draft-ietf-httpbis-rfc6265bis-09.txt | draft-ietf-httpbis-rfc6265bis-10.txt | |||
---|---|---|---|---|
HTTP L. Chen, Ed. | HTTP L. Chen, Ed. | |||
Internet-Draft Google LLC | Internet-Draft Google LLC | |||
Obsoletes: 6265 (if approved) S. Englehardt, Ed. | Obsoletes: 6265 (if approved) S. Englehardt, Ed. | |||
Intended status: Standards Track Mozilla | Intended status: Standards Track Mozilla | |||
Expires: 22 April 2022 M. West, Ed. | Expires: 26 October 2022 M. West, Ed. | |||
Google LLC | Google LLC | |||
J. Wilander, Ed. | J. Wilander, Ed. | |||
Apple, Inc | Apple, Inc | |||
19 October 2021 | 24 April 2022 | |||
Cookies: HTTP State Management Mechanism | Cookies: HTTP State Management Mechanism | |||
draft-ietf-httpbis-rfc6265bis-09 | draft-ietf-httpbis-rfc6265bis-10 | |||
Abstract | Abstract | |||
This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
These header fields can be used by HTTP servers to store state | These header fields can be used by HTTP servers to store state | |||
(called cookies) at HTTP user agents, letting the servers maintain a | (called cookies) at HTTP user agents, letting the servers maintain a | |||
stateful session over the mostly stateless HTTP protocol. Although | stateful session over the mostly stateless HTTP protocol. Although | |||
cookies have many historical infelicities that degrade their security | cookies have many historical infelicities that degrade their security | |||
and privacy, the Cookie and Set-Cookie header fields are widely used | and privacy, the Cookie and Set-Cookie header fields are widely used | |||
on the Internet. This document obsoletes RFC 6265. | on the Internet. This document obsoletes RFC 6265. | |||
Note to Readers | About This Document | |||
Discussion of this draft takes place on the HTTP working group | This note is to be removed before publishing as an RFC. | |||
mailing list (ietf-http-wg@w3.org), which is archived at | ||||
https://lists.w3.org/Archives/Public/ietf-http-wg/ | ||||
(https://lists.w3.org/Archives/Public/ietf-http-wg/). | ||||
Working Group information can be found at http://httpwg.github.io/ | Status information for this document may be found at | |||
(http://httpwg.github.io/); source code and issues list for this | https://datatracker.ietf.org/doc/draft-ietf-httpbis-rfc6265bis/. | |||
draft can be found at https://github.com/httpwg/http-extensions/ | ||||
labels/6265bis (https://github.com/httpwg/http-extensions/ | Discussion of this document takes place on the HTTP Working Group | |||
labels/6265bis). | mailing list (mailto:ietf-http-wg@w3.org), which is archived at | |||
https://lists.w3.org/Archives/Public/ietf-http-wg/. Working Group | ||||
information can be found at https://httpwg.org/. | ||||
Source for this draft and an issue tracker can be found at | ||||
https://github.com/httpwg/http-extensions/labels/6265bis. | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on 22 April 2022. | This Internet-Draft will expire on 26 October 2022. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
extracted from this document must include Simplified BSD License text | extracted from this document must include Revised BSD License text as | |||
as described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Revised BSD License. | |||
This document may contain material from IETF Documents or IETF | This document may contain material from IETF Documents or IETF | |||
Contributions published or made publicly available before November | Contributions published or made publicly available before November | |||
10, 2008. The person(s) controlling the copyright in some of this | 10, 2008. The person(s) controlling the copyright in some of this | |||
material may not have granted the IETF Trust the right to allow | material may not have granted the IETF Trust the right to allow | |||
modifications of such material outside the IETF Standards Process. | modifications of such material outside the IETF Standards Process. | |||
Without obtaining an adequate license from the person(s) controlling | Without obtaining an adequate license from the person(s) controlling | |||
the copyright in such materials, this document may not be modified | the copyright in such materials, this document may not be modified | |||
outside the IETF Standards Process, and derivative works of it may | outside the IETF Standards Process, and derivative works of it may | |||
not be created outside the IETF Standards Process, except to format | not be created outside the IETF Standards Process, except to format | |||
it for publication as an RFC or to translate it into languages other | it for publication as an RFC or to translate it into languages other | |||
than English. | than English. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 5 | 2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 5 | |||
2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 5 | 2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 6 | |||
2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 | 2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 8 | 3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 9 | 4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 9 | |||
4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 9 | 4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 9 | 4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 11 | 4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 11 | |||
4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 14 | 4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 15 | |||
4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 16 | 4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 16 | 4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 16 | |||
5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 16 | 5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 17 | |||
5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 17 | 5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 17 | |||
5.1.1. Dates . . . . . . . . . . . . . . . . . . . . . . . . 17 | 5.1.1. Dates . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 18 | 5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 19 | |||
5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 19 | 5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 20 | |||
5.1.4. Paths and Path-Match . . . . . . . . . . . . . . . . 19 | 5.1.4. Paths and Path-Match . . . . . . . . . . . . . . . . 20 | |||
5.2. "Same-site" and "cross-site" Requests . . . . . . . . . . 20 | 5.2. "Same-site" and "cross-site" Requests . . . . . . . . . . 21 | |||
5.2.1. Document-based requests . . . . . . . . . . . . . . . 21 | 5.2.1. Document-based requests . . . . . . . . . . . . . . . 21 | |||
5.2.2. Worker-based requests . . . . . . . . . . . . . . . . 22 | 5.2.2. Worker-based requests . . . . . . . . . . . . . . . . 22 | |||
5.3. Ignoring Set-Cookie Header Fields . . . . . . . . . . . . 23 | 5.3. Ignoring Set-Cookie Header Fields . . . . . . . . . . . . 23 | |||
5.4. The Set-Cookie Header Field . . . . . . . . . . . . . . . 23 | 5.4. The Set-Cookie Header Field . . . . . . . . . . . . . . . 24 | |||
5.4.1. The Expires Attribute . . . . . . . . . . . . . . . . 26 | 5.4.1. The Expires Attribute . . . . . . . . . . . . . . . . 26 | |||
5.4.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 26 | 5.4.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 27 | |||
5.4.3. The Domain Attribute . . . . . . . . . . . . . . . . 26 | 5.4.3. The Domain Attribute . . . . . . . . . . . . . . . . 27 | |||
5.4.4. The Path Attribute . . . . . . . . . . . . . . . . . 27 | 5.4.4. The Path Attribute . . . . . . . . . . . . . . . . . 28 | |||
5.4.5. The Secure Attribute . . . . . . . . . . . . . . . . 27 | 5.4.5. The Secure Attribute . . . . . . . . . . . . . . . . 28 | |||
5.4.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 27 | 5.4.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 28 | |||
5.4.7. The SameSite Attribute . . . . . . . . . . . . . . . 27 | 5.4.7. The SameSite Attribute . . . . . . . . . . . . . . . 28 | |||
5.5. Storage Model . . . . . . . . . . . . . . . . . . . . . . 29 | 5.5. Storage Model . . . . . . . . . . . . . . . . . . . . . . 30 | |||
5.6. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 35 | 5.6. Retrieval Model . . . . . . . . . . . . . . . . . . . . . 36 | |||
5.6.1. The Cookie Header Field . . . . . . . . . . . . . . . 35 | 5.6.1. The Cookie Header Field . . . . . . . . . . . . . . . 36 | |||
5.6.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 36 | 5.6.2. Non-HTTP APIs . . . . . . . . . . . . . . . . . . . . 36 | |||
5.6.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 36 | 5.6.3. Retrieval Algorithm . . . . . . . . . . . . . . . . . 37 | |||
6. Implementation Considerations . . . . . . . . . . . . . . . . 38 | 6. Implementation Considerations . . . . . . . . . . . . . . . . 39 | |||
6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 38 | 6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 39 | |||
6.2. Application Programming Interfaces . . . . . . . . . . . 39 | 6.2. Application Programming Interfaces . . . . . . . . . . . 39 | |||
6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 39 | 6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 40 | |||
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 39 | 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 40 | |||
7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 40 | 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 41 | |||
7.2. Cookie policy . . . . . . . . . . . . . . . . . . . . . . 40 | 7.2. Cookie Policy . . . . . . . . . . . . . . . . . . . . . . 41 | |||
7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 41 | 7.3. User Controls . . . . . . . . . . . . . . . . . . . . . . 42 | |||
7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 41 | 7.4. Expiration Dates . . . . . . . . . . . . . . . . . . . . 42 | |||
8. Security Considerations . . . . . . . . . . . . . . . . . . . 41 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 43 | |||
8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 41 | 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 43 | |||
8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 42 | 8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 43 | |||
8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 42 | 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 44 | |||
8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 43 | 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 44 | |||
8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 44 | 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 45 | |||
8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 44 | 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 46 | |||
8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 45 | 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 47 | |||
8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 45 | 8.8. SameSite Cookies . . . . . . . . . . . . . . . . . . . . 47 | |||
8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 46 | 8.8.1. Defense in depth . . . . . . . . . . . . . . . . . . 47 | |||
8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 46 | 8.8.2. Top-level Navigations . . . . . . . . . . . . . . . . 47 | |||
8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 47 | 8.8.3. Mashups and Widgets . . . . . . . . . . . . . . . . . 48 | |||
8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 47 | 8.8.4. Server-controlled . . . . . . . . . . . . . . . . . . 48 | |||
8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 47 | 8.8.5. Reload navigations . . . . . . . . . . . . . . . . . 48 | |||
8.8.6. Top-level requests with "unsafe" methods . . . . . . 48 | 8.8.6. Top-level requests with "unsafe" methods . . . . . . 49 | |||
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 50 | |||
9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 49 | 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 50 | |||
9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 49 | 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 50 | |||
9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 49 | 9.3. Cookie Attribute Registry . . . . . . . . . . . . . . . . 50 | |||
9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 49 | 9.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 51 | |||
9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 50 | 9.3.2. Registration . . . . . . . . . . . . . . . . . . . . 51 | |||
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 50 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 51 | |||
10.1. Normative References . . . . . . . . . . . . . . . . . . 50 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 51 | |||
10.2. Informative References . . . . . . . . . . . . . . . . . 52 | 10.2. Informative References . . . . . . . . . . . . . . . . . 53 | |||
Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 54 | Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 55 | |||
A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 54 | A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 55 | |||
A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 54 | A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 55 | |||
A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 55 | A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 56 | |||
A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 55 | A.4. draft-ietf-httpbis-rfc6265bis-03 . . . . . . . . . . . . 56 | |||
A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 56 | A.5. draft-ietf-httpbis-rfc6265bis-04 . . . . . . . . . . . . 57 | |||
A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 56 | A.6. draft-ietf-httpbis-rfc6265bis-05 . . . . . . . . . . . . 57 | |||
A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 56 | A.7. draft-ietf-httpbis-rfc6265bis-06 . . . . . . . . . . . . 57 | |||
A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 57 | A.8. draft-ietf-httpbis-rfc6265bis-07 . . . . . . . . . . . . 58 | |||
A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 57 | A.9. draft-ietf-httpbis-rfc6265bis-08 . . . . . . . . . . . . 58 | |||
A.10. draft-ietf-httpbis-rfc6265bis-09 . . . . . . . . . . . . 58 | A.10. draft-ietf-httpbis-rfc6265bis-09 . . . . . . . . . . . . 59 | |||
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 58 | A.11. draft-ietf-httpbis-rfc6265bis-10 . . . . . . . . . . . . 59 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 60 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 60 | ||||
1. Introduction | 1. Introduction | |||
This document defines the HTTP Cookie and Set-Cookie header fields. | This document defines the HTTP Cookie and Set-Cookie header fields. | |||
Using the Set-Cookie header field, an HTTP server can pass name/value | Using the Set-Cookie header field, an HTTP server can pass name/value | |||
pairs and associated metadata (called cookies) to a user agent. When | pairs and associated metadata (called cookies) to a user agent. When | |||
the user agent makes subsequent requests to the server, the user | the user agent makes subsequent requests to the server, the user | |||
agent uses the metadata and other information to determine whether to | agent uses the metadata and other information to determine whether to | |||
return the name/value pairs in the Cookie header field. | return the name/value pairs in the Cookie header field. | |||
skipping to change at page 10, line 23 ¶ | skipping to change at page 10, line 30 ¶ | |||
; whitespace DQUOTE, comma, semicolon, | ; whitespace DQUOTE, comma, semicolon, | |||
; and backslash | ; and backslash | |||
cookie-av = expires-av / max-age-av / domain-av / | cookie-av = expires-av / max-age-av / domain-av / | |||
path-av / secure-av / httponly-av / | path-av / secure-av / httponly-av / | |||
samesite-av / extension-av | samesite-av / extension-av | |||
expires-av = "Expires" BWS "=" BWS sane-cookie-date | expires-av = "Expires" BWS "=" BWS sane-cookie-date | |||
sane-cookie-date = | sane-cookie-date = | |||
<IMF-fixdate, defined in [HTTPSEM], Section 5.6.7> | <IMF-fixdate, defined in [HTTPSEM], Section 5.6.7> | |||
max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT | max-age-av = "Max-Age" BWS "=" BWS non-zero-digit *DIGIT | |||
; In practice, both expires-av and max-age-av | ||||
; are limited to dates representable by the | ||||
; user agent. | ||||
non-zero-digit = %x31-39 | non-zero-digit = %x31-39 | |||
; digits 1 through 9 | ; digits 1 through 9 | |||
domain-av = "Domain" BWS "=" BWS domain-value | domain-av = "Domain" BWS "=" BWS domain-value | |||
domain-value = <subdomain> | domain-value = <subdomain> | |||
; defined in [RFC1034], Section 3.5, as | ; see details below | |||
; enhanced by [RFC1123], Section 2.1 | ||||
path-av = "Path" BWS "=" BWS path-value | path-av = "Path" BWS "=" BWS path-value | |||
path-value = *av-octet | path-value = *av-octet | |||
secure-av = "Secure" | secure-av = "Secure" | |||
httponly-av = "HttpOnly" | httponly-av = "HttpOnly" | |||
samesite-av = "SameSite" BWS "=" BWS samesite-value | samesite-av = "SameSite" BWS "=" BWS samesite-value | |||
samesite-value = "Strict" / "Lax" / "None" | samesite-value = "Strict" / "Lax" / "None" | |||
extension-av = *av-octet | extension-av = *av-octet | |||
av-octet = %x20-3A / %x3C-7E | av-octet = %x20-3A / %x3C-7E | |||
; any CHAR except CTLs or ";" | ; any CHAR except CTLs or ";" | |||
Note that some of the grammatical terms above reference documents | Note that some of the grammatical terms above reference documents | |||
that use different grammatical notations than this document (which | that use different grammatical notations than this document (which | |||
uses ABNF from [RFC5234]). | uses ABNF from [RFC5234]). | |||
The semantics of the cookie-value are not defined by this document. | The semantics of the cookie-value are not defined by this document. | |||
To maximize compatibility with user agents, servers that wish to | To maximize compatibility with user agents, servers that wish to | |||
store arbitrary data in a cookie-value SHOULD encode that data, for | store arbitrary data in a cookie-value SHOULD encode that data, for | |||
example, using Base64 [RFC4648]. | example, using Base64 [RFC4648]. | |||
The domain-value is a subdomain as defined by [RFC1034], Section 3.5, | ||||
and as enhanced by [RFC1123], Section 2.1. Thus, domain-value is a | ||||
string of [USASCII] characters, such as one obtained by applying the | ||||
"ToASCII" operation defined in Section 4 of [RFC3490]. | ||||
Per the grammar above, the cookie-value MAY be wrapped in DQUOTE | Per the grammar above, the cookie-value MAY be wrapped in DQUOTE | |||
characters. Note that in this case, the initial and trailing DQUOTE | characters. Note that in this case, the initial and trailing DQUOTE | |||
characters are not stripped. They are part of the cookie-value, and | characters are not stripped. They are part of the cookie-value, and | |||
will be included in Cookie header fields sent to the server. | will be included in Cookie header fields sent to the server. | |||
The portions of the set-cookie-string produced by the cookie-av term | The portions of the set-cookie-string produced by the cookie-av term | |||
are known as attributes. To maximize compatibility with user agents, | are known as attributes. To maximize compatibility with user agents, | |||
servers SHOULD NOT produce two attributes with the same name in the | servers SHOULD NOT produce two attributes with the same name in the | |||
same set-cookie-string. (See Section 5.5 for how user agents handle | same set-cookie-string. (See Section 5.5 for how user agents handle | |||
this case.) | this case.) | |||
skipping to change at page 12, line 19 ¶ | skipping to change at page 12, line 30 ¶ | |||
attributes (but not the entire cookie). | attributes (but not the entire cookie). | |||
4.1.2.1. The Expires Attribute | 4.1.2.1. The Expires Attribute | |||
The Expires attribute indicates the maximum lifetime of the cookie, | The Expires attribute indicates the maximum lifetime of the cookie, | |||
represented as the date and time at which the cookie expires. The | represented as the date and time at which the cookie expires. The | |||
user agent is not required to retain the cookie until the specified | user agent is not required to retain the cookie until the specified | |||
date has passed. In fact, user agents often evict cookies due to | date has passed. In fact, user agents often evict cookies due to | |||
memory pressure or privacy concerns. | memory pressure or privacy concerns. | |||
The user agent MUST limit the maximum value of the Expires attribute. | ||||
The limit SHOULD NOT be greater than 400 days (34560000 seconds) in | ||||
the future. The RECOMMENDED limit is 400 days in the future, but the | ||||
user agent MAY adjust the limit (see Section 7.2). Expires | ||||
attributes that are greater than the limit MUST be reduced to the | ||||
limit. | ||||
4.1.2.2. The Max-Age Attribute | 4.1.2.2. The Max-Age Attribute | |||
The Max-Age attribute indicates the maximum lifetime of the cookie, | The Max-Age attribute indicates the maximum lifetime of the cookie, | |||
represented as the number of seconds until the cookie expires. The | represented as the number of seconds until the cookie expires. The | |||
user agent is not required to retain the cookie for the specified | user agent is not required to retain the cookie for the specified | |||
duration. In fact, user agents often evict cookies due to memory | duration. In fact, user agents often evict cookies due to memory | |||
pressure or privacy concerns. | pressure or privacy concerns. | |||
The user agent MUST limit the maximum value of the Max-Age attribute. | ||||
The limit SHOULD NOT be greater than 400 days (34560000 seconds) in | ||||
duration. The RECOMMENDED limit is 400 days in duration, but the | ||||
user agent MAY adjust the limit (see Section 7.2). Max-Age | ||||
attributes that are greater than the limit MUST be reduced to the | ||||
limit. | ||||
NOTE: Some existing user agents do not support the Max-Age attribute. | NOTE: Some existing user agents do not support the Max-Age attribute. | |||
User agents that do not support the Max-Age attribute ignore the | User agents that do not support the Max-Age attribute ignore the | |||
attribute. | attribute. | |||
If a cookie has both the Max-Age and the Expires attribute, the Max- | If a cookie has both the Max-Age and the Expires attribute, the Max- | |||
Age attribute has precedence and controls the expiration date of the | Age attribute has precedence and controls the expiration date of the | |||
cookie. If a cookie has neither the Max-Age nor the Expires | cookie. If a cookie has neither the Max-Age nor the Expires | |||
attribute, the user agent will retain the cookie until "the current | attribute, the user agent will retain the cookie until "the current | |||
session is over" (as defined by the user agent). | session is over" (as defined by the user agent). | |||
skipping to change at page 17, line 24 ¶ | skipping to change at page 18, line 10 ¶ | |||
flags defined as a part of the algorithm (i.e., found-time, found- | flags defined as a part of the algorithm (i.e., found-time, found- | |||
day-of-month, found-month, found-year) are initially "not set". | day-of-month, found-month, found-year) are initially "not set". | |||
1. Using the grammar below, divide the cookie-date into date-tokens. | 1. Using the grammar below, divide the cookie-date into date-tokens. | |||
cookie-date = *delimiter date-token-list *delimiter | cookie-date = *delimiter date-token-list *delimiter | |||
date-token-list = date-token *( 1*delimiter date-token ) | date-token-list = date-token *( 1*delimiter date-token ) | |||
date-token = 1*non-delimiter | date-token = 1*non-delimiter | |||
delimiter = %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E | delimiter = %x09 / %x20-2F / %x3B-40 / %x5B-60 / %x7B-7E | |||
non-delimiter = %x00-08 / %x0A-1F / DIGIT / ":" / ALPHA / %x7F-FF | non-delimiter = %x00-08 / %x0A-1F / DIGIT / ":" / ALPHA | |||
/ %x7F-FF | ||||
non-digit = %x00-2F / %x3A-FF | non-digit = %x00-2F / %x3A-FF | |||
day-of-month = 1*2DIGIT [ non-digit *OCTET ] | day-of-month = 1*2DIGIT [ non-digit *OCTET ] | |||
month = ( "jan" / "feb" / "mar" / "apr" / | month = ( "jan" / "feb" / "mar" / "apr" / | |||
"may" / "jun" / "jul" / "aug" / | "may" / "jun" / "jul" / "aug" / | |||
"sep" / "oct" / "nov" / "dec" ) *OCTET | "sep" / "oct" / "nov" / "dec" ) *OCTET | |||
year = 2*4DIGIT [ non-digit *OCTET ] | year = 2*4DIGIT [ non-digit *OCTET ] | |||
time = hms-time [ non-digit *OCTET ] | time = hms-time [ non-digit *OCTET ] | |||
hms-time = time-field ":" time-field ":" time-field | hms-time = time-field ":" time-field ":" time-field | |||
time-field = 1*2DIGIT | time-field = 1*2DIGIT | |||
skipping to change at page 24, line 11 ¶ | skipping to change at page 24, line 36 ¶ | |||
characters that are not cookie-octets according to the grammar in | characters that are not cookie-octets according to the grammar in | |||
Section 4.1. User agents use this algorithm so as to interoperate | Section 4.1. User agents use this algorithm so as to interoperate | |||
with servers that do not follow the recommendations in Section 4. | with servers that do not follow the recommendations in Section 4. | |||
NOTE: As set-cookie-string may originate from a non-HTTP API, it is | NOTE: As set-cookie-string may originate from a non-HTTP API, it is | |||
not guaranteed to be free of CTL characters, so this algorithm | not guaranteed to be free of CTL characters, so this algorithm | |||
handles them explicitly. Horizontal tab (%x09) is excluded from the | handles them explicitly. Horizontal tab (%x09) is excluded from the | |||
CTL characters that lead to set-cookie-string rejection, as it is | CTL characters that lead to set-cookie-string rejection, as it is | |||
considered whitespace, which is handled separately. | considered whitespace, which is handled separately. | |||
NOTE: The set-cookie-string may contain octet sequences that appear | ||||
percent-encoded as per Section 2.1 of [RFC3986]. However, a user | ||||
agent MUST NOT decode these sequences and instead parse the | ||||
individual octets as specified in this algorithm. | ||||
A user agent MUST use an algorithm equivalent to the following | A user agent MUST use an algorithm equivalent to the following | |||
algorithm to parse a set-cookie-string: | algorithm to parse a set-cookie-string: | |||
1. If the set-cookie-string contains a %x00-08 / %x0A-1F / %x7F | 1. If the set-cookie-string contains a %x00-08 / %x0A-1F / %x7F | |||
character (CTL characters excluding HTAB): Abort these steps and | character (CTL characters excluding HTAB): Abort these steps and | |||
ignore the set-cookie-string entirely. | ignore the set-cookie-string entirely. | |||
2. If the set-cookie-string contains a %x3B (";") character: | 2. If the set-cookie-string contains a %x3B (";") character: | |||
1. The name-value-pair string consists of the characters up to, | 1. The name-value-pair string consists of the characters up to, | |||
skipping to change at page 26, line 16 ¶ | skipping to change at page 26, line 49 ¶ | |||
If the attribute-name case-insensitively matches the string | If the attribute-name case-insensitively matches the string | |||
"Expires", the user agent MUST process the cookie-av as follows. | "Expires", the user agent MUST process the cookie-av as follows. | |||
1. Let the expiry-time be the result of parsing the attribute-value | 1. Let the expiry-time be the result of parsing the attribute-value | |||
as cookie-date (see Section 5.1.1). | as cookie-date (see Section 5.1.1). | |||
2. If the attribute-value failed to parse as a cookie date, ignore | 2. If the attribute-value failed to parse as a cookie date, ignore | |||
the cookie-av. | the cookie-av. | |||
3. If the expiry-time is later than the last date the user agent can | 3. Let cookie-age-limit be the maximum age of the cookie (which | |||
represent, the user agent MAY replace the expiry-time with the | SHOULD be 400 days in the future or sooner, see Section 4.1.2.1). | |||
last representable date. | ||||
4. If the expiry-time is earlier than the earliest date the user | 4. If the expiry-time is more than cookie-age-limit, the user agent | |||
MUST set the expiry time to cookie-age-limit in seconds. | ||||
5. If the expiry-time is earlier than the earliest date the user | ||||
agent can represent, the user agent MAY replace the expiry-time | agent can represent, the user agent MAY replace the expiry-time | |||
with the earliest representable date. | with the earliest representable date. | |||
5. Append an attribute to the cookie-attribute-list with an | 6. Append an attribute to the cookie-attribute-list with an | |||
attribute-name of Expires and an attribute-value of expiry-time. | attribute-name of Expires and an attribute-value of expiry-time. | |||
5.4.2. The Max-Age Attribute | 5.4.2. The Max-Age Attribute | |||
If the attribute-name case-insensitively matches the string "Max- | If the attribute-name case-insensitively matches the string "Max- | |||
Age", the user agent MUST process the cookie-av as follows. | Age", the user agent MUST process the cookie-av as follows. | |||
1. If the first character of the attribute-value is not a DIGIT or a | 1. If the first character of the attribute-value is not a DIGIT or a | |||
"-" character, ignore the cookie-av. | "-" character, ignore the cookie-av. | |||
2. If the remainder of attribute-value contains a non-DIGIT | 2. If the remainder of attribute-value contains a non-DIGIT | |||
character, ignore the cookie-av. | character, ignore the cookie-av. | |||
3. Let delta-seconds be the attribute-value converted to an integer. | 3. Let delta-seconds be the attribute-value converted to an integer. | |||
4. If delta-seconds is less than or equal to zero (0), let expiry- | 4. Let cookie-age-limit be the maximum age of the cookie (which | |||
SHOULD be 400 days or less, see Section 4.1.2.2). | ||||
5. Set delta-seconds to the smaller of its present value and cookie- | ||||
age-limit. | ||||
6. If delta-seconds is less than or equal to zero (0), let expiry- | ||||
time be the earliest representable date and time. Otherwise, let | time be the earliest representable date and time. Otherwise, let | |||
the expiry-time be the current date and time plus delta-seconds | the expiry-time be the current date and time plus delta-seconds | |||
seconds. | seconds. | |||
5. Append an attribute to the cookie-attribute-list with an | 7. Append an attribute to the cookie-attribute-list with an | |||
attribute-name of Max-Age and an attribute-value of expiry-time. | attribute-name of Max-Age and an attribute-value of expiry-time. | |||
5.4.3. The Domain Attribute | 5.4.3. The Domain Attribute | |||
If the attribute-name case-insensitively matches the string "Domain", | If the attribute-name case-insensitively matches the string "Domain", | |||
the user agent MUST process the cookie-av as follows. | the user agent MUST process the cookie-av as follows. | |||
1. Let cookie-domain be the attribute-value. | 1. Let cookie-domain be the attribute-value. | |||
2. If cookie-domain starts with %x2E ("."), let cookie-domain be | 2. If cookie-domain starts with %x2E ("."), let cookie-domain be | |||
skipping to change at page 29, line 35 ¶ | skipping to change at page 30, line 23 ¶ | |||
recently. Deployment experience has shown a cookie age of 2 minutes | recently. Deployment experience has shown a cookie age of 2 minutes | |||
or less to be a reasonable limit. | or less to be a reasonable limit. | |||
If the user agent uses "Lax-allowing-unsafe" enforcement, it MUST | If the user agent uses "Lax-allowing-unsafe" enforcement, it MUST | |||
apply the following modification to the retrieval algorithm defined | apply the following modification to the retrieval algorithm defined | |||
in Section 5.6.3: | in Section 5.6.3: | |||
Replace the condition in the penultimate bullet point of step 1 of | Replace the condition in the penultimate bullet point of step 1 of | |||
the retrieval algorithm reading | the retrieval algorithm reading | |||
* The HTTP request associated with the retrieval uses a "safe" method. | * The HTTP request associated with the retrieval uses a "safe" | |||
method. | ||||
with | with | |||
* At least one of the following is true: | * At least one of the following is true: | |||
1. The HTTP request associated with the retrieval uses a "safe" method. | 1. The HTTP request associated with the retrieval uses a "safe" | |||
method. | ||||
2. The cookie's same-site-flag is "Default" and the amount of time | 2. The cookie's same-site-flag is "Default" and the amount of | |||
elapsed since the cookie's creation-time is at most a duration of the | time elapsed since the cookie's creation-time is at most a | |||
user agent's choosing. | duration of the user agent's choosing. | |||
5.5. Storage Model | 5.5. Storage Model | |||
The user agent stores the following fields about each cookie: name, | The user agent stores the following fields about each cookie: name, | |||
value, expiry-time, domain, path, creation-time, last-access-time, | value, expiry-time, domain, path, creation-time, last-access-time, | |||
persistent-flag, host-only-flag, secure-only-flag, http-only-flag, | persistent-flag, host-only-flag, secure-only-flag, http-only-flag, | |||
and same-site-flag. | and same-site-flag. | |||
When the user agent "receives a cookie" from a request-uri with name | When the user agent "receives a cookie" from a request-uri with name | |||
cookie-name, value cookie-value, and attributes cookie-attribute- | cookie-name, value cookie-value, and attributes cookie-attribute- | |||
skipping to change at page 31, line 20 ¶ | skipping to change at page 32, line 12 ¶ | |||
attribute-name of "Domain" and an attribute-value whose | attribute-name of "Domain" and an attribute-value whose | |||
length is no more than 1024 octets. (Note that a leading | length is no more than 1024 octets. (Note that a leading | |||
%x2E ("."), if present, is ignored even though that | %x2E ("."), if present, is ignored even though that | |||
character is not permitted, but a trailing %x2E ("."), if | character is not permitted, but a trailing %x2E ("."), if | |||
present, will cause the user agent to ignore the attribute.) | present, will cause the user agent to ignore the attribute.) | |||
Otherwise: | Otherwise: | |||
1. Let the domain-attribute be the empty string. | 1. Let the domain-attribute be the empty string. | |||
8. If the user agent is configured to reject "public suffixes" and | 8. If the domain-attribute contains a character that is not in the | |||
range of [USASCII] characters, abort these steps and ignore the | ||||
cookie entirely. | ||||
9. If the user agent is configured to reject "public suffixes" and | ||||
the domain-attribute is a public suffix: | the domain-attribute is a public suffix: | |||
1. If the domain-attribute is identical to the canonicalized | 1. If the domain-attribute is identical to the canonicalized | |||
request-host: | request-host: | |||
1. Let the domain-attribute be the empty string. | 1. Let the domain-attribute be the empty string. | |||
Otherwise: | Otherwise: | |||
1. Ignore the cookie entirely and abort these steps. | 1. Abort these steps and ignore the cookie entirely. | |||
NOTE: This step prevents attacker.example from disrupting the | NOTE: This step prevents attacker.example from disrupting the | |||
integrity of site.example by setting a cookie with a Domain | integrity of site.example by setting a cookie with a Domain | |||
attribute of "example". | attribute of "example". | |||
9. If the domain-attribute is non-empty: | 10. If the domain-attribute is non-empty: | |||
1. If the canonicalized request-host does not domain-match the | 1. If the canonicalized request-host does not domain-match the | |||
domain-attribute: | domain-attribute: | |||
1. Ignore the cookie entirely and abort these steps. | 1. Abort these steps and ignore the cookie entirely. | |||
Otherwise: | Otherwise: | |||
1. Set the cookie's host-only-flag to false. | 1. Set the cookie's host-only-flag to false. | |||
2. Set the cookie's domain to the domain-attribute. | 2. Set the cookie's domain to the domain-attribute. | |||
Otherwise: | Otherwise: | |||
1. Set the cookie's host-only-flag to true. | 1. Set the cookie's host-only-flag to true. | |||
2. Set the cookie's domain to the canonicalized request-host. | 2. Set the cookie's domain to the canonicalized request-host. | |||
10. If the cookie-attribute-list contains an attribute with an | 11. If the cookie-attribute-list contains an attribute with an | |||
attribute-name of "Path", set the cookie's path to attribute- | attribute-name of "Path", set the cookie's path to attribute- | |||
value of the last attribute in the cookie-attribute-list with | value of the last attribute in the cookie-attribute-list with | |||
both an attribute-name of "Path" and an attribute-value whose | both an attribute-name of "Path" and an attribute-value whose | |||
length is no more than 1024 octets. Otherwise, set the cookie's | length is no more than 1024 octets. Otherwise, set the cookie's | |||
path to the default-path of the request-uri. | path to the default-path of the request-uri. | |||
11. If the cookie-attribute-list contains an attribute with an | 12. If the cookie-attribute-list contains an attribute with an | |||
attribute-name of "Secure", set the cookie's secure-only-flag to | attribute-name of "Secure", set the cookie's secure-only-flag to | |||
true. Otherwise, set the cookie's secure-only-flag to false. | true. Otherwise, set the cookie's secure-only-flag to false. | |||
12. If the scheme component of the request-uri does not denote a | 13. If the scheme component of the request-uri does not denote a | |||
"secure" protocol (as defined by the user agent), and the | "secure" protocol (as defined by the user agent), and the | |||
cookie's secure-only-flag is true, then abort these steps and | cookie's secure-only-flag is true, then abort these steps and | |||
ignore the cookie entirely. | ignore the cookie entirely. | |||
13. If the cookie-attribute-list contains an attribute with an | 14. If the cookie-attribute-list contains an attribute with an | |||
attribute-name of "HttpOnly", set the cookie's http-only-flag to | attribute-name of "HttpOnly", set the cookie's http-only-flag to | |||
true. Otherwise, set the cookie's http-only-flag to false. | true. Otherwise, set the cookie's http-only-flag to false. | |||
14. If the cookie was received from a "non-HTTP" API and the | 15. If the cookie was received from a "non-HTTP" API and the | |||
cookie's http-only-flag is true, abort these steps and ignore | cookie's http-only-flag is true, abort these steps and ignore | |||
the cookie entirely. | the cookie entirely. | |||
15. If the cookie's secure-only-flag is false, and the scheme | 16. If the cookie's secure-only-flag is false, and the scheme | |||
component of request-uri does not denote a "secure" protocol, | component of request-uri does not denote a "secure" protocol, | |||
then abort these steps and ignore the cookie entirely if the | then abort these steps and ignore the cookie entirely if the | |||
cookie store contains one or more cookies that meet all of the | cookie store contains one or more cookies that meet all of the | |||
following criteria: | following criteria: | |||
1. Their name matches the name of the newly-created cookie. | 1. Their name matches the name of the newly-created cookie. | |||
2. Their secure-only-flag is true. | 2. Their secure-only-flag is true. | |||
3. Their domain domain-matches the domain of the newly-created | 3. Their domain domain-matches the domain of the newly-created | |||
skipping to change at page 33, line 13 ¶ | skipping to change at page 34, line 5 ¶ | |||
of the existing cookie. | of the existing cookie. | |||
Note: The path comparison is not symmetric, ensuring only that a | Note: The path comparison is not symmetric, ensuring only that a | |||
newly-created, non-secure cookie does not overlay an existing | newly-created, non-secure cookie does not overlay an existing | |||
secure cookie, providing some mitigation against cookie-fixing | secure cookie, providing some mitigation against cookie-fixing | |||
