assertion allows user agents to | along with cross-site requests. This assertion allows user agents to | |||
mitigate the risk of cross-origin information leakage, and provides | mitigate the risk of cross-origin information leakage, and provides | |||
some protection against cross-site request forgery attacks. | some protection against cross-site request forgery attacks. | |||
Note to Readers | ||||
Discussion of this draft takes place on the HTTP working group | ||||
mailing list ([email protected]), which is archived at | ||||
https://lists.w3.org/Archives/Public/ietf-http-wg/ . | ||||
Working Group information can be found at http://httpwg.github.io/ ; | ||||
source code and issues list for this draft can be found at | ||||
https://github.com/httpwg/http-extensions/labels/cookie-same-site . | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on October 8, 2016. | This Internet-Draft will expire on December 22, 2016. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
1.1. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
1.2. Examples . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Examples . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
2. Terminology and notation . . . . . . . . . . . . . . . . . . 4 | 2. Terminology and notation . . . . . . . . . . . . . . . . . . 4 | |||
2.1. "Same-site" and "cross-site" Requests . . . . . . . . . . 4 | 2.1. "Same-site" and "cross-site" Requests . . . . . . . . . . 5 | |||
2.1.1. Document-based requests . . . . . . . . . . . . . . . 5 | 2.1.1. Document-based requests . . . . . . . . . . . . . . . 5 | |||
2.1.2. Worker-based requests . . . . . . . . . . . . . . . . 6 | 2.1.2. Worker-based requests . . . . . . . . . . . . . . . . 6 | |||
3. Server Requirements . . . . . . . . . . . . . . . . . . . . . 7 | 3. Server Requirements . . . . . . . . . . . . . . . . . . . . . 7 | |||
3.1. Grammar . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 3.1. Grammar . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
3.2. Semantics of the "SameSite" Attribute (Non-Normative) . . 8 | 3.2. Semantics of the "SameSite" Attribute (Non-Normative) . . 8 | |||
4. User Agent Requirements . . . . . . . . . . . . . . . . . . . 8 | 4. User Agent Requirements . . . . . . . . . . . . . . . . . . . 8 | |||
4.1. The "SameSite" attribute . . . . . . . . . . . . . . . . 8 | 4.1. The "SameSite" attribute . . . . . . . . . . . . . . . . 8 | |||
4.1.1. "Strict" and "Lax" enforcement . . . . . . . . . . . 8 | 4.1.1. "Strict" and "Lax" enforcement . . . . . . . . . . . 9 | |||
4.2. Monkey-patching the Storage Model . . . . . . . . . . . . 9 | 4.2. Monkey-patching the Storage Model . . . . . . . . . . . . 9 | |||
4.3. Monkey-patching the "Cookie" header . . . . . . . . . . . 10 | 4.3. Monkey-patching the "Cookie" header . . . . . . . . . . . 10 | |||
5. Authoring Considerations . . . . . . . . . . . . . . . . . . 10 | 5. Authoring Considerations . . . . . . . . . . . . . . . . . . 10 | |||
5.1. Defense in depth . . . . . . . . . . . . . . . . . . . . 10 | 5.1. Defense in depth . . . . . . . . . . . . . . . . . . . . 10 | |||
5.2. Top-level Navigations . . . . . . . . . . . . . . . . . . 11 | 5.2. Top-level Navigations . . . . . . . . . . . . . . . . . . 10 | |||
5.3. Mashups and Widgets . . . . . . . . . . . . . . . . . . . 11 | 5.3. Mashups and Widgets . . . . . . . . . . . . . . . . . . . 11 | |||
6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 11 | 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
6.1. Server-controlled . . . . . . . . . . . . . . . . . . . . 11 | 6.1. Server-controlled . . . . . . . . . . . . . . . . . . . . 11 | |||
6.2. Pervasive Monitoring . . . . . . . . . . . . . . . . . . 12 | 6.2. Pervasive Monitoring . . . . . . . . . . . . . . . . . . 12 | |||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
7.1. Normative References . . . . . . . . . . . . . . . . . . 12 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 12 | |||
7.2. Informative References . . . . . . . . . . . . . . . . . 13 | 7.2. Informative References . . . . . . . . . . . . . . . . . 13 | |||
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 14 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 14 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
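Review bot: the title row changes "Same-site Cookies" to "Same-Site Cookies", but the section 2.1 entry in the same table of contents still reads "Same-site" and "cross-site" Requests in both columns, so the capitalization of the defined term is now inconsistent within the new draft; either carry the capital S into the 2.1 heading (and the body text it reflects) or keep the title as "Same-site Cookies". The rest of this block (individual draft renamed to the WG draft, Note to Readers added with the list archive and issue tracker, expiry dates and TOC page numbers updated) is routine and consistent: December 22, 2016 is the correct 185-day expiry for a June 20, 2016 submission.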
skipping to change at page 8, line 36 | skipping to change at page 8, line 42 | |||
implement the client-side requirements of the "SameSite" attribute. | implement the client-side requirements of the "SameSite" attribute. | |||
4.1. The "SameSite" attribute | 4.1. The "SameSite" attribute | |||
The following attribute definition should be considered part of the | The following attribute definition should be considered part of the | |||
the "Set-Cookie" algorithm as described in Section 5.2 of [RFC6265]: | the "Set-Cookie" algorithm as described in Section 5.2 of [RFC6265]: | |||
If the "attribute-name" case-insensitively matches the string | If the "attribute-name" case-insensitively matches the string | |||
"SameSite", the user agent MUST process the "cookie-av" as follows: | "SameSite", the user agent MUST process the "cookie-av" as follows: | |||
1. If "cookie-av"'s "attribute-value" is not a case-sensitive match | 1. If "cookie-av"'s "attribute-value" is not a case-insensitive | |||
for "Strict" or "Lax", ignore the "cookie-av". | match for "Strict" or "Lax", ignore the "cookie-av". | |||
2. Let "enforcement" be "Lax" if "cookie-av"'s "attribute-value" is | 2. Let "enforcement" be "Lax" if "cookie-av"'s "attribute-value" is | |||
a case-insensitive match for "Lax", and "Strict" otherwise. | a case-insensitive match for "Lax", and "Strict" otherwise. | |||
3. Append an attribute to the "cookie-attribute-list" with an | 3. Append an attribute to the "cookie-attribute-list" with an | |||
"attribute-name" of "SameSite" and an "attribute-value" of | "attribute-name" of "SameSite" and an "attribute-value" of | |||
"enforcement". | "enforcement". | |||
4.1.1. "Strict" and "Lax" enforcement | 4.1.1. "Strict" and "Lax" enforcement | |||
By default, same-site cookies will not be sent along with top-level | By default, same-site cookies will not be sent along with top-level | |||
navigations. As discussed in Section 5.2, this might or might not be | navigations. As discussed in Section 5.2, this might or might not be | |||
compatible with existing session management systems. In the | compatible with existing session management systems. In the | |||
interests of providing a drop-in mechanism that mitigates the risk of | interests of providing a drop-in mechanism that mitigates the risk of | |||
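Review bot: step 1 of the "SameSite" processing now ignores the "cookie-av" unless the "attribute-value" is a case-insensitive match for "Strict" or "Lax", which removes the mismatch with step 2, where the "Lax" test was already case-insensitive: under the old text a value such as "lax" would have been dropped by step 1 even though step 2 was written to accept it. Because step 3 appends "enforcement" rather than the raw "attribute-value", the stored value is always the canonical "Strict" or "Lax", so the case-folding is confined to parsing; it would help server authors to state in the server-side grammar that the value is matched case-insensitively. Separately, the introductory sentence of 4.1 still reads "part of the the "Set-Cookie" algorithm" in both columns; the doubled "the" survives this revision.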
End of changes. 12 change blocks. | ||||
14 lines changed or deleted | 22 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |