draft-ietf-httpbis-rfc6265bis-07.txt   draft-ietf-httpbis-rfc6265bis-08.txt 
HTTP M. West, Ed. HTTP L. Chen, Ed.
Internet-Draft Google, Inc Internet-Draft Google LLC
Obsoletes: 6265 (if approved) J. Wilander, Ed. Obsoletes: 6265 (if approved) S. Englehardt, Ed.
Intended status: Standards Track Apple, Inc Intended status: Standards Track Mozilla
Expires: 10 June 2021 7 December 2020 Expires: 4 December 2021 M. West, Ed.
Google LLC
J. Wilander, Ed.
Apple, Inc
2 June 2021
Cookies: HTTP State Management Mechanism Cookies: HTTP State Management Mechanism
draft-ietf-httpbis-rfc6265bis-07 draft-ietf-httpbis-rfc6265bis-08
Abstract Abstract
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
These header fields can be used by HTTP servers to store state These header fields can be used by HTTP servers to store state
(called cookies) at HTTP user agents, letting the servers maintain a (called cookies) at HTTP user agents, letting the servers maintain a
stateful session over the mostly stateless HTTP protocol. Although stateful session over the mostly stateless HTTP protocol. Although
cookies have many historical infelicities that degrade their security cookies have many historical infelicities that degrade their security
and privacy, the Cookie and Set-Cookie header fields are widely used and privacy, the Cookie and Set-Cookie header fields are widely used
on the Internet. This document obsoletes RFC 6265. on the Internet. This document obsoletes RFC 6265.
skipping to change at page 2, line 4 skipping to change at page 2, line 9
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 10 June 2021.
This Internet-Draft will expire on 4 December 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Simplified BSD License.
skipping to change at page 2, line 40 skipping to change at page 2, line 46
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 5 2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 5
2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 5 2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 5
2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 7 3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 8
4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 9 4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 9
4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 9 4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 9
4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 9 4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 9
4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 11 4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 11
4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 14 4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 14
4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 16 4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 16 4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 16
4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 16 4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 16
5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 16 5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 16
5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 17 5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 17
5.1.1. Dates . . . . . . . . . . . . . . . . . . . . . . . . 17 5.1.1. Dates . . . . . . . . . . . . . . . . . . . . . . . . 17
5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 18 5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 18
5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 19 5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 19
5.1.4. Paths and Path-Match . . . . . . . . . . . . . . . . 19 5.1.4. Paths and Path-Match . . . . . . . . . . . . . . . . 19
5.2. "Same-site" and "cross-site" Requests . . . . . . . . . . 20 5.2. "Same-site" and "cross-site" Requests . . . . . . . . . . 20
5.2.1. Document-based requests . . . . . . . . . . . . . . . 21 5.2.1. Document-based requests . . . . . . . . . . . . . . . 21
5.2.2. Worker-based requests . . . . . . . . . . . . . . . . 22 5.2.2. Worker-based requests . . . . . . . . . . . . . . . . 22
5.3. The Set-Cookie Header . . . . . . . . . . . . . . . . . . 23 5.3. Ignoring Set-Cookie Header Fields . . . . . . . . . . . . 23
5.3.1. The Expires Attribute . . . . . . . . . . . . . . . . 25 5.4. The Set-Cookie Header Field . . . . . . . . . . . . . . . 23
5.3.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 25 5.4.1. The Expires Attribute . . . . . . . . . . . . . . . . 26
5.3.3. The Domain Attribute . . . . . . . . . . . . . . . . 26 5.4.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 26
5.3.4. The Path Attribute . . . . . . . . . . . . . . . . . 26 5.4.3. The Domain Attribute . . . . . . . . . . . . . . . . 26
5.3.5. The Secure Attribute . . . . . . . . . . . . . . . . 27 5.4.4. The Path Attribute . . . . . . . . . . . . . . . . . 27
5.3.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 27 5.4.5. The Secure Attribute . . . . . . . . . . . . . . . . 27
5.3.7. The SameSite Attribute . . . . . . . . . . . . . . . 27 5.4.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 27
5.4. Storage Model . . . . . . . . . . . . . . . . . . . . . . 28 5.4.7. The SameSite Attribute . . . . . . . . . . . . . . . 28
5.5. The Cookie Header . . . . . . . . . . . . . . . . . . . . 33 5.5. Storage Model . . . . . . . . . . . . . . . . . . . . . . 30
6. Implementation Considerations . . . . . . . . . . . . . . . . 36 5.6. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 35
6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 36 5.6.1. The Cookie Header Field . . . . . . . . . . . . . . . 35
6.2. Application Programming Interfaces . . . . . . . . . . . 36 5.6.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 35
6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 36 5.6.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 36
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 37 6. Implementation Considerations . . . . . . . . . . . . . . . . 38
7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 37 6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 38
7.2. User Controls . . . . . . . . . . . . . . . . . . . . . . 38 6.2. Application Programming Interfaces . . . . . . . . . . . 38
7.3. Expiration Dates . . . . . . . . . . . . . . . . . . . . 38 6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 38
8. Security Considerations . . . . . . . . . . . . . . . . . . . 38 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 39
8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 38 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 39
8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 39 7.2. Cookie policy . . . . . . . . . . . . . . . . . . . . . . 40
8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 39 7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 40
8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 40 7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 40
8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 41 8. Security Considerations . . . . . . . . . . . . . . . . . . . 41
8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 41 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 41
8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 42 8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 41
8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 42 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 42
8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 43 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 42
8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 43 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 43
8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 44 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 44
8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 44 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 44
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 45
9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 44 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 45
9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 44 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 45
9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 45 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 46
9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 45 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 46
9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 45 8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 46
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 46 8.8.6. Top-level requests with "unsafe" methods . . . . . . 47
10.1. Normative References . . . . . . . . . . . . . . . . . . 46 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 47
10.2. Informative References . . . . . . . . . . . . . . . . . 48 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 48
Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 49 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 48
A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 49 9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 48
A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 50 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 48
A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 50 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 49
A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 51 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 49
A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 51 10.1. Normative References . . . . . . . . . . . . . . . . . . 49
A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 52 10.2. Informative References . . . . . . . . . . . . . . . . . 51
A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 52 Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 53
A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 52 A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 53
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 53 A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 53
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 54
A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 54
A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 55
A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 55
A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 55
A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 56
A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 56
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 57
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 57
1. Introduction 1. Introduction
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
Using the Set-Cookie header field, an HTTP server can pass name/value Using the Set-Cookie header field, an HTTP server can pass name/value
pairs and associated metadata (called cookies) to a user agent. When pairs and associated metadata (called cookies) to a user agent. When
the user agent makes subsequent requests to the server, the user the user agent makes subsequent requests to the server, the user
agent uses the metadata and other information to determine whether to agent uses the metadata and other information to determine whether to
return the name/value pairs in the Cookie header. return the name/value pairs in the Cookie header field.
Although simple on their surface, cookies have a number of Although simple on their surface, cookies have a number of
complexities. For example, the server indicates a scope for each complexities. For example, the server indicates a scope for each
cookie when sending it to the user agent. The scope indicates the cookie when sending it to the user agent. The scope indicates the
maximum amount of time in which the user agent should return the maximum amount of time in which the user agent should return the
cookie, the servers to which the user agent should return the cookie, cookie, the servers to which the user agent should return the cookie,
and the URI schemes for which the cookie is applicable. and the URI schemes for which the cookie is applicable.
For historical reasons, cookies contain a number of security and For historical reasons, cookies contain a number of security and
privacy infelicities. For example, a server can indicate that a privacy infelicities. For example, a server can indicate that a
skipping to change at page 5, line 5 skipping to change at page 5, line 17
To maximize interoperability with user agents, servers SHOULD limit To maximize interoperability with user agents, servers SHOULD limit
themselves to the well-behaved profile defined in Section 4 when themselves to the well-behaved profile defined in Section 4 when
generating cookies. generating cookies.
User agents MUST implement the more liberal processing rules defined User agents MUST implement the more liberal processing rules defined
in Section 5, in order to maximize interoperability with existing in Section 5, in order to maximize interoperability with existing
servers that do not conform to the well-behaved profile defined in servers that do not conform to the well-behaved profile defined in
Section 4. Section 4.
This document specifies the syntax and semantics of these headers as This document specifies the syntax and semantics of these header
they are actually used on the Internet. In particular, this document fields as they are actually used on the Internet. In particular,
does not create new syntax or semantics beyond those in use today. this document does not create new syntax or semantics beyond those in
The recommendations for cookie generation provided in Section 4 use today. The recommendations for cookie generation provided in
represent a preferred subset of current server behavior, and even the Section 4 represent a preferred subset of current server behavior,
more liberal cookie processing algorithm provided in Section 5 does and even the more liberal cookie processing algorithm provided in
not recommend all of the syntactic and semantic variations in use Section 5 does not recommend all of the syntactic and semantic
today. Where some existing software differs from the recommended variations in use today. Where some existing software differs from
protocol in significant ways, the document contains a note explaining the recommended protocol in significant ways, the document contains a
the difference. note explaining the difference.
This document obsoletes [RFC6265]. This document obsoletes [RFC6265].
2. Conventions 2. Conventions
2.1. Conformance Criteria 2.1. Conformance Criteria
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
skipping to change at page 5, line 51 skipping to change at page 6, line 14
The following core rules are included by reference, as defined in The following core rules are included by reference, as defined in
[RFC5234], Appendix B.1: ALPHA (letters), CR (carriage return), CRLF [RFC5234], Appendix B.1: ALPHA (letters), CR (carriage return), CRLF
(CR LF), CTLs (controls), DIGIT (decimal 0-9), DQUOTE (double quote), (CR LF), CTLs (controls), DIGIT (decimal 0-9), DQUOTE (double quote),
HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), NUL (null octet), HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), NUL (null octet),
OCTET (any 8-bit sequence of data except NUL), SP (space), HTAB OCTET (any 8-bit sequence of data except NUL), SP (space), HTAB
(horizontal tab), CHAR (any [USASCII] character), VCHAR (any visible (horizontal tab), CHAR (any [USASCII] character), VCHAR (any visible
[USASCII] character), and WSP (whitespace). [USASCII] character), and WSP (whitespace).
The OWS (optional whitespace) and BWS (bad whitespace) rules are The OWS (optional whitespace) and BWS (bad whitespace) rules are
defined in Section 3.2.3 of [RFC7230]. defined in Section 5.6.3 of [HTTPSEM].
2.3. Terminology 2.3. Terminology
The terms "user agent", "client", "server", "proxy", and "origin The terms "user agent", "client", "server", "proxy", and "origin
server" have the same meaning as in the HTTP/1.1 specification server" have the same meaning as in the HTTP/1.1 specification
([RFC7230], Section 2). ([HTTPSEM], Section 3).
The request-host is the name of the host, as known by the user agent, The request-host is the name of the host, as known by the user agent,
to which the user agent is sending an HTTP request or from which it to which the user agent is sending an HTTP request or from which it
is receiving an HTTP response (i.e., the name of the host to which it is receiving an HTTP response (i.e., the name of the host to which it
sent the corresponding HTTP request). sent the corresponding HTTP request).
The term request-uri refers to "request-target" as defined in The term request-uri refers to "target URI" as defined in Section 7.1
Section 5.3 of [RFC7230]. of [HTTPSEM].
Two sequences of octets are said to case-insensitively match each Two sequences of octets are said to case-insensitively match each
other if and only if they are equivalent under the i;ascii-casemap other if and only if they are equivalent under the i;ascii-casemap
collation defined in [RFC4790]. collation defined in [RFC4790].
The term string means a sequence of non-NUL octets. The term string means a sequence of non-NUL octets.
The terms "active document", "ancestor browsing context", "browsing The terms "active document", "ancestor browsing context", "browsing
context", "dedicated worker", "Document", "WorkerGlobalScope", context", "dedicated worker", "Document", "nested browsing context",
"sandboxed origin browsing context flag", "parent browsing context", "opaque origin", "parent browsing context", "sandboxed origin
"shared worker", "the worker's Documents", "nested browsing context", browsing context flag", "shared worker", "the worker's Documents",
and "top-level browsing context" are defined in [HTML]. "top-level browsing context", and "WorkerGlobalScope" are defined in
[HTML].
"Service Workers" are defined in the Service Workers specification "Service Workers" are defined in the Service Workers specification
[SERVICE-WORKERS]. [SERVICE-WORKERS].
The term "origin", the mechanism of deriving an origin from a URI, The term "origin", the mechanism of deriving an origin from a URI,
and the "the same" matching algorithm for origins are defined in and the "the same" matching algorithm for origins are defined in
[RFC6454]. [RFC6454].
"Safe" HTTP methods include "GET", "HEAD", "OPTIONS", and "TRACE", as "Safe" HTTP methods include "GET", "HEAD", "OPTIONS", and "TRACE", as
defined in Section 4.2.1 of [RFC7231]. defined in Section 9.2.1 of [HTTPSEM].
A domain's "public suffix" is the portion of a domain that is A domain's "public suffix" is the portion of a domain that is
controlled by a public registry, such as "com", "co.uk", and controlled by a public registry, such as "com", "co.uk", and
"pvt.k12.wy.us". A domain's "registrable domain" is the domain's "pvt.k12.wy.us". A domain's "registrable domain" is the domain's
public suffix plus the label to its left. That is, for public suffix plus the label to its left. That is, for
"https://www.site.example", the public suffix is "example", and the "https://www.site.example", the public suffix is "example", and the
registrable domain is "site.example". Whenever possible, user agents registrable domain is "site.example". Whenever possible, user agents
SHOULD use an up-to-date public suffix list, such as the one SHOULD use an up-to-date public suffix list, such as the one
maintained by the Mozilla project at [PSL]. maintained by the Mozilla project at [PSL].
The term "request", as well as a request's "client", "current url", The term "request", as well as a request's "client", "current url",
"method", and "target browsing context", are defined in [FETCH]. "method", "target browsing context", and "url list", are defined in
[FETCH].
The term "non-HTTP APIs" refers to non-HTTP mechanisms used to set
and retrieve cookies, such as a web browser API that exposes cookies
to scripts.
3. Overview 3. Overview
This section outlines a way for an origin server to send state This section outlines a way for an origin server to send state
information to a user agent and for the user agent to return the information to a user agent and for the user agent to return the
state information to the origin server. state information to the origin server.
To store state, the origin server includes a Set-Cookie header in an To store state, the origin server includes a Set-Cookie header field
HTTP response. In subsequent requests, the user agent returns a in an HTTP response. In subsequent requests, the user agent returns
Cookie request header to the origin server. The Cookie header a Cookie request header field to the origin server. The Cookie
contains cookies the user agent received in previous Set-Cookie header field contains cookies the user agent received in previous
headers. The origin server is free to ignore the Cookie header or Set-Cookie header fields. The origin server is free to ignore the
use its contents for an application-defined purpose. Cookie header field or use its contents for an application-defined
purpose.
Origin servers MAY send a Set-Cookie response header with any Origin servers MAY send a Set-Cookie response header field with any
response. User agents MAY ignore Set-Cookie headers contained in response. An origin server can include multiple Set-Cookie header
responses with 100-level status codes but MUST process Set-Cookie fields in a single response. The presence of a Cookie or a Set-
headers contained in other responses (including responses with 400- Cookie header field does not preclude HTTP caches from storing and
and 500-level status codes). An origin server can include multiple reusing a response.
Set-Cookie header fields in a single response. The presence of a
Cookie or a Set-Cookie header field does not preclude HTTP caches
from storing and reusing a response.
Origin servers SHOULD NOT fold multiple Set-Cookie header fields into Origin servers SHOULD NOT fold multiple Set-Cookie header fields into
a single header field. The usual mechanism for folding HTTP headers a single header field. The usual mechanism for folding HTTP headers
fields (i.e., as defined in Section 3.2.2 of [RFC7230]) might change fields (i.e., as defined in Section 5.3 of [HTTPSEM]) might change
the semantics of the Set-Cookie header field because the %x2C (",") the semantics of the Set-Cookie header field because the %x2C (",")
character is used by Set-Cookie in a way that conflicts with such character is used by Set-Cookie in a way that conflicts with such
folding. folding.
User agents MAY ignore Set-Cookie header fieldss based on response
status codes or the user agent's cookie policy (see Section 5.3).
3.1. Examples 3.1. Examples
Using the Set-Cookie header, a server can send the user agent a short Using the Set-Cookie header field, a server can send the user agent a
string in an HTTP response that the user agent will return in future short string in an HTTP response that the user agent will return in
HTTP requests that are within the scope of the cookie. For example, future HTTP requests that are within the scope of the cookie. For
the server can send the user agent a "session identifier" named SID example, the server can send the user agent a "session identifier"
with the value 31d4d96e407aad42. The user agent then returns the named SID with the value 31d4d96e407aad42. The user agent then
session identifier in subsequent requests. returns the session identifier in subsequent requests.
== Server -> User Agent == == Server -> User Agent ==
Set-Cookie: SID=31d4d96e407aad42 Set-Cookie: SID=31d4d96e407aad42
== User Agent -> Server == == User Agent -> Server ==
Cookie: SID=31d4d96e407aad42 Cookie: SID=31d4d96e407aad42
The server can alter the default scope of the cookie using the Path The server can alter the default scope of the cookie using the Path
and Domain attributes. For example, the server can instruct the user and Domain attributes. For example, the server can instruct the user
agent to return the cookie to every path and every subdomain of agent to return the cookie to every path and every subdomain of
site.example. site.example.
== Server -> User Agent == == Server -> User Agent ==
Set-Cookie: SID=31d4d96e407aad42; Path=/; Domain=site.example Set-Cookie: SID=31d4d96e407aad42; Path=/; Domain=site.example
== User Agent -> Server == == User Agent -> Server ==
skipping to change at page 8, line 32 skipping to change at page 9, line 4
the more sensitive session identifier (see Section 4.1.2). the more sensitive session identifier (see Section 4.1.2).
== Server -> User Agent == == Server -> User Agent ==
Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly Set-Cookie: SID=31d4d96e407aad42; Path=/; Secure; HttpOnly
Set-Cookie: lang=en-US; Path=/; Domain=site.example Set-Cookie: lang=en-US; Path=/; Domain=site.example
== User Agent -> Server == == User Agent -> Server ==
Cookie: SID=31d4d96e407aad42; lang=en-US Cookie: SID=31d4d96e407aad42; lang=en-US
Notice that the Cookie header field above contains two cookies, one
Notice that the Cookie header above contains two cookies, one named named SID and one named lang. If the server wishes the user agent to
SID and one named lang. If the server wishes the user agent to
persist the cookie over multiple "sessions" (e.g., user agent persist the cookie over multiple "sessions" (e.g., user agent
restarts), the server can specify an expiration date in the Expires restarts), the server can specify an expiration date in the Expires
attribute. Note that the user agent might delete the cookie before attribute. Note that the user agent might delete the cookie before
the expiration date if the user agent's cookie store exceeds its the expiration date if the user agent's cookie store exceeds its
quota or if the user manually deletes the server's cookie. quota or if the user manually deletes the server's cookie.
== Server -> User Agent == == Server -> User Agent ==
Set-Cookie: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT Set-Cookie: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT
skipping to change at page 9, line 4 skipping to change at page 9, line 19
the expiration date if the user agent's cookie store exceeds its the expiration date if the user agent's cookie store exceeds its
quota or if the user manually deletes the server's cookie. quota or if the user manually deletes the server's cookie.
== Server -> User Agent == == Server -> User Agent ==
Set-Cookie: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT Set-Cookie: lang=en-US; Expires=Wed, 09 Jun 2021 10:18:14 GMT
== User Agent -> Server == == User Agent -> Server ==
Cookie: SID=31d4d96e407aad42; lang=en-US Cookie: SID=31d4d96e407aad42; lang=en-US
Finally, to remove a cookie, the server returns a Set-Cookie header Finally, to remove a cookie, the server returns a Set-Cookie header
with an expiration date in the past. The server will be successful field with an expiration date in the past. The server will be
in removing the cookie only if the Path and the Domain attribute in successful in removing the cookie only if the Path and the Domain
the Set-Cookie header match the values used when the cookie was attribute in the Set-Cookie header field match the values used when
created. the cookie was created.
== Server -> User Agent == == Server -> User Agent ==
Set-Cookie: lang=; Expires=Sun, 06 Nov 1994 08:49:37 GMT Set-Cookie: lang=; Expires=Sun, 06 Nov 1994 08:49:37 GMT
== User Agent -> Server == == User Agent -> Server ==
Cookie: SID=31d4d96e407aad42 Cookie: SID=31d4d96e407aad42
4. Server Requirements 4. Server Requirements
This section describes the syntax and semantics of a well-behaved This section describes the syntax and semantics of a well-behaved
profile of the Cookie and Set-Cookie headers. profile of the Cookie and Set-Cookie header fields.
4.1. Set-Cookie 4.1. Set-Cookie
The Set-Cookie HTTP response header is used to send cookies from the The Set-Cookie HTTP response header field is used to send cookies
server to the user agent. from the server to the user agent.
4.1.1. Syntax 4.1.1. Syntax
Informally, the Set-Cookie response header contains the header name Informally, the Set-Cookie response header field contains a cookie,
"Set-Cookie" followed by a ":" and a cookie. Each cookie begins with which begins with a name-value-pair, followed by zero or more
a name-value-pair, followed by zero or more attribute-value pairs. attribute-value pairs. Servers SHOULD NOT send Set-Cookie header
Servers SHOULD NOT send Set-Cookie headers that fail to conform to fields that fail to conform to the following grammar:
the following grammar:
set-cookie-header = "Set-Cookie:" SP BWS set-cookie-string set-cookie = set-cookie-string
set-cookie-string = BWS cookie-pair *( BWS ";" OWS cookie-av ) set-cookie-string = BWS cookie-pair *( BWS ";" OWS cookie-av )
cookie-pair = cookie-name BWS "=" BWS cookie-value cookie-pair = cookie-name BWS "=" BWS cookie-value
cookie-name = 1*cookie-octet cookie-name = 1*cookie-octet
cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE ) cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
/ %x80-FF / %x80-FF
; octets excluding CTLs, ; octets excluding CTLs,
; whitespace DQUOTE, comma, semicolon, ; whitespace DQUOTE, comma, semicolon,
; and backslash ; and backslash
cookie-av = expires-av / max-age-av / domain-av / cookie-av = expires-av / max-age-av / domain-av /
path-av / secure-av / httponly-av / path-av / secure-av / httponly-av /
samesite-av / extension-av samesite-av / extension-av
expires-av = "Expires" BWS "=" BWS sane-cookie-date expires-av = "Expires" BWS "=" BWS sane-cookie-date
sane-cookie-date = sane-cookie-date =
<IMF-fixdate, defined in [RFC7231], Section 7.1.1.1> <IMF-fixdate, defined in [HTTPSEM], Section 5.6.7>
max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT
; In practice, both expires-av and max-age-av ; In practice, both expires-av and max-age-av
; are limited to dates representable by the ; are limited to dates representable by the
; user agent. ; user agent.
non-zero-digit = %x31-39 non-zero-digit = %x31-39
; digits 1 through 9 ; digits 1 through 9
domain-av = "Domain" BWS "=" BWS domain-value domain-av = "Domain" BWS "=" BWS domain-value
domain-value = <subdomain> domain-value = <subdomain>
; defined in [RFC1034], Section 3.5, as ; defined in [RFC1034], Section 3.5, as
; enhanced by [RFC1123], Section 2.1 ; enhanced by [RFC1123], Section 2.1
skipping to change at page 11, line 8 skipping to change at page 11, line 8
The semantics of the cookie-value are not defined by this document. The semantics of the cookie-value are not defined by this document.
To maximize compatibility with user agents, servers that wish to To maximize compatibility with user agents, servers that wish to
store arbitrary data in a cookie-value SHOULD encode that data, for store arbitrary data in a cookie-value SHOULD encode that data, for
example, using Base64 [RFC4648]. example, using Base64 [RFC4648].
Per the grammar above, the cookie-value MAY be wrapped in DQUOTE Per the grammar above, the cookie-value MAY be wrapped in DQUOTE
characters. Note that in this case, the initial and trailing DQUOTE characters. Note that in this case, the initial and trailing DQUOTE
characters are not stripped. They are part of the cookie-value, and characters are not stripped. They are part of the cookie-value, and
will be included in Cookie headers sent to the server. will be included in Cookie header fields sent to the server.
The portions of the set-cookie-string produced by the cookie-av term The portions of the set-cookie-string produced by the cookie-av term
are known as attributes. To maximize compatibility with user agents, are known as attributes. To maximize compatibility with user agents,
servers SHOULD NOT produce two attributes with the same name in the servers SHOULD NOT produce two attributes with the same name in the
same set-cookie-string. (See Section 5.4 for how user agents handle same set-cookie-string. (See Section 5.5 for how user agents handle
this case.) this case.)
Servers SHOULD NOT include more than one Set-Cookie header field in Servers SHOULD NOT include more than one Set-Cookie header field in
the same response with the same cookie-name. (See Section 5.3 for the same response with the same cookie-name. (See Section 5.4 for
how user agents handle this case.) how user agents handle this case.)
If a server sends multiple responses containing Set-Cookie headers If a server sends multiple responses containing Set-Cookie header
concurrently to the user agent (e.g., when communicating with the fields concurrently to the user agent (e.g., when communicating with
user agent over multiple sockets), these responses create a "race the user agent over multiple sockets), these responses create a "race
condition" that can lead to unpredictable behavior. condition" that can lead to unpredictable behavior.
NOTE: Some existing user agents differ in their interpretation of NOTE: Some existing user agents differ in their interpretation of
two-digit years. To avoid compatibility issues, servers SHOULD use two-digit years. To avoid compatibility issues, servers SHOULD use
the rfc1123-date format, which requires a four-digit year. the rfc1123-date format, which requires a four-digit year.
NOTE: Some user agents store and process dates in cookies as 32-bit NOTE: Some user agents store and process dates in cookies as 32-bit
UNIX time_t values. Implementation bugs in the libraries supporting UNIX time_t values. Implementation bugs in the libraries supporting
time_t processing on some systems might cause such user agents to time_t processing on some systems might cause such user agents to
process dates after the year 2038 incorrectly. process dates after the year 2038 incorrectly.
4.1.2. Semantics (Non-Normative) 4.1.2. Semantics (Non-Normative)
This section describes simplified semantics of the Set-Cookie header. This section describes simplified semantics of the Set-Cookie header
These semantics are detailed enough to be useful for understanding field. These semantics are detailed enough to be useful for
the most common uses of cookies by servers. The full semantics are understanding the most common uses of cookies by servers. The full
described in Section 5. semantics are described in Section 5.
When the user agent receives a Set-Cookie header, the user agent When the user agent receives a Set-Cookie header field, the user
stores the cookie together with its attributes. Subsequently, when agent stores the cookie together with its attributes. Subsequently,
the user agent makes an HTTP request, the user agent includes the when the user agent makes an HTTP request, the user agent includes
applicable, non-expired cookies in the Cookie header. the applicable, non-expired cookies in the Cookie header field.
If the user agent receives a new cookie with the same cookie-name, If the user agent receives a new cookie with the same cookie-name,
domain-value, and path-value as a cookie that it has already stored, domain-value, and path-value as a cookie that it has already stored,
the existing cookie is evicted and replaced with the new cookie. the existing cookie is evicted and replaced with the new cookie.
Notice that servers can delete cookies by sending the user agent a Notice that servers can delete cookies by sending the user agent a
new cookie with an Expires attribute with a value in the past. new cookie with an Expires attribute with a value in the past.
Unless the cookie's attributes indicate otherwise, the cookie is Unless the cookie's attributes indicate otherwise, the cookie is
returned only to the origin server (and not, for example, to any returned only to the origin server (and not, for example, to any
subdomains), and it expires at the end of the current session (as subdomains), and it expires at the end of the current session (as
skipping to change at page 12, line 42 skipping to change at page 12, line 42
Age attribute has precedence and controls the expiration date of the Age attribute has precedence and controls the expiration date of the
cookie. If a cookie has neither the Max-Age nor the Expires cookie. If a cookie has neither the Max-Age nor the Expires
attribute, the user agent will retain the cookie until "the current attribute, the user agent will retain the cookie until "the current
session is over" (as defined by the user agent). session is over" (as defined by the user agent).
4.1.2.3. The Domain Attribute 4.1.2.3. The Domain Attribute
The Domain attribute specifies those hosts to which the cookie will The Domain attribute specifies those hosts to which the cookie will
be sent. For example, if the value of the Domain attribute is be sent. For example, if the value of the Domain attribute is
"site.example", the user agent will include the cookie in the Cookie "site.example", the user agent will include the cookie in the Cookie
header when making HTTP requests to site.example, www.site.example, header field when making HTTP requests to site.example,
and www.corp.site.example. (Note that a leading %x2E ("."), if www.site.example, and www.corp.site.example. (Note that a leading
present, is ignored even though that character is not permitted, but %x2E ("."), if present, is ignored even though that character is not
a trailing %x2E ("."), if present, will cause the user agent to permitted, but a trailing %x2E ("."), if present, will cause the user
ignore the attribute.) If the server omits the Domain attribute, the agent to ignore the attribute.) If the server omits the Domain
user agent will return the cookie only to the origin server. attribute, the user agent will return the cookie only to the origin
server.
WARNING: Some existing user agents treat an absent Domain attribute WARNING: Some existing user agents treat an absent Domain attribute
as if the Domain attribute were present and contained the current as if the Domain attribute were present and contained the current
host name. For example, if site.example returns a Set-Cookie header host name. For example, if site.example returns a Set-Cookie header
without a Domain attribute, these user agents will erroneously send field without a Domain attribute, these user agents will erroneously
the cookie to www.site.example as well. send the cookie to www.site.example as well.
The user agent will reject cookies unless the Domain attribute The user agent will reject cookies unless the Domain attribute
specifies a scope for the cookie that would include the origin specifies a scope for the cookie that would include the origin
server. For example, the user agent will accept a cookie with a server. For example, the user agent will accept a cookie with a
Domain attribute of "site.example" or of "foo.site.example" from Domain attribute of "site.example" or of "foo.site.example" from
foo.site.example, but the user agent will not accept a cookie with a foo.site.example, but the user agent will not accept a cookie with a
Domain attribute of "bar.site.example" or of "baz.foo.site.example". Domain attribute of "bar.site.example" or of "baz.foo.site.example".
NOTE: For security reasons, many user agents are configured to reject NOTE: For security reasons, many user agents are configured to reject
Domain attributes that correspond to "public suffixes". For example, Domain attributes that correspond to "public suffixes". For example,
some user agents will reject Domain attributes of "com" or "co.uk". some user agents will reject Domain attributes of "com" or "co.uk".
(See Section 5.4 for more information.) (See Section 5.5 for more information.)
4.1.2.4. The Path Attribute 4.1.2.4. The Path Attribute
The scope of each cookie is limited to a set of paths, controlled by The scope of each cookie is limited to a set of paths, controlled by
the Path attribute. If the server omits the Path attribute, the user the Path attribute. If the server omits the Path attribute, the user
agent will use the "directory" of the request-uri's path component as agent will use the "directory" of the request-uri's path component as
the default value. (See Section 5.1.4 for more details.) the default value. (See Section 5.1.4 for more details.)
The user agent will include the cookie in an HTTP request only if the The user agent will include the cookie in an HTTP request only if the
path portion of the request-uri matches (or is a subdirectory of) the path portion of the request-uri matches (or is a subdirectory of) the
skipping to change at page 14, line 9 skipping to change at page 14, line 9
Although seemingly useful for protecting cookies from active network Although seemingly useful for protecting cookies from active network
attackers, the Secure attribute protects only the cookie's attackers, the Secure attribute protects only the cookie's
confidentiality. An active network attacker can overwrite Secure confidentiality. An active network attacker can overwrite Secure
cookies from an insecure channel, disrupting their integrity (see cookies from an insecure channel, disrupting their integrity (see
Section 8.6 for more details). Section 8.6 for more details).
4.1.2.6. The HttpOnly Attribute 4.1.2.6. The HttpOnly Attribute
The HttpOnly attribute limits the scope of the cookie to HTTP The HttpOnly attribute limits the scope of the cookie to HTTP
requests. In particular, the attribute instructs the user agent to requests. In particular, the attribute instructs the user agent to
omit the cookie when providing access to cookies via "non-HTTP" APIs omit the cookie when providing access to cookies via non-HTTP APIs.
(such as a web browser API that exposes cookies to scripts).
Note that the HttpOnly attribute is independent of the Secure Note that the HttpOnly attribute is independent of the Secure
attribute: a cookie can have both the HttpOnly and the Secure attribute: a cookie can have both the HttpOnly and the Secure
attribute. attribute.
4.1.2.7. The SameSite Attribute 4.1.2.7. The SameSite Attribute
The "SameSite" attribute limits the scope of the cookie such that it The "SameSite" attribute limits the scope of the cookie such that it
will only be attached to requests if those requests are same-site, as will only be attached to requests if those requests are same-site, as
defined by the algorithm in Section 5.2. For example, requests for defined by the algorithm in Section 5.2. For example, requests for
"https://site.example/sekrit-image" will attach same-site cookies if "https://site.example/sekrit-image" will attach same-site cookies if
and only if initiated from a context whose "site for cookies" is an and only if initiated from a context whose "site for cookies" is an
origin with a scheme and registered domain of "https" and origin with a scheme and registered domain of "https" and
"site.example" respectively. "site.example" respectively.
If the "SameSite" attribute's value is "Strict", the cookie will only If the "SameSite" attribute's value is "Strict", the cookie will only
be sent along with "same-site" requests. If the value is "Lax", the be sent along with "same-site" requests. If the value is "Lax", the
cookie will be sent with same-site requests, and with "cross-site" cookie will be sent with same-site requests, and with "cross-site"
top-level navigations, as described in Section 5.3.7.1. If the value top-level navigations, as described in Section 5.4.7.1. If the value
is "None", the cookie will be sent with same-site and cross-site is "None", the cookie will be sent with same-site and cross-site
requests. If the "SameSite" attribute's value is something other requests. If the "SameSite" attribute's value is something other
than these three known keywords, the attribute's value will be than these three known keywords, the attribute's value will be
subject to a default enforcement mode that is equivalent to "Lax". subject to a default enforcement mode that is equivalent to "Lax".
The "SameSite" attribute affects cookie creation as well as delivery. The "SameSite" attribute affects cookie creation as well as delivery.
Cookies which assert "SameSite=Lax" or "SameSite=Strict" cannot be Cookies which assert "SameSite=Lax" or "SameSite=Strict" cannot be
set in responses to cross-site subresource requests, or cross-site set in responses to cross-site subresource requests, or cross-site
nested navigations. They can be set along with any top-level nested navigations. They can be set along with any top-level
navigation, cross-site or otherwise. navigation, cross-site or otherwise.
skipping to change at page 14, line 52 skipping to change at page 14, line 51
Section 8.5 and Section 8.6 of this document spell out some of the Section 8.5 and Section 8.6 of this document spell out some of the
drawbacks of cookies' historical implementation. In particular, it drawbacks of cookies' historical implementation. In particular, it
is impossible for a server to have confidence that a given cookie was is impossible for a server to have confidence that a given cookie was
set with a particular set of attributes. In order to provide such set with a particular set of attributes. In order to provide such
confidence in a backwards-compatible way, two common sets of confidence in a backwards-compatible way, two common sets of
requirements can be inferred from the first few characters of the requirements can be inferred from the first few characters of the
cookie's name. cookie's name.
The normative requirements for the prefixes described below are The normative requirements for the prefixes described below are
detailed in the storage model algorithm defined in Section 5.4. detailed in the storage model algorithm defined in Section 5.5.
4.1.3.1. The "__Secure-" Prefix 4.1.3.1. The "__Secure-" Prefix
If a cookie's name begins with a case-sensitive match for the string If a cookie's name begins with a case-sensitive match for the string
"__Secure-", then the cookie will have been set with a "Secure" "__Secure-", then the cookie will have been set with a "Secure"
attribute. attribute.
For example, the following "Set-Cookie" header would be rejected by a For example, the following "Set-Cookie" header field would be
conformant user agent, as it does not have a "Secure" attribute. rejected by a conformant user agent, as it does not have a "Secure"
attribute.
Set-Cookie: __Secure-SID=12345; Domain=site.example Set-Cookie: __Secure-SID=12345; Domain=site.example
Whereas the following "Set-Cookie" header would be accepted: Whereas the following "Set-Cookie" header field would be accepted:
Set-Cookie: __Secure-SID=12345; Domain=site.example; Secure Set-Cookie: __Secure-SID=12345; Domain=site.example; Secure
4.1.3.2. The "__Host-" Prefix 4.1.3.2. The "__Host-" Prefix
If a cookie's name begins with a case-sensitive match for the string If a cookie's name begins with a case-sensitive match for the string
"__Host-", then the cookie will have been set with a "Secure" "__Host-", then the cookie will have been set with a "Secure"
attribute, a "Path" attribute with a value of "/", and no "Domain" attribute, a "Path" attribute with a value of "/", and no "Domain"
attribute. attribute.
skipping to change at page 16, line 10 skipping to change at page 16, line 10
While the following would be accepted if set from a secure origin While the following would be accepted if set from a secure origin
(e.g. "https://site.example/"), and rejected otherwise: (e.g. "https://site.example/"), and rejected otherwise:
Set-Cookie: __Host-SID=12345; Secure; Path=/ Set-Cookie: __Host-SID=12345; Secure; Path=/
4.2. Cookie 4.2. Cookie
4.2.1. Syntax 4.2.1. Syntax
The user agent sends stored cookies to the origin server in the The user agent sends stored cookies to the origin server in the
Cookie header. If the server conforms to the requirements in Cookie header field. If the server conforms to the requirements in
Section 4.1 (and the user agent conforms to the requirements in Section 4.1 (and the user agent conforms to the requirements in
Section 5), the user agent will send a Cookie header that conforms to Section 5), the user agent will send a Cookie header field that
the following grammar: conforms to the following grammar:
cookie-header = "Cookie:" SP cookie-string cookie = cookie-string
cookie-string = cookie-pair *( ";" SP cookie-pair ) cookie-string = cookie-pair *( ";" SP cookie-pair )
4.2.2. Semantics 4.2.2. Semantics
Each cookie-pair represents a cookie stored by the user agent. The Each cookie-pair represents a cookie stored by the user agent. The
cookie-pair contains the cookie-name and cookie-value the user agent cookie-pair contains the cookie-name and cookie-value the user agent
received in the Set-Cookie header. received in the Set-Cookie header field.
Notice that the cookie attributes are not returned. In particular, Notice that the cookie attributes are not returned. In particular,
the server cannot determine from the Cookie header alone when a the server cannot determine from the Cookie field alone when a cookie
cookie will expire, for which hosts the cookie is valid, for which will expire, for which hosts the cookie is valid, for which paths the
paths the cookie is valid, or whether the cookie was set with the cookie is valid, or whether the cookie was set with the Secure or
Secure or HttpOnly attributes. HttpOnly attributes.
The semantics of individual cookies in the Cookie header are not The semantics of individual cookies in the Cookie header field are
defined by this document. Servers are expected to imbue these not defined by this document. Servers are expected to imbue these
cookies with application-specific semantics. cookies with application-specific semantics.
Although cookies are serialized linearly in the Cookie header, Although cookies are serialized linearly in the Cookie header field,
servers SHOULD NOT rely upon the serialization order. In particular, servers SHOULD NOT rely upon the serialization order. In particular,
if the Cookie header contains two cookies with the same name (e.g., if the Cookie header field contains two cookies with the same name
that were set with different Path or Domain attributes), servers (e.g., that were set with different Path or Domain attributes),
SHOULD NOT rely upon the order in which these cookies appear in the servers SHOULD NOT rely upon the order in which these cookies appear
header. in the header field.
5. User Agent Requirements 5. User Agent Requirements
This section specifies the Cookie and Set-Cookie headers in This section specifies the Cookie and Set-Cookie header fields in
sufficient detail that a user agent implementing these requirements sufficient detail that a user agent implementing these requirements
precisely can interoperate with existing servers (even those that do precisely can interoperate with existing servers (even those that do
not conform to the well-behaved profile described in Section 4). not conform to the well-behaved profile described in Section 4).
A user agent could enforce more restrictions than those specified A user agent could enforce more restrictions than those specified
herein (e.g., for the sake of improved security); however, herein (e.g., restrictions specified by its cookie policy, described
experiments have shown that such strictness reduces the likelihood in Section 7.2). However, such additional restrictions may reduce
that a user agent will be able to interoperate with existing servers. the likelihood that a user agent will be able to interoperate with
existing servers.
5.1. Subcomponent Algorithms 5.1. Subcomponent Algorithms
This section defines some algorithms used by user agents to process This section defines some algorithms used by user agents to process
specific subcomponents of the Cookie and Set-Cookie headers. specific subcomponents of the Cookie and Set-Cookie header fields.
5.1.1. Dates 5.1.1. Dates
The user agent MUST use an algorithm equivalent to the following The user agent MUST use an algorithm equivalent to the following
algorithm to parse a cookie-date. Note that the various boolean algorithm to parse a cookie-date. Note that the various boolean
flags defined as a part of the algorithm (i.e., found-time, found- flags defined as a part of the algorithm (i.e., found-time, found-
day-of-month, found-month, found-year) are initially "not set". day-of-month, found-month, found-year) are initially "not set".
1. Using the grammar below, divide the cookie-date into date-tokens. 1. Using the grammar below, divide the cookie-date into date-tokens.
cookie-date = *delimiter date-token-list *delimiter cookie-date = *delimiter date-token-list *delimiter
date-token-list = date-token *( 1*delimiter date-token ) date-token-list = date-token *( 1*delimiter date-token )
date-token = 1*non-delimiter date-token = 1*non-delimiter
delimiter = %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E delimiter = %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E
non-delimiter = %x00-08 / %x0A-1F / DIGIT / ":" / ALPHA / %x7F-FF non-delimiter = %x00-08 / %x0A-1F / DIGIT / ":" / ALPHA / %x7F-FF
non-digit = %x00-2F / %x3A-FF non-digit = %x00-2F / %x3A-FF
day-of-month = 1*2DIGIT [ non-digit *OCTET ] day-of-month = 1*2DIGIT [ non-digit *OCTET ]
month = ( "jan" / "feb" / "mar" / "apr" / month = ( "jan" / "feb" / "mar" / "apr" /
"may" / "jun" / "jul" / "aug" / "may" / "jun" / "jul" / "aug" /
"sep" / "oct" / "nov" / "dec" ) *OCTET "sep" / "oct" / "nov" / "dec" ) *OCTET
year = 2*4DIGIT [ non-digit *OCTET ] year = 2*4DIGIT [ non-digit *OCTET ]
time = hms-time [ non-digit *OCTET ] time = hms-time [ non-digit *OCTET ]
hms-time = time-field ":" time-field ":" time-field hms-time = time-field ":" time-field ":" time-field
time-field = 1*2DIGIT time-field = 1*2DIGIT
2. Process each date-token sequentially in the order the date-tokens 2. Process each date-token sequentially in the order the date-tokens
appear in the cookie-date: appear in the cookie-date:
1. If the found-time flag is not set and the token matches the 1. If the found-time flag is not set and the token matches the
time production, set the found-time flag and set the hour- time production, set the found-time flag and set the hour-
value, minute-value, and second-value to the numbers denoted value, minute-value, and second-value to the numbers denoted
by the digits in the date-token, respectively. Skip the by the digits in the date-token, respectively. Skip the
remaining sub-steps and continue to the next date-token. remaining sub-steps and continue to the next date-token.
skipping to change at page 19, line 41 skipping to change at page 19, line 41
domain string is a %x2E (".") character. domain string is a %x2E (".") character.
- The string is a host name (i.e., not an IP address). - The string is a host name (i.e., not an IP address).
5.1.4. Paths and Path-Match 5.1.4. Paths and Path-Match
The user agent MUST use an algorithm equivalent to the following The user agent MUST use an algorithm equivalent to the following
algorithm to compute the default-path of a cookie: algorithm to compute the default-path of a cookie:
1. Let uri-path be the path portion of the request-uri if such a 1. Let uri-path be the path portion of the request-uri if such a
portion exists (and empty otherwise). For example, if the portion exists (and empty otherwise).
request-uri contains just a path (and optional query string),
then the uri-path is that path (without the %x3F ("?") character
or query string), and if the request-uri contains a full
absoluteURI, the uri-path is the path component of that URI.
2. If the uri-path is empty or if the first character of the uri- 2. If the uri-path is empty or if the first character of the uri-
path is not a %x2F ("/") character, output %x2F ("/") and skip path is not a %x2F ("/") character, output %x2F ("/") and skip
the remaining steps. the remaining steps.
3. If the uri-path contains no more than one %x2F ("/") character, 3. If the uri-path contains no more than one %x2F ("/") character,
output %x2F ("/") and skip the remaining step. output %x2F ("/") and skip the remaining step.
4. Output the characters of the uri-path from the first character up 4. Output the characters of the uri-path from the first character up
to, but not including, the right-most %x2F ("/"). to, but not including, the right-most %x2F ("/").
skipping to change at page 20, line 26 skipping to change at page 20, line 23
* The cookie-path is a prefix of the request-path, and the last * The cookie-path is a prefix of the request-path, and the last
character of the cookie-path is %x2F ("/"). character of the cookie-path is %x2F ("/").
* The cookie-path is a prefix of the request-path, and the first * The cookie-path is a prefix of the request-path, and the first
character of the request-path that is not included in the cookie- character of the request-path that is not included in the cookie-
path is a %x2F ("/") character. path is a %x2F ("/") character.
5.2. "Same-site" and "cross-site" Requests 5.2. "Same-site" and "cross-site" Requests
Two origins, A and B, are considered same-site if the following Two origins are same-site if they satisfy the "same site" criteria
algorithm returns true: defined in [SAMESITE]. A request is "same-site" if the following
criteria are true:
1. If A and B are both the same globally unique identifier, return
true.
2. If A and B are both scheme/host/port triples:
1. If A's scheme does not equal B's scheme, return false.
2. Let hostA be A's host, and hostB be B's host.
3. If hostA equals hostB and hostA's registrable domain is null,
return true.
4. If hostA's registrable domain equals hostB's registrable 1. The request is not the result of a cross-site redirect. That is,
domain and is non-null, return true. the origin of every url in the request's url list is same-site
with the request's current url's origin.
3. Return false. 2. The request is not the result of a reload navigation triggered
through a user interface element (as defined by the user agent;
e.g., a request triggered by the user clicking a refresh button
on a toolbar).
Note: The port component of the origins is not considered. 3. The request's current url's origin is same-site with the
request's client's "site for cookies" (which is an origin), or if
the request has no client or the request's client is null.
A request is "same-site" if its target's URI's origin is same-site Requests which are the result of a reload navigation triggered
with the request's client's "site for cookies" (which is an origin), through a user interface element are same-site if the reloaded
or if the request has no client. The request is otherwise "cross- document was originally navigated to via a same-site request. A
site". request that is not "same-site" is instead "cross-site".
The request's client's "site for cookies" is calculated depending The request's client's "site for cookies" is calculated depending
upon its client's type, as described in the following subsections: upon its client's type, as described in the following subsections:
5.2.1. Document-based requests 5.2.1. Document-based requests
The URI displayed in a user agent's address bar is the only security The URI displayed in a user agent's address bar is the only security
context directly exposed to users, and therefore the only signal context directly exposed to users, and therefore the only signal
users can reasonably rely upon to determine whether or not they trust users can reasonably rely upon to determine whether or not they trust
a particular website. The origin of that URI represents the context a particular website. The origin of that URI represents the context
skipping to change at page 21, line 28 skipping to change at page 21, line 25
For a document displayed in a top-level browsing context, we can stop For a document displayed in a top-level browsing context, we can stop
here: the document's "site for cookies" is the top-level origin. here: the document's "site for cookies" is the top-level origin.
For documents which are displayed in nested browsing contexts, we For documents which are displayed in nested browsing contexts, we
need to audit the origins of each of a document's ancestor browsing need to audit the origins of each of a document's ancestor browsing
contexts' active documents in order to account for the "multiple- contexts' active documents in order to account for the "multiple-
nested scenarios" described in Section 4 of [RFC7034]. A document's nested scenarios" described in Section 4 of [RFC7034]. A document's
"site for cookies" is the top-level origin if and only if the top- "site for cookies" is the top-level origin if and only if the top-
level origin is same-site with the document's origin, and with each level origin is same-site with the document's origin, and with each
of the document's ancestor documents' origins. Otherwise its "site of the document's ancestor documents' origins. Otherwise its "site
for cookies" is an origin set to a globally unique identifier. for cookies" is an origin set to an opaque origin.
Given a Document ("document"), the following algorithm returns its Given a Document ("document"), the following algorithm returns its
"site for cookies": "site for cookies":
1. Let "top-document" be the active document in "document"'s 1. Let "top-document" be the active document in "document"'s
browsing context's top-level browsing context. browsing context's top-level browsing context.
2. Let "top-origin" be the origin of "top-document"'s URI if "top- 2. Let "top-origin" be the origin of "top-document"'s URI if "top-
document"'s sandboxed origin browsing context flag is set, and document"'s sandboxed origin browsing context flag is set, and
"top-document"'s origin otherwise. "top-document"'s origin otherwise.
skipping to change at page 21, line 50 skipping to change at page 21, line 47
3. Let "documents" be a list containing "document" and each of 3. Let "documents" be a list containing "document" and each of
"document"'s ancestor browsing contexts' active documents. "document"'s ancestor browsing contexts' active documents.
4. For each "item" in "documents": 4. For each "item" in "documents":
1. Let "origin" be the origin of "item"'s URI if "item"'s 1. Let "origin" be the origin of "item"'s URI if "item"'s
sandboxed origin browsing context flag is set, and "item"'s sandboxed origin browsing context flag is set, and "item"'s
origin otherwise. origin otherwise.
2. If "origin" is not same-site with "top-origin", return an 2. If "origin" is not same-site with "top-origin", return an
origin set to a globally unique identifier. origin set to an opaque origin.
5. Return "top-origin". 5. Return "top-origin".
5.2.2. Worker-based requests 5.2.2. Worker-based requests
Worker-driven requests aren't as clear-cut as document-driven Worker-driven requests aren't as clear-cut as document-driven
requests, as there isn't a clear link between a top-level browsing requests, as there isn't a clear link between a top-level browsing
context and a worker. This is especially true for Service Workers context and a worker. This is especially true for Service Workers
[SERVICE-WORKERS], which may execute code in the background, without [SERVICE-WORKERS], which may execute code in the background, without
any document visible at all. any document visible at all.
skipping to change at page 22, line 28 skipping to change at page 22, line 28
5.2.2.1. Dedicated and Shared Workers 5.2.2.1. Dedicated and Shared Workers
Dedicated workers are simple, as each dedicated worker is bound to Dedicated workers are simple, as each dedicated worker is bound to
one and only one document. Requests generated from a dedicated one and only one document. Requests generated from a dedicated
worker (via "importScripts", "XMLHttpRequest", "fetch()", etc) define worker (via "importScripts", "XMLHttpRequest", "fetch()", etc) define
their "site for cookies" as that document's "site for cookies". their "site for cookies" as that document's "site for cookies".
Shared workers may be bound to multiple documents at once. As it is Shared workers may be bound to multiple documents at once. As it is
quite possible for those documents to have distinct "site for quite possible for those documents to have distinct "site for
cookies" values, the worker's "site for cookies" will be an origin cookies" values, the worker's "site for cookies" will be an origin
set to a globally unique identifier in cases where the values are not set to an opaque origin in cases where the values are not all same-
all same-site with the worker's origin, and the worker's origin in site with the worker's origin, and the worker's origin in cases where
cases where the values agree. the values agree.
Given a WorkerGlobalScope ("worker"), the following algorithm returns Given a WorkerGlobalScope ("worker"), the following algorithm returns
its "site for cookies": its "site for cookies":
1. Let "site" be "worker"'s origin. 1. Let "site" be "worker"'s origin.
2. For each "document" in "worker"'s Documents: 2. For each "document" in "worker"'s Documents:
1. Let "document-site" be "document"'s "site for cookies" (as 1. Let "document-site" be "document"'s "site for cookies" (as
defined in Section 5.2.1). defined in Section 5.2.1).
2. If "document-site" is not same-site with "site", return an 2. If "document-site" is not same-site with "site", return an
origin set to a globally unique identifier. origin set to an opaque origin.
3. Return "site". 3. Return "site".
5.2.2.2. Service Workers 5.2.2.2. Service Workers
Service Workers are more complicated, as they act as a completely Service Workers are more complicated, as they act as a completely
separate execution context with only tangential relationship to the separate execution context with only tangential relationship to the
Document which registered them. Document which registered them.
Requests which simply pass through a Service Worker will be handled Requests which simply pass through a Service Worker will be handled
skipping to change at page 23, line 20 skipping to change at page 23, line 20
Requests which are initiated by the Service Worker itself (via a Requests which are initiated by the Service Worker itself (via a
direct call to "fetch()", for instance), on the other hand, will have direct call to "fetch()", for instance), on the other hand, will have
a client which is a ServiceWorkerGlobalScope. Its "site for cookies" a client which is a ServiceWorkerGlobalScope. Its "site for cookies"
will be the Service Worker's URI's origin. will be the Service Worker's URI's origin.
Given a ServiceWorkerGlobalScope ("worker"), the following algorithm Given a ServiceWorkerGlobalScope ("worker"), the following algorithm
returns its "site for cookies": returns its "site for cookies":
1. Return "worker"'s origin. 1. Return "worker"'s origin.
5.3. The Set-Cookie Header 5.3. Ignoring Set-Cookie Header Fields
User agents MAY ignore Set-Cookie header fields contained in
responses with 100-level status codes or based on its cookie policy
(see Section 7.2).
All other Set-Cookie header fields SHOULD be processed according to
Section 5.4. That is, Set-Cookie header fields contained in
responses with non-100-level status codes (including those in
responses with 400- and 500-level status codes) SHOULD be processed
unless ignored according to the user agent's cookie policy.
5.4. The Set-Cookie Header Field
When a user agent receives a Set-Cookie header field in an HTTP When a user agent receives a Set-Cookie header field in an HTTP
response, the user agent MAY ignore the Set-Cookie header field in response, the user agent MAY ignore the Set-Cookie header field in
its entirety. For example, the user agent might wish to block its entirety (see Section 5.3).
responses to "third-party" requests from setting cookies (see
Section 7.1).
If the user agent does not ignore the Set-Cookie header field in its If the user agent does not ignore the Set-Cookie header field in its
entirety, the user agent MUST parse the field-value of the Set-Cookie entirety, the user agent MUST parse the field-value of the Set-Cookie
header field as a set-cookie-string (defined below). header field as a set-cookie-string (defined below).
NOTE: The algorithm below is more permissive than the grammar in NOTE: The algorithm below is more permissive than the grammar in
Section 4.1. For example, the algorithm strips leading and trailing Section 4.1. For example, the algorithm strips leading and trailing
whitespace from the cookie name and value (but maintains internal whitespace from the cookie name and value (but maintains internal
whitespace), whereas the grammar in Section 4.1 forbids whitespace in whitespace), whereas the grammar in Section 4.1 forbids whitespace in
these positions. User agents use this algorithm so as to these positions. In addition, the algorithm below accommodates some
interoperate with servers that do not follow the recommendations in characters that are not cookie-octets according to the grammar in
Section 4. Section 4.1. User agents use this algorithm so as to interoperate
with servers that do not follow the recommendations in Section 4.
NOTE: As set-cookie-string may originate from a non-HTTP API, it is
not guaranteed to be free of CTL characters, so this algorithm
handles them explicitly.
A user agent MUST use an algorithm equivalent to the following A user agent MUST use an algorithm equivalent to the following
algorithm to parse a set-cookie-string: algorithm to parse a set-cookie-string:
1. If the set-cookie-string contains a %x3B (";") character: 1. If the set-cookie-string contains a %x0D (CR), %x0A (LF), or %x00
(NUL) octet, then set the set-cookie-string equal to all the
characters of set-cookie-string up to, but not including, the
first such octet.
2. If the set-cookie-string contains a %x00-1F / %x7F (CTL)
character: Abort these steps and ignore the set-cookie-string
entirely.
3. If the set-cookie-string contains a %x3B (";") character:
1. The name-value-pair string consists of the characters up to, 1. The name-value-pair string consists of the characters up to,
but not including, the first %x3B (";"), and the unparsed- but not including, the first %x3B (";"), and the unparsed-
attributes consist of the remainder of the set-cookie-string attributes consist of the remainder of the set-cookie-string
(including the %x3B (";") in question). (including the %x3B (";") in question).
Otherwise: Otherwise:
1. The name-value-pair string consists of all the characters 1. The name-value-pair string consists of all the characters
contained in the set-cookie-string, and the unparsed- contained in the set-cookie-string, and the unparsed-
attributes is the empty string. attributes is the empty string.
2. If the name-value-pair string lacks a %x3D ("=") character, then 4. If the name-value-pair string lacks a %x3D ("=") character, then
the name string is empty, and the value string is the value of the name string is empty, and the value string is the value of
name-value-pair. name-value-pair.
Otherwise, the name string consists of the characters up to, but Otherwise, the name string consists of the characters up to, but
not including, the first %x3D ("=") character, and the (possibly not including, the first %x3D ("=") character, and the (possibly
empty) value string consists of the characters after the first empty) value string consists of the characters after the first
%x3D ("=") character. %x3D ("=") character.
3. Remove any leading or trailing WSP characters from the name 5. Remove any leading or trailing WSP characters from the name
string and the value string. string and the value string.
4. The cookie-name is the name string, and the cookie-value is the 6. The cookie-name is the name string, and the cookie-value is the
value string. value string.
The user agent MUST use an algorithm equivalent to the following The user agent MUST use an algorithm equivalent to the following
algorithm to parse the unparsed-attributes: algorithm to parse the unparsed-attributes:
1. If the unparsed-attributes string is empty, skip the rest of 1. If the unparsed-attributes string is empty, skip the rest of
these steps. these steps.
2. Discard the first character of the unparsed-attributes (which 2. Discard the first character of the unparsed-attributes (which
will be a %x3B (";") character). will be a %x3B (";") character).
skipping to change at page 25, line 22 skipping to change at page 25, line 48
6. Process the attribute-name and attribute-value according to the 6. Process the attribute-name and attribute-value according to the
requirements in the following subsections. (Notice that requirements in the following subsections. (Notice that
attributes with unrecognized attribute-names are ignored.) attributes with unrecognized attribute-names are ignored.)
7. Return to Step 1 of this algorithm. 7. Return to Step 1 of this algorithm.
When the user agent finishes parsing the set-cookie-string, the user When the user agent finishes parsing the set-cookie-string, the user
agent is said to "receive a cookie" from the request-uri with name agent is said to "receive a cookie" from the request-uri with name
cookie-name, value cookie-value, and attributes cookie-attribute- cookie-name, value cookie-value, and attributes cookie-attribute-
list. (See Section 5.4 for additional requirements triggered by list. (See Section 5.5 for additional requirements triggered by
receiving a cookie.) receiving a cookie.)
5.3.1. The Expires Attribute 5.4.1. The Expires Attribute
If the attribute-name case-insensitively matches the string If the attribute-name case-insensitively matches the string
"Expires", the user agent MUST process the cookie-av as follows. "Expires", the user agent MUST process the cookie-av as follows.
1. Let the expiry-time be the result of parsing the attribute-value 1. Let the expiry-time be the result of parsing the attribute-value
as cookie-date (see Section 5.1.1). as cookie-date (see Section 5.1.1).
2. If the attribute-value failed to parse as a cookie date, ignore 2. If the attribute-value failed to parse as a cookie date, ignore
the cookie-av. the cookie-av.
skipping to change at page 25, line 47 skipping to change at page 26, line 27
represent, the user agent MAY replace the expiry-time with the represent, the user agent MAY replace the expiry-time with the
last representable date. last representable date.
4. If the expiry-time is earlier than the earliest date the user 4. If the expiry-time is earlier than the earliest date the user
agent can represent, the user agent MAY replace the expiry-time agent can represent, the user agent MAY replace the expiry-time
with the earliest representable date. with the earliest representable date.
5. Append an attribute to the cookie-attribute-list with an 5. Append an attribute to the cookie-attribute-list with an
attribute-name of Expires and an attribute-value of expiry-time. attribute-name of Expires and an attribute-value of expiry-time.
5.3.2. The Max-Age Attribute 5.4.2. The Max-Age Attribute
If the attribute-name case-insensitively matches the string "Max- If the attribute-name case-insensitively matches the string "Max-
Age", the user agent MUST process the cookie-av as follows. Age", the user agent MUST process the cookie-av as follows.
1. If the first character of the attribute-value is not a DIGIT or a 1. If the first character of the attribute-value is not a DIGIT or a
"-" character, ignore the cookie-av. "-" character, ignore the cookie-av.
2. If the remainder of attribute-value contains a non-DIGIT 2. If the remainder of attribute-value contains a non-DIGIT
character, ignore the cookie-av. character, ignore the cookie-av.
3. Let delta-seconds be the attribute-value converted to an integer. 3. Let delta-seconds be the attribute-value converted to an integer.
4. If delta-seconds is less than or equal to zero (0), let expiry- 4. If delta-seconds is less than or equal to zero (0), let expiry-
time be the earliest representable date and time. Otherwise, let time be the earliest representable date and time. Otherwise, let
the expiry-time be the current date and time plus delta-seconds the expiry-time be the current date and time plus delta-seconds
seconds. seconds.
5. Append an attribute to the cookie-attribute-list with an 5. Append an attribute to the cookie-attribute-list with an
attribute-name of Max-Age and an attribute-value of expiry-time. attribute-name of Max-Age and an attribute-value of expiry-time.
5.3.3. The Domain Attribute 5.4.3. The Domain Attribute
If the attribute-name case-insensitively matches the string "Domain", If the attribute-name case-insensitively matches the string "Domain",
the user agent MUST process the cookie-av as follows. the user agent MUST process the cookie-av as follows.
1. If the attribute-value is empty, the behavior is undefined. 1. If the attribute-value is empty, the behavior is undefined.
However, the user agent SHOULD ignore the cookie-av entirely. However, the user agent SHOULD ignore the cookie-av entirely.
2. If the first character of the attribute-value string is %x2E 2. If the first character of the attribute-value string is %x2E
("."): ("."):
skipping to change at page 26, line 44 skipping to change at page 27, line 23
Otherwise: Otherwise:
1. Let cookie-domain be the entire attribute-value. 1. Let cookie-domain be the entire attribute-value.
3. Convert the cookie-domain to lower case. 3. Convert the cookie-domain to lower case.
4. Append an attribute to the cookie-attribute-list with an 4. Append an attribute to the cookie-attribute-list with an
attribute-name of Domain and an attribute-value of cookie-domain. attribute-name of Domain and an attribute-value of cookie-domain.
5.3.4. The Path Attribute 5.4.4. The Path Attribute
If the attribute-name case-insensitively matches the string "Path", If the attribute-name case-insensitively matches the string "Path",
the user agent MUST process the cookie-av as follows. the user agent MUST process the cookie-av as follows.
1. If the attribute-value is empty or if the first character of the 1. If the attribute-value is empty or if the first character of the
attribute-value is not %x2F ("/"): attribute-value is not %x2F ("/"):
1. Let cookie-path be the default-path. 1. Let cookie-path be the default-path.
Otherwise: Otherwise:
1. Let cookie-path be the attribute-value. 1. Let cookie-path be the attribute-value.
2. Append an attribute to the cookie-attribute-list with an 2. Append an attribute to the cookie-attribute-list with an
attribute-name of Path and an attribute-value of cookie-path. attribute-name of Path and an attribute-value of cookie-path.
5.3.5. The Secure Attribute 5.4.5. The Secure Attribute
If the attribute-name case-insensitively matches the string "Secure", If the attribute-name case-insensitively matches the string "Secure",
the user agent MUST append an attribute to the cookie-attribute-list the user agent MUST append an attribute to the cookie-attribute-list
with an attribute-name of Secure and an empty attribute-value. with an attribute-name of Secure and an empty attribute-value.
5.3.6. The HttpOnly Attribute 5.4.6. The HttpOnly Attribute
If the attribute-name case-insensitively matches the string If the attribute-name case-insensitively matches the string
"HttpOnly", the user agent MUST append an attribute to the cookie- "HttpOnly", the user agent MUST append an attribute to the cookie-
attribute-list with an attribute-name of HttpOnly and an empty attribute-list with an attribute-name of HttpOnly and an empty
attribute-value. attribute-value.
5.3.7. The SameSite Attribute 5.4.7. The SameSite Attribute
If the attribute-name case-insensitively matches the string If the attribute-name case-insensitively matches the string
"SameSite", the user agent MUST process the cookie-av as follows: "SameSite", the user agent MUST process the cookie-av as follows:
1. Let "enforcement" be "Default". 1. Let "enforcement" be "Default".
2. If cookie-av's attribute-value is a case-insensitive match for 2. If cookie-av's attribute-value is a case-insensitive match for
"None", set "enforcement" to "None". "None", set "enforcement" to "None".
3. If cookie-av's attribute-value is a case-insensitive match for 3. If cookie-av's attribute-value is a case-insensitive match for
"Strict", set "enforcement" to "Strict". "Strict", set "enforcement" to "Strict".
4. If cookie-av's attribute-value is a case-insensitive match for 4. If cookie-av's attribute-value is a case-insensitive match for
"Lax", set "enforcement" to "Lax". "Lax", set "enforcement" to "Lax".
5. Append an attribute to the cookie-attribute-list with an 5. Append an attribute to the cookie-attribute-list with an
attribute-name of "SameSite" and an attribute-value of attribute-name of "SameSite" and an attribute-value of
"enforcement". "enforcement".
Note: This algorithm maps the "None" value, as well as any unknown 5.4.7.1. "Strict" and "Lax" enforcement
value, to the "None" behavior, which is helpful for backwards
compatibility when introducing new variants.
5.3.7.1. "Strict" and "Lax" enforcement
Same-site cookies in "Strict" enforcement mode will not be sent along Same-site cookies in "Strict" enforcement mode will not be sent along
with top-level navigations which are triggered from a cross-site with top-level navigations which are triggered from a cross-site
document context. As discussed in Section 8.8.2, this might or might document context. As discussed in Section 8.8.2, this might or might
not be compatible with existing session management systems. In the not be compatible with existing session management systems. In the
interests of providing a drop-in mechanism that mitigates the risk of interests of providing a drop-in mechanism that mitigates the risk of
CSRF attacks, developers may set the "SameSite" attribute in a "Lax" CSRF attacks, developers may set the "SameSite" attribute in a "Lax"
enforcement mode that carves out an exception which sends same-site enforcement mode that carves out an exception which sends same-site
cookies along with cross-site requests if and only if they are top- cookies along with cross-site requests if and only if they are top-
level navigations which use a "safe" (in the [RFC7231] sense) HTTP level navigations which use a "safe" (in the [HTTPSEM] sense) HTTP
method. (Note that a request's method may be changed from POST to method. (Note that a request's method may be changed from POST to
GET for some redirects (see sections 6.4.2 and 6.4.3 of [RFC7231]); GET for some redirects (see Sections 15.4.2 and 15.4.3 of [HTTPSEM]);
in these cases, a request's "safe"ness is determined based on the in these cases, a request's "safe"ness is determined based on the
method of the current redirect hop.) method of the current redirect hop.)
Lax enforcement provides reasonable defense in depth against CSRF Lax enforcement provides reasonable defense in depth against CSRF
attacks that rely on unsafe HTTP methods (like "POST"), but does not attacks that rely on unsafe HTTP methods (like "POST"), but does not
offer a robust defense against CSRF as a general category of attack: offer a robust defense against CSRF as a general category of attack:
1. Attackers can still pop up new windows or trigger top-level 1. Attackers can still pop up new windows or trigger top-level
navigations in order to create a "same-site" request (as navigations in order to create a "same-site" request (as
described in Section 5.2.1), which is only a speedbump along the described in Section 5.2.1), which is only a speedbump along the
road to exploitation. road to exploitation.
2. Features like "<link rel='prerender'>" [prerendering] can be 2. Features like "<link rel='prerender'>" [prerendering] can be
exploited to create "same-site" requests without the risk of user exploited to create "same-site" requests without the risk of user
detection. detection.
When possible, developers should use a session management mechanism When possible, developers should use a session management mechanism
such as that described in Section 8.8.2 to mitigate the risk of CSRF such as that described in Section 8.8.2 to mitigate the risk of CSRF
more completely. more completely.
5.4. Storage Model 5.4.7.2. "Lax-Allowing-Unsafe" enforcement
As discussed in Section 8.8.6, compatibility concerns may necessitate
the use of a "Lax-allowing-unsafe" enforcement mode that allows
cookies to be sent with a cross-site HTTP request if and only if it
is a top-level request, regardless of request method. That is, the
"Lax-allowing-unsafe" enforcement mode waives the requirement for the
HTTP request's method to be "safe" in the "SameSite" enforcement step
of the retrieval algorithm in Section 5.6.3. (All cookies,
regardless of "SameSite" enforcement mode, may be set for top-level
navigations, regardless of HTTP request method, as specified in
Section 5.5.)
"Lax-allowing-unsafe" is not a distinct value of the "SameSite"
attribute. Rather, user agents MAY apply "Lax-allowing-unsafe"
enforcement only to cookies that did not explicitly specify a
"SameSite" attribute (i.e., those whose same-site-flag was set to
"Default" by default). To limit the scope of this compatibility
mode, user agents which apply "Lax-allowing-unsafe" enforcement
SHOULD restrict the enforcement to cookies which were created
recently. Deployment experience has shown a cookie age of 2 minutes
or less to be a reasonable limit.
If the user agent uses "Lax-allowing-unsafe" enforcement, it MUST
apply the following modification to the retrieval algorithm defined
in Section 5.6.3:
Replace the condition in the penultimate bullet point of step 1 of
the retrieval algorithm reading
* The HTTP request associated with the retrieval uses a "safe" method.
with
* At least one of the following is true:
1. The HTTP request associated with the retrieval uses a "safe" method.
2. The cookie's same-site-flag is "Default" and the amount of time
elapsed since the cookie's creation-time is at most a duration of the
user agent's choosing.
5.5. Storage Model
The user agent stores the following fields about each cookie: name, The user agent stores the following fields about each cookie: name,
value, expiry-time, domain, path, creation-time, last-access-time, value, expiry-time, domain, path, creation-time, last-access-time,
persistent-flag, host-only-flag, secure-only-flag, http-only-flag, persistent-flag, host-only-flag, secure-only-flag, http-only-flag,
and same-site-flag. and same-site-flag.
When the user agent "receives a cookie" from a request-uri with name When the user agent "receives a cookie" from a request-uri with name
cookie-name, value cookie-value, and attributes cookie-attribute- cookie-name, value cookie-value, and attributes cookie-attribute-
list, the user agent MUST process the cookie as follows: list, the user agent MUST process the cookie as follows:
1. A user agent MAY ignore a received cookie in its entirety. For 1. A user agent MAY ignore a received cookie in its entirety. See
example, the user agent might wish to block receiving cookies Section 5.3.
from "third-party" responses or the user agent might not wish to
store cookies that exceed some size.
2. If cookie-name is empty and cookie-value is empty, abort these 2. If cookie-name is empty and cookie-value is empty, abort these
steps and ignore the cookie entirely. steps and ignore the cookie entirely.
3. Create a new cookie with name cookie-name, value cookie-value. 3. If the cookie-name or the cookie-value contains a %x00-1F / %x7F
(CTL) character, abort these steps and ignore the cookie
entirely.
4. Create a new cookie with name cookie-name, value cookie-value.
Set the creation-time and the last-access-time to the current Set the creation-time and the last-access-time to the current
date and time. date and time.
4. If the cookie-attribute-list contains an attribute with an 5. If the cookie-attribute-list contains an attribute with an
attribute-name of "Max-Age": attribute-name of "Max-Age":
1. Set the cookie's persistent-flag to true. 1. Set the cookie's persistent-flag to true.
2. Set the cookie's expiry-time to attribute-value of the last 2. Set the cookie's expiry-time to attribute-value of the last
attribute in the cookie-attribute-list with an attribute- attribute in the cookie-attribute-list with an attribute-
name of "Max-Age". name of "Max-Age".
Otherwise, if the cookie-attribute-list contains an attribute Otherwise, if the cookie-attribute-list contains an attribute
with an attribute-name of "Expires" (and does not contain an with an attribute-name of "Expires" (and does not contain an
skipping to change at page 29, line 38 skipping to change at page 31, line 8
attribute in the cookie-attribute-list with an attribute- attribute in the cookie-attribute-list with an attribute-
name of "Expires". name of "Expires".
Otherwise: Otherwise:
1. Set the cookie's persistent-flag to false. 1. Set the cookie's persistent-flag to false.
2. Set the cookie's expiry-time to the latest representable 2. Set the cookie's expiry-time to the latest representable
date. date.
5. If the cookie-attribute-list contains an attribute with an 6. If the cookie-attribute-list contains an attribute with an
attribute-name of "Domain": attribute-name of "Domain":
1. Let the domain-attribute be the attribute-value of the last 1. Let the domain-attribute be the attribute-value of the last
attribute in the cookie-attribute-list with an attribute- attribute in the cookie-attribute-list with an attribute-
name of "Domain". name of "Domain".
Otherwise: Otherwise:
1. Let the domain-attribute be the empty string. 1. Let the domain-attribute be the empty string.
6. If the user agent is configured to reject "public suffixes" and 7. If the user agent is configured to reject "public suffixes" and
the domain-attribute is a public suffix: the domain-attribute is a public suffix:
1. If the domain-attribute is identical to the canonicalized 1. If the domain-attribute is identical to the canonicalized
request-host: request-host:
1. Let the domain-attribute be the empty string. 1. Let the domain-attribute be the empty string.
Otherwise: Otherwise:
1. Ignore the cookie entirely and abort these steps. 1. Ignore the cookie entirely and abort these steps.
NOTE: This step prevents "attacker.example" from disrupting the NOTE: This step prevents "attacker.example" from disrupting the
integrity of "site.example" by setting a cookie with a Domain integrity of "site.example" by setting a cookie with a Domain
attribute of "example". attribute of "example".
7. If the domain-attribute is non-empty: 8. If the domain-attribute is non-empty:
1. If the canonicalized request-host does not domain-match the 1. If the canonicalized request-host does not domain-match the
domain-attribute: domain-attribute:
1. Ignore the cookie entirely and abort these steps. 1. Ignore the cookie entirely and abort these steps.
Otherwise: Otherwise:
1. Set the cookie's host-only-flag to false. 1. Set the cookie's host-only-flag to false.
2. Set the cookie's domain to the domain-attribute. 2. Set the cookie's domain to the domain-attribute.
Otherwise: Otherwise:
1. Set the cookie's host-only-flag to true. 1. Set the cookie's host-only-flag to true.
2. Set the cookie's domain to the canonicalized request-host. 2. Set the cookie's domain to the canonicalized request-host.
8. If the cookie-attribute-list contains an attribute with an 9. If the cookie-attribute-list contains an attribute with an
attribute-name of "Path", set the cookie's path to attribute- attribute-name of "Path", set the cookie's path to attribute-
value of the last attribute in the cookie-attribute-list with an value of the last attribute in the cookie-attribute-list with an
attribute-name of "Path". Otherwise, set the cookie's path to attribute-name of "Path". Otherwise, set the cookie's path to
the default-path of the request-uri. the default-path of the request-uri.
9. If the cookie-attribute-list contains an attribute with an 10. If the cookie-attribute-list contains an attribute with an
attribute-name of "Secure", set the cookie's secure-only-flag to attribute-name of "Secure", set the cookie's secure-only-flag to
true. Otherwise, set the cookie's secure-only-flag to false. true. Otherwise, set the cookie's secure-only-flag to false.
10. If the scheme component of the request-uri does not denote a 11. If the scheme component of the request-uri does not denote a
"secure" protocol (as defined by the user agent), and the "secure" protocol (as defined by the user agent), and the
cookie's secure-only-flag is true, then abort these steps and cookie's secure-only-flag is true, then abort these steps and
ignore the cookie entirely. ignore the cookie entirely.
11. If the cookie-attribute-list contains an attribute with an 12. If the cookie-attribute-list contains an attribute with an
attribute-name of "HttpOnly", set the cookie's http-only-flag to attribute-name of "HttpOnly", set the cookie's http-only-flag to
true. Otherwise, set the cookie's http-only-flag to false. true. Otherwise, set the cookie's http-only-flag to false.
12. If the cookie was received from a "non-HTTP" API and the 13. If the cookie was received from a "non-HTTP" API and the
cookie's http-only-flag is true, abort these steps and ignore cookie's http-only-flag is true, abort these steps and ignore
the cookie entirely. the cookie entirely.
13. If the cookie's secure-only-flag is false, and the scheme 14. If the cookie's secure-only-flag is false, and the scheme
component of request-uri does not denote a "secure" protocol, component of request-uri does not denote a "secure" protocol,
then abort these steps and ignore the cookie entirely if the then abort these steps and ignore the cookie entirely if the
cookie store contains one or more cookies that meet all of the cookie store contains one or more cookies that meet all of the
following criteria: following criteria:
1. Their name matches the name of the newly-created cookie. 1. Their name matches the name of the newly-created cookie.
2. Their secure-only-flag is true. 2. Their secure-only-flag is true.
3. Their domain domain-matches the domain of the newly-created 3. Their domain domain-matches the domain of the newly-created
skipping to change at page 31, line 37 skipping to change at page 33, line 5
of the existing cookie. of the existing cookie.
Note: The path comparison is not symmetric, ensuring only that a Note: The path comparison is not symmetric, ensuring only that a
newly-created, non-secure cookie does not overlay an existing newly-created, non-secure cookie does not overlay an existing
secure cookie, providing some mitigation against cookie-fixing secure cookie, providing some mitigation against cookie-fixing
attacks. That is, given an existing secure cookie named 'a' attacks. That is, given an existing secure cookie named 'a'
with a path of '/login', a non-secure cookie named 'a' could be with a path of '/login', a non-secure cookie named 'a' could be
set for a path of '/' or '/foo', but not for a path of '/login' set for a path of '/' or '/foo', but not for a path of '/login'
or '/login/en'. or '/login/en'.
14. If the cookie-attribute-list contains an attribute with an 15. If the cookie-attribute-list contains an attribute with an
attribute-name of "SameSite", and an attribute-value of attribute-name of "SameSite", and an attribute-value of
"Strict", "Lax", or "None", set the cookie's same-site-flag to "Strict", "Lax", or "None", set the cookie's same-site-flag to
the attribute-value of the last attribute in the cookie- the attribute-value of the last attribute in the cookie-
attribute-list with an attribute-name of "SameSite". Otherwise, attribute-list with an attribute-name of "SameSite". Otherwise,
set the cookie's same-site-flag to "Default". set the cookie's same-site-flag to "Default".
15. If the cookie's "same-site-flag" is not "None": 16. If the cookie's "same-site-flag" is not "None":
1. If the cookie was received from a "non-HTTP" API, and the 1. If the cookie was received from a "non-HTTP" API, and the
API was called from a browsing context's active document API was called from a browsing context's active document
whose "site for cookies" is not same-site with the top-level whose "site for cookies" is not same-site with the top-level
origin, then abort these steps and ignore the newly created origin, then abort these steps and ignore the newly created
cookie entirely. cookie entirely.
2. If the cookie was received from a "same-site" request (as 2. If the cookie was received from a "same-site" request (as
defined in Section 5.2), skip the remaining substeps and defined in Section 5.2), skip the remaining substeps and
continue processing the cookie. continue processing the cookie.
skipping to change at page 32, line 24 skipping to change at page 33, line 39
processing the cookie. processing the cookie.
Note: Top-level navigations can create a cookie with any Note: Top-level navigations can create a cookie with any
"SameSite" value, even if the new cookie wouldn't have been "SameSite" value, even if the new cookie wouldn't have been
sent along with the request had it already existed prior to sent along with the request had it already existed prior to
the navigation. the navigation.
4. Abort these steps and ignore the newly created cookie 4. Abort these steps and ignore the newly created cookie
entirely. entirely.
16. If the cookie's "same-site-flag" is "None", abort these steps 17. If the cookie's "same-site-flag" is "None", abort these steps
and ignore the cookie entirely unless the cookie's secure-only- and ignore the cookie entirely unless the cookie's secure-only-
flag is true. flag is true.
17. If the cookie-name begins with a case-sensitive match for the 18. If the cookie-name begins with a case-sensitive match for the
string "__Secure-", abort these steps and ignore the cookie string "__Secure-", abort these steps and ignore the cookie
entirely unless the cookie's secure-only-flag is true. entirely unless the cookie's secure-only-flag is true.
18. If the cookie-name begins with a case-sensitive match for the 19. If the cookie-name begins with a case-sensitive match for the
string "__Host-", abort these steps and ignore the cookie string "__Host-", abort these steps and ignore the cookie
entirely unless the cookie meets all the following criteria: entirely unless the cookie meets all the following criteria:
1. The cookie's secure-only-flag is true. 1. The cookie's secure-only-flag is true.
2. The cookie's host-only-flag is true. 2. The cookie's host-only-flag is true.
3. The cookie-attribute-list contains an attribute with an 3. The cookie-attribute-list contains an attribute with an
attribute-name of "Path", and the cookie's path is "/". attribute-name of "Path", and the cookie's path is "/".
19. If the cookie store contains a cookie with the same name, 20. If the cookie store contains a cookie with the same name,
domain, host-only-flag, and path as the newly-created cookie: domain, host-only-flag, and path as the newly-created cookie:
1. Let old-cookie be the existing cookie with the same name, 1. Let old-cookie be the existing cookie with the same name,
domain, host-only-flag, and path as the newly-created domain, host-only-flag, and path as the newly-created
cookie. (Notice that this algorithm maintains the invariant cookie. (Notice that this algorithm maintains the invariant
that there is at most one such cookie.) that there is at most one such cookie.)
2. If the newly-created cookie was received from a "non-HTTP" 2. If the newly-created cookie was received from a "non-HTTP"
API and the old-cookie's http-only-flag is true, abort these API and the old-cookie's http-only-flag is true, abort these
steps and ignore the newly created cookie entirely. steps and ignore the newly created cookie entirely.
3. Update the creation-time of the newly-created cookie to 3. Update the creation-time of the newly-created cookie to
match the creation-time of the old-cookie. match the creation-time of the old-cookie.
4. Remove the old-cookie from the cookie store. 4. Remove the old-cookie from the cookie store.
20. Insert the newly-created cookie into the cookie store. 21. Insert the newly-created cookie into the cookie store.
A cookie is "expired" if the cookie has an expiry date in the past. A cookie is "expired" if the cookie has an expiry date in the past.
The user agent MUST evict all expired cookies from the cookie store The user agent MUST evict all expired cookies from the cookie store
if, at any time, an expired cookie exists in the cookie store. if, at any time, an expired cookie exists in the cookie store.
At any time, the user agent MAY "remove excess cookies" from the At any time, the user agent MAY "remove excess cookies" from the
cookie store if the number of cookies sharing a domain field exceeds cookie store if the number of cookies sharing a domain field exceeds
some implementation-defined upper bound (such as 50 cookies). some implementation-defined upper bound (such as 50 cookies).
skipping to change at page 33, line 49 skipping to change at page 35, line 14
4. All cookies. 4. All cookies.
If two cookies have the same removal priority, the user agent MUST If two cookies have the same removal priority, the user agent MUST
evict the cookie with the earliest last-access-time first. evict the cookie with the earliest last-access-time first.
When "the current session is over" (as defined by the user agent), When "the current session is over" (as defined by the user agent),
the user agent MUST remove from the cookie store all cookies with the the user agent MUST remove from the cookie store all cookies with the
persistent-flag set to false. persistent-flag set to false.
5.5. The Cookie Header 5.6. Retrieval Model
This section defines how cookies are retrieved from a cookie store in
the form of a cookie-string. A "retrieval" is any event which
requires generating a cookie-string. For example, a retrieval may
occur in order to build a Cookie header field for an HTTP request, or
may be required in order to return a cookie-string from a call to a
"non-HTTP" API that provides access to cookies. A retrieval has an
associated URI, same-site status, and type, which are defined below
depending on the type of retrieval.
5.6.1. The Cookie Header Field
The user agent includes stored cookies in the Cookie HTTP request The user agent includes stored cookies in the Cookie HTTP request
header. header field.
When the user agent generates an HTTP request, the user agent MUST When the user agent generates an HTTP request, the user agent MUST
NOT attach more than one Cookie header field. NOT attach more than one Cookie header field.
A user agent MAY omit the Cookie header in its entirety. For A user agent MAY omit the Cookie header field in its entirety. For
example, the user agent might wish to block sending cookies during example, the user agent might wish to block sending cookies during
"third-party" requests from setting cookies (see Section 7.1). "third-party" requests from setting cookies (see Section 7.1).
If the user agent does attach a Cookie header field to an HTTP If the user agent does attach a Cookie header field to an HTTP
request, the user agent MUST send the cookie-string (defined below) request, the user agent MUST compute the cookie-string following the
as the value of the header field. algorithm defined in Section 5.6.3, where the retrieval's URI is the
request-uri, the retrieval's same-site status is computed for the
HTTP request as defined in Section 5.2, and the retrieval's type is
"HTTP".
The user agent MUST use an algorithm equivalent to the following 5.6.2. Non-HTTP APIs
algorithm to compute the cookie-string from a cookie store and a
request-uri: The user agent MAY implement "non-HTTP" APIs that can be used to
access stored cookies.
A user agent MAY return an empty cookie-string in certain contexts,
such as when a retrieval occurs within a third-party context (see
Section 7.1).
If a user agent does return cookies for a given call to a "non-HTTP"
API with an associated Document, then the user agent MUST compute the
cookie-string following the algorithm defined in Section 5.6.3, where
the retrieval's URI is defined by the caller (see
[DOM-DOCUMENT-COOKIE]), the retrieval's same-site status is "same-
site" if the Document's "site for cookies" is same-site with the top-
level origin as defined in Section 5.2.1 (otherwise it is "cross-
site"), and the retrieval's type is "non-HTTP".
5.6.3. Retrieval Algorithm
Given a cookie store and a retrieval, the following algorithm returns
a cookie-string from a given cookie store.
1. Let cookie-list be the set of cookies from the cookie store that 1. Let cookie-list be the set of cookies from the cookie store that
meets all of the following requirements: meets all of the following requirements:
* Either: * Either:
- The cookie's host-only-flag is true and the canonicalized - The cookie's host-only-flag is true and the canonicalized
request-host is identical to the cookie's domain. host of the retrieval's URI is identical to the cookie's
domain.
Or: Or:
- The cookie's host-only-flag is false and the canonicalized - The cookie's host-only-flag is false and the canonicalized
request-host domain-matches the cookie's domain. host of the retrieval's URI domain-matches the cookie's
domain.
* The request-uri's path path-matches the cookie's path. * The retrieval's URI's path path-matches the cookie's path.
* If the cookie's secure-only-flag is true, then the request- * If the cookie's secure-only-flag is true, then the retrieval's
uri's scheme must denote a "secure" protocol (as defined by URI's scheme must denote a "secure" protocol (as defined by
the user agent). the user agent).
NOTE: The notion of a "secure" protocol is not defined by this NOTE: The notion of a "secure" protocol is not defined by this
document. Typically, user agents consider a protocol secure document. Typically, user agents consider a protocol secure
if the protocol makes use of transport-layer security, such as if the protocol makes use of transport-layer security, such as
SSL or TLS. For example, most user agents consider "https" to SSL or TLS. For example, most user agents consider "https" to
be a scheme that denotes a secure protocol. be a scheme that denotes a secure protocol.
* If the cookie's http-only-flag is true, then exclude the * If the cookie's http-only-flag is true, then exclude the
cookie if the cookie-string is being generated for a "non- cookie if the retrieval's type is "non-HTTP".
HTTP" API (as defined by the user agent).
* If the cookie's same-site-flag is not "None", and the HTTP * If the cookie's same-site-flag is not "None" and the
request is cross-site (as defined in Section 5.2) then exclude retrieval's same-site status is "cross-site", then exclude the
the cookie unless all of the following statements hold: cookie unless all of the following conditions are met:
1. The same-site-flag is "Lax" or "Default". - The retrieval's type is "HTTP".
2. The HTTP request's method is "safe". - The same-site-flag is "Lax" or "Default".
3. The HTTP request's target browsing context is a top-level - The HTTP request associated with the retrieval uses a
browsing context. "safe" method.
- The target browsing context of the HTTP request associated
with the retrieval is a top-level browsing context.
2. The user agent SHOULD sort the cookie-list in the following 2. The user agent SHOULD sort the cookie-list in the following
order: order:
* Cookies with longer paths are listed before cookies with * Cookies with longer paths are listed before cookies with
shorter paths. shorter paths.
* Among cookies that have equal-length path fields, cookies with * Among cookies that have equal-length path fields, cookies with
earlier creation-times are listed before cookies with later earlier creation-times are listed before cookies with later
creation-times. creation-times.
skipping to change at page 36, line 22 skipping to change at page 38, line 22
* At least 4096 bytes per cookie (as measured by the sum of the * At least 4096 bytes per cookie (as measured by the sum of the
length of the cookie's name, value, and attributes). length of the cookie's name, value, and attributes).
* At least 50 cookies per domain. * At least 50 cookies per domain.
* At least 3000 cookies total. * At least 3000 cookies total.
Servers SHOULD use as few and as small cookies as possible to avoid Servers SHOULD use as few and as small cookies as possible to avoid
reaching these implementation limits and to minimize network reaching these implementation limits and to minimize network
bandwidth due to the Cookie header being included in every request. bandwidth due to the Cookie header field being included in every
request.
Servers SHOULD gracefully degrade if the user agent fails to return Servers SHOULD gracefully degrade if the user agent fails to return
one or more cookies in the Cookie header because the user agent might one or more cookies in the Cookie header field because the user agent
evict any cookie at any time on orders from the user. might evict any cookie at any time on orders from the user.
6.2. Application Programming Interfaces 6.2. Application Programming Interfaces
One reason the Cookie and Set-Cookie headers use such esoteric syntax One reason the Cookie and Set-Cookie header fields use such esoteric
is that many platforms (both in servers and user agents) provide a syntax is that many platforms (both in servers and user agents)
string-based application programming interface (API) to cookies, provide a string-based application programming interface (API) to
requiring application-layer programmers to generate and parse the cookies, requiring application-layer programmers to generate and
syntax used by the Cookie and Set-Cookie headers, which many parse the syntax used by the Cookie and Set-Cookie header fields,
programmers have done incorrectly, resulting in interoperability which many programmers have done incorrectly, resulting in
problems. interoperability problems.
Instead of providing string-based APIs to cookies, platforms would be Instead of providing string-based APIs to cookies, platforms would be
well-served by providing more semantic APIs. It is beyond the scope well-served by providing more semantic APIs. It is beyond the scope
of this document to recommend specific API designs, but there are of this document to recommend specific API designs, but there are
clear benefits to accepting an abstract "Date" object instead of a clear benefits to accepting an abstract "Date" object instead of a
serialized date string. serialized date string.
6.3. IDNA Dependency and Migration 6.3. IDNA Dependency and Migration
IDNA2008 [RFC5890] supersedes IDNA2003 [RFC3490]. However, there are IDNA2008 [RFC5890] supersedes IDNA2003 [RFC3490]. However, there are
skipping to change at page 37, line 32 skipping to change at page 39, line 33
from other servers (such as advertising networks). These third-party from other servers (such as advertising networks). These third-party
servers can use cookies to track the user even if the user never servers can use cookies to track the user even if the user never
visits the server directly. For example, if a user visits a site visits the server directly. For example, if a user visits a site
that contains content from a third party and then later visits that contains content from a third party and then later visits
another site that contains content from the same third party, the another site that contains content from the same third party, the
third party can track the user between the two sites. third party can track the user between the two sites.
Given this risk to user privacy, some user agents restrict how third- Given this risk to user privacy, some user agents restrict how third-
party cookies behave, and those restrictions vary widly. For party cookies behave, and those restrictions vary widly. For
instance, user agents might block third-party cookies entirely by instance, user agents might block third-party cookies entirely by
refusing to send Cookie headers or process Set-Cookie headers during refusing to send Cookie header fields or process Set-Cookie header
third-party requests. They might take a less draconian approach by fields during third-party requests. They might take a less draconian
partitioning cookies based on the first-party context, sending one approach by partitioning cookies based on the first-party context,
set of cookies to a given third party in one first-party context, and sending one set of cookies to a given third party in one first-party
another to the same third party in another. context, and another to the same third party in another.
This document grants user agents wide latitude to experiment with This document grants user agents wide latitude to experiment with
third-party cookie policies that balance the privacy and third-party cookie policies that balance the privacy and
compatibility needs of their users. However, this document does not compatibility needs of their users. However, this document does not
endorse any particular third-party cookie policy. endorse any particular third-party cookie policy.
Third-party cookie blocking policies are often ineffective at Third-party cookie blocking policies are often ineffective at
achieving their privacy goals if servers attempt to work around their achieving their privacy goals if servers attempt to work around their
restrictions to track users. In particular, two collaborating restrictions to track users. In particular, two collaborating
servers can often track users without using cookies at all by servers can often track users without using cookies at all by
injecting identifying information into dynamic URLs. injecting identifying information into dynamic URLs.
7.2. User Controls 7.2. Cookie policy
User agents MAY enforce a cookie policy consisting of restrictions on
how cookies may be used or ignored (see Section 5.3).
A cookie policy may govern which domains or parties, as in first and
third parties (see Section 7.1), for which the user agent will allow
cookie access. The policy can also define limits on cookie size,
cookie expiry, and the number of cookies per domain or in total.
The goal of a restrictive cookie policy is often to improve security
or privacy. User agents often allow users to change the cookie
policy (see Section 7.3).
7.3. User Controls
User agents SHOULD provide users with a mechanism for managing the User agents SHOULD provide users with a mechanism for managing the
cookies stored in the cookie store. For example, a user agent might cookies stored in the cookie store. For example, a user agent might
let users delete all cookies received during a specified time period let users delete all cookies received during a specified time period
or all the cookies related to a particular domain. In addition, many or all the cookies related to a particular domain. In addition, many
user agents include a user interface element that lets users examine user agents include a user interface element that lets users examine
the cookies stored in their cookie store. the cookies stored in their cookie store.
User agents SHOULD provide users with a mechanism for disabling User agents SHOULD provide users with a mechanism for disabling
cookies. When cookies are disabled, the user agent MUST NOT include cookies. When cookies are disabled, the user agent MUST NOT include
a Cookie header in outbound HTTP requests and the user agent MUST NOT a Cookie header field in outbound HTTP requests and the user agent
process Set-Cookie headers in inbound HTTP responses. MUST NOT process Set-Cookie header fields in inbound HTTP responses.
Some user agents provide users the option of preventing persistent User agents MAY offer a way to change the cookie policy (see
Section 7.2).
User agents MAY provide users the option of preventing persistent
storage of cookies across sessions. When configured thusly, user storage of cookies across sessions. When configured thusly, user
agents MUST treat all received cookies as if the persistent-flag were agents MUST treat all received cookies as if the persistent-flag were
set to false. Some popular user agents expose this functionality via set to false. Some popular user agents expose this functionality via
"private browsing" mode [Aggarwal2010]. "private browsing" mode [Aggarwal2010].
Some user agents provide users with the ability to approve individual 7.4. Expiration Dates
writes to the cookie store. In many common usage scenarios, these
controls generate a large number of prompts. However, some privacy-
conscious users find these controls useful nonetheless.
7.3. Expiration Dates
Although servers can set the expiration date for cookies to the Although servers can set the expiration date for cookies to the
distant future, most user agents do not actually retain cookies for distant future, most user agents do not actually retain cookies for
multiple decades. Rather than choosing gratuitously long expiration multiple decades. Rather than choosing gratuitously long expiration
periods, servers SHOULD promote user privacy by selecting reasonable periods, servers SHOULD promote user privacy by selecting reasonable
cookie expiration periods based on the purpose of the cookie. For cookie expiration periods based on the purpose of the cookie. For
example, a typical session identifier might reasonably be set to example, a typical session identifier might reasonably be set to
expire in two weeks. expire in two weeks.
8. Security Considerations 8. Security Considerations
skipping to change at page 39, line 44 skipping to change at page 42, line 8
wish to consider entangling designation and authorization by treating wish to consider entangling designation and authorization by treating
URLs as capabilities. Instead of storing secrets in cookies, this URLs as capabilities. Instead of storing secrets in cookies, this
approach stores secrets in URLs, requiring the remote entity to approach stores secrets in URLs, requiring the remote entity to
supply the secret itself. Although this approach is not a panacea, supply the secret itself. Although this approach is not a panacea,
judicious application of these principles can lead to more robust judicious application of these principles can lead to more robust
security. security.
8.3. Clear Text 8.3. Clear Text
Unless sent over a secure channel (such as TLS), the information in Unless sent over a secure channel (such as TLS), the information in
the Cookie and Set-Cookie headers is transmitted in the clear. the Cookie and Set-Cookie header fields is transmitted in the clear.
1. All sensitive information conveyed in these headers is exposed to 1. All sensitive information conveyed in these header fields is
an eavesdropper. exposed to an eavesdropper.
2. A malicious intermediary could alter the headers as they travel 2. A malicious intermediary could alter the header fields as they
in either direction, with unpredictable results. travel in either direction, with unpredictable results.
3. A malicious client could alter the Cookie header before 3. A malicious client could alter the Cookie header fields before
transmission, with unpredictable results. transmission, with unpredictable results.
Servers SHOULD encrypt and sign the contents of cookies (using Servers SHOULD encrypt and sign the contents of cookies (using
whatever format the server desires) when transmitting them to the whatever format the server desires) when transmitting them to the
user agent (even when sending the cookies over a secure channel). user agent (even when sending the cookies over a secure channel).
However, encrypting and signing cookie contents does not prevent an However, encrypting and signing cookie contents does not prevent an
attacker from transplanting a cookie from one user agent to another attacker from transplanting a cookie from one user agent to another
or from replaying the cookie at a later time. or from replaying the cookie at a later time.
In addition to encrypting and signing the contents of every cookie, In addition to encrypting and signing the contents of every cookie,
servers that require a higher level of security SHOULD use the Cookie servers that require a higher level of security SHOULD use the Cookie
and Set-Cookie headers only over a secure channel. When using and Set-Cookie header fields only over a secure channel. When using
cookies over a secure channel, servers SHOULD set the Secure cookies over a secure channel, servers SHOULD set the Secure
attribute (see Section 4.1.2.5) for every cookie. If a server does attribute (see Section 4.1.2.5) for every cookie. If a server does
not set the Secure attribute, the protection provided by the secure not set the Secure attribute, the protection provided by the secure
channel will be largely moot. channel will be largely moot.
For example, consider a webmail server that stores a session For example, consider a webmail server that stores a session
identifier in a cookie and is typically accessed over HTTPS. If the identifier in a cookie and is typically accessed over HTTPS. If the
server does not set the Secure attribute on its cookies, an active server does not set the Secure attribute on its cookies, an active
network attacker can intercept any outbound HTTP request from the network attacker can intercept any outbound HTTP request from the
user agent and redirect that request to the webmail server over HTTP. user agent and redirect that request to the webmail server over HTTP.
skipping to change at page 42, line 8 skipping to change at page 44, line 18
their subdomains). For example, consider foo.site.example and their subdomains). For example, consider foo.site.example and
bar.site.example. The foo.site.example server can set a cookie with bar.site.example. The foo.site.example server can set a cookie with
a Domain attribute of "site.example" (possibly overwriting an a Domain attribute of "site.example" (possibly overwriting an
existing "site.example" cookie set by bar.site.example), and the user existing "site.example" cookie set by bar.site.example), and the user
agent will include that cookie in HTTP requests to bar.site.example. agent will include that cookie in HTTP requests to bar.site.example.
In the worst case, bar.site.example will be unable to distinguish In the worst case, bar.site.example will be unable to distinguish
this cookie from a cookie it set itself. The foo.site.example server this cookie from a cookie it set itself. The foo.site.example server
might be able to leverage this ability to mount an attack against might be able to leverage this ability to mount an attack against
bar.site.example. bar.site.example.
Even though the Set-Cookie header supports the Path attribute, the Even though the Set-Cookie header field supports the Path attribute,
Path attribute does not provide any integrity protection because the the Path attribute does not provide any integrity protection because
user agent will accept an arbitrary Path attribute in a Set-Cookie the user agent will accept an arbitrary Path attribute in a Set-
header. For example, an HTTP response to a request for Cookie header field. For example, an HTTP response to a request for
http://site.example/foo/bar can set a cookie with a Path attribute of http://site.example/foo/bar can set a cookie with a Path attribute of
"/qux". Consequently, servers SHOULD NOT both run mutually "/qux". Consequently, servers SHOULD NOT both run mutually
distrusting services on different paths of the same host and use distrusting services on different paths of the same host and use
cookies to store security-sensitive information. cookies to store security-sensitive information.
An active network attacker can also inject cookies into the Cookie An active network attacker can also inject cookies into the Cookie
header sent to https://site.example/ by impersonating a response from header field sent to https://site.example/ by impersonating a
http://site.example/ and injecting a Set-Cookie header. The HTTPS response from http://site.example/ and injecting a Set-Cookie header
server at site.example will be unable to distinguish these cookies field. The HTTPS server at site.example will be unable to
from cookies that it set itself in an HTTPS response. An active distinguish these cookies from cookies that it set itself in an HTTPS
network attacker might be able to leverage this ability to mount an response. An active network attacker might be able to leverage this
attack against site.example even if site.example uses HTTPS ability to mount an attack against site.example even if site.example
exclusively. uses HTTPS exclusively.
Servers can partially mitigate these attacks by encrypting and Servers can partially mitigate these attacks by encrypting and
signing the contents of their cookies. However, using cryptography signing the contents of their cookies. However, using cryptography
does not mitigate the issue completely because an attacker can replay does not mitigate the issue completely because an attacker can replay
a cookie he or she received from the authentic site.example server in a cookie he or she received from the authentic site.example server in
the user's session, with unpredictable results. the user's session, with unpredictable results.
Finally, an attacker might be able to force the user agent to delete Finally, an attacker might be able to force the user agent to delete
cookies by storing a large number of cookies. Once the user agent cookies by storing a large number of cookies. Once the user agent
reaches its storage limit, the user agent will be forced to evict reaches its storage limit, the user agent will be forced to evict
skipping to change at page 43, line 33 skipping to change at page 45, line 36
Setting the "SameSite" attribute in "strict" mode provides robust Setting the "SameSite" attribute in "strict" mode provides robust
defense in depth against CSRF attacks, but has the potential to defense in depth against CSRF attacks, but has the potential to
confuse users unless sites' developers carefully ensure that their confuse users unless sites' developers carefully ensure that their
cookie-based session management systems deal reasonably well with cookie-based session management systems deal reasonably well with
top-level navigations. top-level navigations.
Consider the scenario in which a user reads their email at MegaCorp Consider the scenario in which a user reads their email at MegaCorp
Inc's webmail provider "https://site.example/". They might expect Inc's webmail provider "https://site.example/". They might expect
that clicking on an emailed link to "https://projects.example/secret/ that clicking on an emailed link to "https://projects.example/secret/
project" would show them the secret project that they're authorized project" would show them the secret project that they're authorized
to see, but if "projects.example" has marked their session cookies as to see, but if "https://projects.example" has marked their session
"SameSite", then this cross-site navigation won't send them along cookies as "SameSite=Strict", then this cross-site navigation won't
with the request. "projects.example" will render a 404 error to avoid send them along with the request. "https://projects.example" will
leaking secret information, and the user will be quite confused. render a 404 error to avoid leaking secret information, and the user
will be quite confused.
Developers can avoid this confusion by adopting a session management Developers can avoid this confusion by adopting a session management
system that relies on not one, but two cookies: one conceptually system that relies on not one, but two cookies: one conceptually
granting "read" access, another granting "write" access. The latter granting "read" access, another granting "write" access. The latter
could be marked as "SameSite", and its absence would prompt a could be marked as "SameSite=Strict", and its absence would prompt a
reauthentication step before executing any non-idempotent action. reauthentication step before executing any non-idempotent action.
The former could drop the "SameSite" attribute entirely, or choose The former could be marked as "SameSite=Lax", in order to allow users
the "Lax" version of enforcement, in order to allow users access to access to data via top-level navigation, or "SameSite=None", to
data via top-level navigation. permit access in all contexts (including cross-site embedded
contexts).
8.8.3. Mashups and Widgets 8.8.3. Mashups and Widgets
The "SameSite" attribute is inappropriate for some important use- The "Lax" and "Strict" values for the "SameSite" attribute are
cases. In particular, note that content intended for embedding in a inappropriate for some important use-cases. In particular, note that
cross-site contexts (social networking widgets or commenting content intended for embedding in cross-site contexts (social
services, for instance) will not have access to same-site cookies. networking widgets or commenting services, for instance) will not
Cookies may be required for requests triggered in these cross-site have access to same-site cookies. Cookies which are required in
contexts in order to provide seamless functionality that relies on a these situations should be marked with "SameSite=None" to allow
user's state. access in cross-site contexts.
Likewise, some forms of Single-Sign-On might require cookie-based Likewise, some forms of Single-Sign-On might require cookie-based
authentication in a cross-site context; these mechanisms will not authentication in a cross-site context; these mechanisms will not
function as intended with same-site cookies. function as intended with same-site cookies and will also require
"SameSite=None".
8.8.4. Server-controlled 8.8.4. Server-controlled
SameSite cookies in and of themselves don't do anything to address SameSite cookies in and of themselves don't do anything to address
the general privacy concerns outlined in Section 7.1 of [RFC6265]. the general privacy concerns outlined in Section 7.1 of [RFC6265].
The "SameSite" attribute is set by the server, and serves to mitigate The "SameSite" attribute is set by the server, and serves to mitigate
the risk of certain kinds of attacks that the server is worried the risk of certain kinds of attacks that the server is worried
about. The user is not involved in this decision. Moreover, a about. The user is not involved in this decision. Moreover, a
number of side-channels exist which could allow a server to link number of side-channels exist which could allow a server to link
distinct requests even in the absence of cookies (for example, distinct requests even in the absence of cookies (for example,
connection and/or socket pooling between same-site and cross-site connection and/or socket pooling between same-site and cross-site
requests). requests).
9. IANA Considerations 8.8.5. Reload navigations
Requests issued for reloads triggered through user interface elements
(such as a refresh button on a toolbar) are same-site only if the
reloaded document was originally navigated to via a same-site
request. This differs from the handling of other reload navigations,
which are always same-site if top-level, since the source browsing
context's active document is precisely the document being reloaded.
This special handling of reloads triggered through a user interface
element avoids sending "SameSite" cookies on user-initiated reloads
if they were withheld on the original navigation (i.e., if the
initial navigation were cross-site). If the reload navigation were
instead considered same-site, and sent all the initially withheld
"SameSite" cookies, the security benefits of withholding the cookies
in the first place would be nullified. This is especially important
given that the absence of "SameSite" cookies withheld on a cross-site
navigation request may lead to visible site breakage, prompting the
user to trigger a reload.
For example, suppose the user clicks on a link from
"https://attacker.example/" to "https://victim.example/". This is a
cross-site request, so "SameSite=Strict" cookies are withheld.
Suppose this causes "https://victim.example/" to appear broken,
because the site only displays its sensitive content if a particular
"SameSite" cookie is present in the request. The user, frustrated by
the unexpectedly broken site, presses refresh on their browser's
toolbar. To now consider the reload request same-site and send the
initially withheld "SameSite" cookie would defeat the purpose of
withholding it in the first place, as the reload navigation triggered
through the user interface may replay the original (potentially
malicious) request. Thus, the reload request should be considered
cross-site, like the request that initially navigated to the page.
8.8.6. Top-level requests with "unsafe" methods
The "Lax" enforcement mode described in Section 5.4.7.1 allows a
cookie to be sent with a cross-site HTTP request if and only if it is
a top-level navigation with a "safe" HTTP method. Implementation
experience shows that this is difficult to apply as the default
behavior, as some sites may rely on cookies not explicitly specifying
a "SameSite" attribute being included on top-level cross-site
requests with "unsafe" HTTP methods (as was the case prior to the
introduction of the "SameSite" attribute).
For example, a login flow may involve a cross-site top-level "POST"
request to an endpoint which expects a cookie with login information.
For such a cookie, "Lax" enforcement is not appropriate, as it would
cause the cookie to be excluded due to the unsafe HTTP request
method. On the other hand, "None" enforcement would allow the cookie
to be sent with all cross-site requests, which may not be desirable
due to the cookie's sensitive contents.
The "Lax-allowing-unsafe" enforcement mode described in
Section 5.4.7.2 retains some of the protections of "Lax" enforcement
(as compared to "None") while still allowing cookies to be sent
cross-site with unsafe top-level requests.
As a more permissive variant of "Lax" mode, "Lax-allowing-unsafe"
mode necessarily provides fewer protections against CSRF.
Ultimately, the provision of such an enforcement mode should be seen
as a temporary, transitional measure to ease adoption of "Lax"
enforcement by default.
9. IANA Considerations
9.1. Cookie 9.1. Cookie
The permanent message header field registry (see [RFC3864]) needs to The permanent message header field registry (see [RFC3864]) needs to
be updated with the following registration: be updated with the following registration:
Header field name: Cookie Header field name: Cookie
Applicable protocol: http Applicable protocol: http
Status: standard Status: standard
Author/Change controller: IETF Author/Change controller: IETF
Specification document: this specification (Section 5.5) Specification document: this specification (Section 5.6.1)
9.2. Set-Cookie 9.2. Set-Cookie
The permanent message header field registry (see [RFC3864]) needs to The permanent message header field registry (see [RFC3864]) needs to
be updated with the following registration: be updated with the following registration:
Header field name: Set-Cookie Header field name: Set-Cookie
Applicable protocol: http Applicable protocol: http
Status: standard Status: standard
Author/Change controller: IETF Author/Change controller: IETF
Specification document: this specification (Section 5.3) Specification document: this specification (Section 5.4)
9.3. Cookie Attribute Registry 9.3. Cookie Attribute Registry
The "Cookie Attribute Registry" defines the name space of attribute IANA is requested to create the "Cookie Attribute Registry", defining
used to control cookies' behavior. The registry is maintained at the name space of attribute used to control cookies' behavior. The
https://www.iana.org/assignments/cookie-attribute-names registry should be maintained at https://www.iana.org/assignments/
(https://www.iana.org/assignments/cookie-attribute-names). cookie-attribute-names (https://www.iana.org/assignments/cookie-
attribute-names).
9.3.1. Procedure 9.3.1. Procedure
Each registered attribute name is associated with a description, and Each registered attribute name is associated with a description, and
a reference detailing how the attribute is to be processed and a reference detailing how the attribute is to be processed and
stored. stored.
New registrations happen on a "RFC Required" basis (see Section 4.7 New registrations happen on a "RFC Required" basis (see Section 4.7
of [RFC8126]). The attribute to be registered MUST match the of [RFC8126]). The attribute to be registered MUST match the
"extension-av" syntax defined in Section 4.1.1. Note that attribute "extension-av" syntax defined in Section 4.1.1. Note that attribute
names are generally defined in CamelCase, but technically accepted names are generally defined in CamelCase, but technically accepted
case-insensitively. case-insensitively.
9.3.2. Registration 9.3.2. Registration
The "Cookie Attribute Registry" will be updated with the The "Cookie Attribute Registry" should be created with the
registrations below: registrations below:
+==========+==================================+ +==========+==================================+
| Name | Reference | | Name | Reference |
+==========+==================================+ +==========+==================================+
| Domain | Section 4.1.2.3 of this document | | Domain | Section 4.1.2.3 of this document |
+----------+----------------------------------+ +----------+----------------------------------+
| Expires | Section 4.1.2.1 of this document | | Expires | Section 4.1.2.1 of this document |
+----------+----------------------------------+ +----------+----------------------------------+
| HttpOnly | Section 4.1.2.6 of this document | | HttpOnly | Section 4.1.2.6 of this document |
skipping to change at page 46, line 29 skipping to change at page 49, line 40
+----------+----------------------------------+ +----------+----------------------------------+
| Secure | Section 4.1.2.5 of this document | | Secure | Section 4.1.2.5 of this document |
+----------+----------------------------------+ +----------+----------------------------------+
Table 1 Table 1
10. References 10. References
10.1. Normative References 10.1. Normative References
[DOM-DOCUMENT-COOKIE]
WHATWG, "HTML - Living Standard", 18 May 2021,
<https://html.spec.whatwg.org/#dom-document-cookie>.
[FETCH] van Kesteren, A., "Fetch", n.d., [FETCH] van Kesteren, A., "Fetch", n.d.,
<https://fetch.spec.whatwg.org/>. <https://fetch.spec.whatwg.org/>.
[HTML] Hickson, I., Pieters, S., van Kesteren, A., Jägenstedt, [HTML] Hickson, I., Pieters, S., van Kesteren, A., Jägenstedt,
P., and D. Denicola, "HTML", n.d., P., and D. Denicola, "HTML", n.d.,
<https://html.spec.whatwg.org/>. <https://html.spec.whatwg.org/>.
[HTTPSEM] Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP
Semantics", Work in Progress, Internet-Draft, draft-ietf-
httpbis-semantics-16, 27 May 2021,
<https://tools.ietf.org/html/draft-ietf-httpbis-semantics-
16>.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/rfc/rfc1034>.
[RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts -
Application and Support", STD 3, RFC 1123, Application and Support", STD 3, RFC 1123,
DOI 10.17487/RFC1123, October 1989, DOI 10.17487/RFC1123, October 1989,
<https://www.rfc-editor.org/info/rfc1123>. <https://www.rfc-editor.org/rfc/rfc1123>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC3490] Costello, A., "Internationalizing Domain Names in [RFC3490] Costello, A., "Internationalizing Domain Names in
Applications (IDNA)", RFC 3490, March 2003, Applications (IDNA)", RFC 3490, March 2003,
<https://www.rfc-editor.org/rfc/rfc3490>. See Section 6.3 <https://www.rfc-editor.org/rfc/rfc3490>. See Section 6.3
for an explanation why the normative reference to an for an explanation why the normative reference to an
obsoleted specification is needed. obsoleted specification is needed.
[RFC4790] Newman, C., Duerst, M., and A. Gulbrandsen, "Internet [RFC4790] Newman, C., Duerst, M., and A. Gulbrandsen, "Internet
Application Protocol Collation Registry", RFC 4790, Application Protocol Collation Registry", RFC 4790,
DOI 10.17487/RFC4790, March 2007, DOI 10.17487/RFC4790, March 2007,
<https://www.rfc-editor.org/info/rfc4790>. <https://www.rfc-editor.org/rfc/rfc4790>.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008, DOI 10.17487/RFC5234, January 2008,
<https://www.rfc-editor.org/info/rfc5234>. <https://www.rfc-editor.org/rfc/rfc5234>.
[RFC5890] Klensin, J., "Internationalized Domain Names for [RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework", Applications (IDNA): Definitions and Document Framework",
RFC 5890, DOI 10.17487/RFC5890, August 2010, RFC 5890, DOI 10.17487/RFC5890, August 2010,
<https://www.rfc-editor.org/info/rfc5890>. <https://www.rfc-editor.org/rfc/rfc5890>.
[RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454,
DOI 10.17487/RFC6454, December 2011, DOI 10.17487/RFC6454, December 2011,
<https://www.rfc-editor.org/info/rfc6454>. <https://www.rfc-editor.org/rfc/rfc6454>.
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014,
<https://www.rfc-editor.org/info/rfc7230>.
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
DOI 10.17487/RFC7231, June 2014,
<https://www.rfc-editor.org/info/rfc7231>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/rfc/rfc8126>.
[SAMESITE] WHATWG, "HTML - Living Standard", 26 January 2021,
<https://html.spec.whatwg.org/#same-site>.
[SERVICE-WORKERS] [SERVICE-WORKERS]
Russell, A., Song, J., and J. Archibald, "Service Russell, A., Song, J., and J. Archibald, "Service
Workers", n.d., <http://www.w3.org/TR/service-workers/>. Workers", n.d., <http://www.w3.org/TR/service-workers/>.
[USASCII] American National Standards Institute, "Coded Character [USASCII] American National Standards Institute, "Coded Character
Set -- 7-bit American Standard Code for Information Set -- 7-bit American Standard Code for Information
Interchange", ANSI X3.4, 1986. Interchange", ANSI X3.4, 1986.
10.2. Informative References 10.2. Informative References
skipping to change at page 48, line 33 skipping to change at page 51, line 49
DOI 10.1145/1455770.1455782, ISBN 978-1-59593-810-7, DOI 10.1145/1455770.1455782, ISBN 978-1-59593-810-7,
ACM CCS '08: Proceedings of the 15th ACM conference on ACM CCS '08: Proceedings of the 15th ACM conference on
Computer and communications security (pages 75-88), Computer and communications security (pages 75-88),
October 2008, October 2008,
<http://portal.acm.org/citation.cfm?id=1455770.1455782>. <http://portal.acm.org/citation.cfm?id=1455770.1455782>.
[I-D.ietf-httpbis-cookie-alone] [I-D.ietf-httpbis-cookie-alone]
West, M., "Deprecate modification of 'secure' cookies from West, M., "Deprecate modification of 'secure' cookies from
non-secure origins", Work in Progress, Internet-Draft, non-secure origins", Work in Progress, Internet-Draft,
draft-ietf-httpbis-cookie-alone-01, 5 September 2016, draft-ietf-httpbis-cookie-alone-01, 5 September 2016,
<http://www.ietf.org/internet-drafts/draft-ietf-httpbis- <https://tools.ietf.org/html/draft-ietf-httpbis-cookie-
cookie-alone-01.txt>. alone-01>.
[I-D.ietf-httpbis-cookie-prefixes] [I-D.ietf-httpbis-cookie-prefixes]
West, M., "Cookie Prefixes", Work in Progress, Internet- West, M., "Cookie Prefixes", Work in Progress, Internet-
Draft, draft-ietf-httpbis-cookie-prefixes-00, 23 February Draft, draft-ietf-httpbis-cookie-prefixes-00, 23 February
2016, <http://www.ietf.org/internet-drafts/draft-ietf- 2016, <https://tools.ietf.org/html/draft-ietf-httpbis-
httpbis-cookie-prefixes-00.txt>. cookie-prefixes-00>.
[I-D.ietf-httpbis-cookie-same-site] [I-D.ietf-httpbis-cookie-same-site]
West, M. and M. Goodwin, "Same-Site Cookies", Work in West, M. and M. Goodwin, "Same-Site Cookies", Work in
Progress, Internet-Draft, draft-ietf-httpbis-cookie-same- Progress, Internet-Draft, draft-ietf-httpbis-cookie-same-
site-00, 20 June 2016, <http://www.ietf.org/internet- site-00, 20 June 2016, <https://tools.ietf.org/html/draft-
drafts/draft-ietf-httpbis-cookie-same-site-00.txt>. ietf-httpbis-cookie-same-site-00>.
[prerendering] [prerendering]
Bentzel, C., "Chrome Prerendering", n.d., Bentzel, C., "Chrome Prerendering", n.d.,
<https://www.chromium.org/developers/design-documents/ <https://www.chromium.org/developers/design-documents/
prerender>. prerender>.
[PSL] "Public Suffix List", n.d., [PSL] "Public Suffix List", n.d.,
<https://publicsuffix.org/list/>. <https://publicsuffix.org/list/>.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000, DOI 10.17487/RFC2818, May 2000,
<https://www.rfc-editor.org/info/rfc2818>. <https://www.rfc-editor.org/rfc/rfc2818>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <https://www.rfc-editor.org/info/rfc3629>. 2003, <https://www.rfc-editor.org/rfc/rfc3629>.
[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
Procedures for Message Header Fields", BCP 90, RFC 3864, Procedures for Message Header Fields", BCP 90, RFC 3864,
DOI 10.17487/RFC3864, September 2004, DOI 10.17487/RFC3864, September 2004,
<https://www.rfc-editor.org/info/rfc3864>. <https://www.rfc-editor.org/rfc/rfc3864>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005, RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/info/rfc3986>. <https://www.rfc-editor.org/rfc/rfc3986>.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
<https://www.rfc-editor.org/info/rfc4648>. <https://www.rfc-editor.org/rfc/rfc4648>.
[RFC5895] Resnick, P. and P. Hoffman, "Mapping Characters for [RFC5895] Resnick, P. and P. Hoffman, "Mapping Characters for
Internationalized Domain Names in Applications (IDNA) Internationalized Domain Names in Applications (IDNA)
2008", RFC 5895, DOI 10.17487/RFC5895, September 2010, 2008", RFC 5895, DOI 10.17487/RFC5895, September 2010,
<https://www.rfc-editor.org/info/rfc5895>. <https://www.rfc-editor.org/rfc/rfc5895>.
[RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
DOI 10.17487/RFC6265, April 2011, DOI 10.17487/RFC6265, April 2011,
<https://www.rfc-editor.org/info/rfc6265>. <https://www.rfc-editor.org/rfc/rfc6265>.
[RFC7034] Ross, D. and T. Gondrom, "HTTP Header Field X-Frame- [RFC7034] Ross, D. and T. Gondrom, "HTTP Header Field X-Frame-
Options", RFC 7034, DOI 10.17487/RFC7034, October 2013, Options", RFC 7034, DOI 10.17487/RFC7034, October 2013,
<https://www.rfc-editor.org/info/rfc7034>. <https://www.rfc-editor.org/rfc/rfc7034>.
[UTS46] Davis, M. and M. Suignard, "Unicode IDNA Compatibility [UTS46] Davis, M. and M. Suignard, "Unicode IDNA Compatibility
Processing", UNICODE Unicode Technical Standards # 46, Processing", UNICODE Unicode Technical Standards # 46,
June 2016, <http://unicode.org/reports/tr46/>. June 2016, <http://unicode.org/reports/tr46/>.
Appendix A. Changes Appendix A. Changes
A.1. draft-ietf-httpbis-rfc6265bis-00 A.1. draft-ietf-httpbis-rfc6265bis-00
* Port [RFC6265] to Markdown. No (intentional) normative changes. * Port [RFC6265] to Markdown. No (intentional) normative changes.
skipping to change at page 53, line 4 skipping to change at page 56, line 21
* Fixed serialization for nameless/valueless cookies: * Fixed serialization for nameless/valueless cookies:
https://github.com/httpwg/http-extensions/pull/1143 https://github.com/httpwg/http-extensions/pull/1143
(https://github.com/httpwg/http-extensions/pull/1143). (https://github.com/httpwg/http-extensions/pull/1143).
* Converted a normative reference to Mozilla's Public Suffix List * Converted a normative reference to Mozilla's Public Suffix List
[PSL] into an informative reference: https://github.com/httpwg/ [PSL] into an informative reference: https://github.com/httpwg/
http-extensions/issues/1159 (https://github.com/httpwg/http- http-extensions/issues/1159 (https://github.com/httpwg/http-
extensions/issues/1159). extensions/issues/1159).
A.8. draft-ietf-httpbis-rfc6265bis-07 A.8. draft-ietf-httpbis-rfc6265bis-07
* Moved instruction to ignore cookies with empty cookie-name and * Moved instruction to ignore cookies with empty cookie-name and
cookie-value from Section 5.3 to Section 5.4 to ensure that they cookie-value from Section 5.4 to Section 5.5 to ensure that they
apply to cookies created without parsing a cookie string: apply to cookies created without parsing a cookie string:
https://github.com/httpwg/http-extensions/issues/1234 https://github.com/httpwg/http-extensions/issues/1234
(https://github.com/httpwg/http-extensions/issues/1234). (https://github.com/httpwg/http-extensions/issues/1234).
* Add a default enforcement value to the "same-site-flag", * Add a default enforcement value to the "same-site-flag",
equivalent to "SameSite=Lax": https://github.com/httpwg/http- equivalent to "SameSite=Lax": https://github.com/httpwg/http-
extensions/pull/1325 (https://github.com/httpwg/http-extensions/ extensions/pull/1325 (https://github.com/httpwg/http-extensions/
pull/1325). pull/1325).
* Require a Secure attribute for "SameSite=None": * Require a Secure attribute for "SameSite=None":
https://github.com/httpwg/http-extensions/pull/1323 https://github.com/httpwg/http-extensions/pull/1323
(https://github.com/httpwg/http-extensions/pull/1323). (https://github.com/httpwg/http-extensions/pull/1323).
* Consider scheme when running the same-site algorithm: * Consider scheme when running the same-site algorithm:
https://github.com/httpwg/http-extensions/pull/1324 https://github.com/httpwg/http-extensions/pull/1324
(https://github.com/httpwg/http-extensions/pull/1324). (https://github.com/httpwg/http-extensions/pull/1324).
A.9. draft-ietf-httpbis-rfc6265bis-08
* Define "same-site" for reload navigation requests, e.g. those
triggered via user interface elements: https://github.com/httpwg/
http-extensions/pull/1384 (https://github.com/httpwg/http-
extensions/pull/1384)
* Consider redirects when defining same-site:
https://github.com/httpwg/http-extensions/pull/1348
(https://github.com/httpwg/http-extensions/pull/1348)
* Align on using HTML terminology for origins:
https://github.com/httpwg/http-extensions/pull/1416
(https://github.com/httpwg/http-extensions/pull/1416)
* Modify cookie parsing and creation algorithms in Section 5.4 and
Section 5.5 to explicitly handle control characters:
https://github.com/httpwg/http-extensions/pull/1420
(https://github.com/httpwg/http-extensions/pull/1420)
* Refactor cookie retrieval algorithm to support non-HTTP APIs:
https://github.com/httpwg/http-extensions/pull/1428
(https://github.com/httpwg/http-extensions/pull/1428)
* Define "Lax-allowing-unsafe" SameSite enforcement mode:
https://github.com/httpwg/http-extensions/pull/1435
(https://github.com/httpwg/http-extensions/pull/1435)
* Consistently use "header field" (vs 'header"):
https://github.com/httpwg/http-extensions/pull/1527
(https://github.com/httpwg/http-extensions/pull/1527)
Acknowledgements Acknowledgements
RFC 6265 was written by Adam Barth. This document is a minor update RFC 6265 was written by Adam Barth. This document is an update of
of RFC 6265, adding small features, and aligning the specification RFC 6265, adding features and aligning the specification with the
with the reality of today's deployments. Here, we're standing upon reality of today's deployments. Here, we're standing upon the
the shoulders of a giant since the majority of the text is still shoulders of a giant since the majority of the text is still Adam's.
Adam's.
Authors' Addresses Authors' Addresses
Lily Chen (editor)
Google LLC
Email: chlily@google.com
Steven Englehardt (editor)
Mozilla
Email: senglehardt@mozilla.com
Mike West (editor) Mike West (editor)
Google, Inc Google LLC
Email: mkwst@google.com Email: mkwst@google.com
URI: https://mikewest.org/ URI: https://mikewest.org/
John Wilander (editor) John Wilander (editor)
Apple, Inc Apple, Inc
Email: wilander@apple.com Email: wilander@apple.com
 End of changes. 172 change blocks. 
395 lines changed or deleted 633 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/