attacks. That is, given an existing secure cookie named 'a' | attacks. That is, given an existing secure cookie named 'a' | |||
with a path of '/login', a non-secure cookie named 'a' could be | with a path of '/login', a non-secure cookie named 'a' could be | |||
set for a path of '/' or '/foo', but not for a path of '/login' | set for a path of '/' or '/foo', but not for a path of '/login' | |||
or '/login/en'. | or '/login/en'. | |||
16. If the cookie-attribute-list contains an attribute with an | 17. If the cookie-attribute-list contains an attribute with an | |||
attribute-name of "SameSite", and an attribute-value of | attribute-name of "SameSite", and an attribute-value of | |||
"Strict", "Lax", or "None", set the cookie's same-site-flag to | "Strict", "Lax", or "None", set the cookie's same-site-flag to | |||
the attribute-value of the last attribute in the cookie- | the attribute-value of the last attribute in the cookie- | |||
attribute-list with an attribute-name of "SameSite". Otherwise, | attribute-list with an attribute-name of "SameSite". Otherwise, | |||
set the cookie's same-site-flag to "Default". | set the cookie's same-site-flag to "Default". | |||
17. If the cookie's same-site-flag is not "None": | 18. If the cookie's same-site-flag is not "None": | |||
1. If the cookie was received from a "non-HTTP" API, and the | 1. If the cookie was received from a "non-HTTP" API, and the | |||
API was called from a browsing context's active document | API was called from a browsing context's active document | |||
whose "site for cookies" is not same-site with the top-level | whose "site for cookies" is not same-site with the top-level | |||
origin, then abort these steps and ignore the newly created | origin, then abort these steps and ignore the newly created | |||
cookie entirely. | cookie entirely. | |||
2. If the cookie was received from a "same-site" request (as | 2. If the cookie was received from a "same-site" request (as | |||
defined in Section 5.2), skip the remaining substeps and | defined in Section 5.2), skip the remaining substeps and | |||
continue processing the cookie. | continue processing the cookie. | |||
skipping to change at page 33, line 47 ¶ | skipping to change at page 34, line 39 ¶ | |||
processing the cookie. | processing the cookie. | |||
Note: Top-level navigations can create a cookie with any | Note: Top-level navigations can create a cookie with any | |||
SameSite value, even if the new cookie wouldn't have been | SameSite value, even if the new cookie wouldn't have been | |||
sent along with the request had it already existed prior to | sent along with the request had it already existed prior to | |||
the navigation. | the navigation. | |||
4. Abort these steps and ignore the newly created cookie | 4. Abort these steps and ignore the newly created cookie | |||
entirely. | entirely. | |||
18. If the cookie's "same-site-flag" is "None", abort these steps | 19. If the cookie's "same-site-flag" is "None", abort these steps | |||
and ignore the cookie entirely unless the cookie's secure-only- | and ignore the cookie entirely unless the cookie's secure-only- | |||
flag is true. | flag is true. | |||
19. If the cookie-name begins with a case-sensitive match for the | 20. If the cookie-name begins with a case-sensitive match for the | |||
string "__Secure-", abort these steps and ignore the cookie | string "__Secure-", abort these steps and ignore the cookie | |||
entirely unless the cookie's secure-only-flag is true. | entirely unless the cookie's secure-only-flag is true. | |||
20. If the cookie-name begins with a case-sensitive match for the | 21. If the cookie-name begins with a case-sensitive match for the | |||
string "__Host-", abort these steps and ignore the cookie | string "__Host-", abort these steps and ignore the cookie | |||
entirely unless the cookie meets all the following criteria: | entirely unless the cookie meets all the following criteria: | |||
1. The cookie's secure-only-flag is true. | 1. The cookie's secure-only-flag is true. | |||
2. The cookie's host-only-flag is true. | 2. The cookie's host-only-flag is true. | |||
3. The cookie-attribute-list contains an attribute with an | 3. The cookie-attribute-list contains an attribute with an | |||
attribute-name of "Path", and the cookie's path is /. | attribute-name of "Path", and the cookie's path is /. | |||
21. If the cookie store contains a cookie with the same name, | 22. If the cookie store contains a cookie with the same name, | |||
domain, host-only-flag, and path as the newly-created cookie: | domain, host-only-flag, and path as the newly-created cookie: | |||
1. Let old-cookie be the existing cookie with the same name, | 1. Let old-cookie be the existing cookie with the same name, | |||
domain, host-only-flag, and path as the newly-created | domain, host-only-flag, and path as the newly-created | |||
cookie. (Notice that this algorithm maintains the invariant | cookie. (Notice that this algorithm maintains the invariant | |||
that there is at most one such cookie.) | that there is at most one such cookie.) | |||
2. If the newly-created cookie was received from a "non-HTTP" | 2. If the newly-created cookie was received from a "non-HTTP" | |||
API and the old-cookie's http-only-flag is true, abort these | API and the old-cookie's http-only-flag is true, abort these | |||
steps and ignore the newly created cookie entirely. | steps and ignore the newly created cookie entirely. | |||
3. Update the creation-time of the newly-created cookie to | 3. Update the creation-time of the newly-created cookie to | |||
match the creation-time of the old-cookie. | match the creation-time of the old-cookie. | |||
4. Remove the old-cookie from the cookie store. | 4. Remove the old-cookie from the cookie store. | |||
22. Insert the newly-created cookie into the cookie store. | 23. Insert the newly-created cookie into the cookie store. | |||
A cookie is "expired" if the cookie has an expiry date in the past. | A cookie is "expired" if the cookie has an expiry date in the past. | |||
The user agent MUST evict all expired cookies from the cookie store | The user agent MUST evict all expired cookies from the cookie store | |||
if, at any time, an expired cookie exists in the cookie store. | if, at any time, an expired cookie exists in the cookie store. | |||
At any time, the user agent MAY "remove excess cookies" from the | At any time, the user agent MAY "remove excess cookies" from the | |||
cookie store if the number of cookies sharing a domain field exceeds | cookie store if the number of cookies sharing a domain field exceeds | |||
some implementation-defined upper bound (such as 50 cookies). | some implementation-defined upper bound (such as 50 cookies). | |||
skipping to change at page 39, line 36 ¶ | skipping to change at page 40, line 20 ¶ | |||
have been registered under one from those registered under the other. | have been registered under one from those registered under the other. | |||
There will be a transition period of some time during which | There will be a transition period of some time during which | |||
IDNA2003-based domain name labels will exist in the wild. User | IDNA2003-based domain name labels will exist in the wild. User | |||
agents SHOULD implement IDNA2008 [RFC5890] and MAY implement [UTS46] | agents SHOULD implement IDNA2008 [RFC5890] and MAY implement [UTS46] | |||
or [RFC5895] in order to facilitate their IDNA transition. If a user | or [RFC5895] in order to facilitate their IDNA transition. If a user | |||
agent does not implement IDNA2008, the user agent MUST implement | agent does not implement IDNA2008, the user agent MUST implement | |||
IDNA2003 [RFC3490]. | IDNA2003 [RFC3490]. | |||
7. Privacy Considerations | 7. Privacy Considerations | |||
Cookies are often criticized for letting servers track users. For | Cookies' primary privacy risk is their ability to correlate user | |||
example, a number of "web analytics" companies use cookies to | activity. This can happen on a single site, but is most problematic | |||
recognize when a user returns to a web site or visits another web | when activity is tracked across different, seemingly unconnected Web | |||
site. Although cookies are not the only mechanism servers can use to | sites to build a user profile. | |||
track users across HTTP requests, cookies facilitate tracking because | ||||
they are persistent across user agent sessions and can be shared | ||||
between hosts. | ||||
7.1. Third-Party Cookies | Over time, this capability (warned against explicitly in [RFC2109] | |||
and all of its successors) has become widely used for varied reasons | ||||
including: | ||||
Particularly worrisome are so-called "third-party" cookies. In | * authenticating users across sites, | |||
rendering an HTML document, a user agent often requests resources | ||||
from other servers (such as advertising networks). These third-party | ||||
servers can use cookies to track the user even if the user never | ||||
visits the server directly. For example, if a user visits a site | ||||
that contains content from a third party and then later visits | ||||
another site that contains content from the same third party, the | ||||
third party can track the user between the two sites. | ||||
Given this risk to user privacy, some user agents restrict how third- | * assembling information on users, | |||
party cookies behave, and those restrictions vary widly. For | ||||
instance, user agents might block third-party cookies entirely by | ||||
refusing to send Cookie header fields or process Set-Cookie header | ||||
fields during third-party requests. They might take a less draconian | ||||
approach by partitioning cookies based on the first-party context, | ||||
sending one set of cookies to a given third party in one first-party | ||||
context, and another to the same third party in another. Or they | ||||
might even allow some third-party cookies but block others depending | ||||
on user-agent cookie policy or user controls. | ||||
This document grants user agents wide latitude to experiment with | * protecting against fraud and other forms of undesirable traffic, | |||
third-party cookie policies that balance the privacy and | ||||
compatibility needs of their users. However, this document does not | ||||
endorse any particular third-party cookie policy. | ||||
Third-party cookie blocking policies are often ineffective at | * targeting advertisements at specific users or at users with | |||
achieving their privacy goals if servers attempt to work around their | specified attributes, | |||
restrictions to track users. In particular, two collaborating | ||||
servers can often track users without using cookies at all by | ||||
injecting identifying information into dynamic URLs. | ||||
7.2. Cookie policy | * measuring how often ads are shown to users, and | |||
* recognizing when an ad resulted in a change in user behavior. | ||||
While not every use of cookies is necessarily problematic for | ||||
privacy, their potential for abuse has become a widespread concern in | ||||
the Internet community and broader society. In response to these | ||||
concerns, user agents have actively constrained cookie functionality | ||||
in various ways (as allowed and encouraged by previous | ||||
specifications), while avoiding disruption to features they judge | ||||
desirable for the health of the Web. | ||||
It is too early to declare consensus on which specific mechanism(s) | ||||
should be used to mitigate cookies' privacy impact; user agents' | ||||
ongoing changes to how they are handled are best characterised as | ||||
experiments that can provide input into that eventual consensus. | ||||
Instead, this document describes limited, general mitigations against | ||||
the privacy risks associated with cookies that enjoy wide deployment | ||||
at the time of writing. It is expected that implementations will | ||||
continue to experiment and impose stricter, more well-defined | ||||
limitations on cookies over time. Future versions of this document | ||||
might codify those mechanisms based upon deployment experience. If | ||||
functions that currently rely on cookies can be supported by | ||||
separate, targeted mechanisms, they might be documented in separate | ||||
specifications and stricter limitations on cookies might become | ||||
feasible. | ||||
Note that cookies are not the only mechanism that can be used to | ||||
track users across sites, so while these mitigations are necessary to | ||||
improve Web privacy, they are not sufficient on their own. | ||||
7.1. Third-Party Cookies | ||||
A "third-party" or cross-site cookie is one that is associated with | ||||
embedded content (such as scripts, images, stylesheets, frames) that | ||||
is obtained from a different server than the one that hosts the | ||||
primary resource (usually, the Web page that the user is viewing). | ||||
Third-party cookies are often used to correlate users' activity on | ||||
different sites. | ||||
Because of their inherent privacy issues, most user agents now limit | ||||
third-party cookies in a variety of ways. Some completely block | ||||
third-party cookies by refusing to process third-party Set-Cookie | ||||
header fields and refusing to send third-party Cookie header fields. | ||||
Some partition cookies based upon the first-party context, so that | ||||
different cookies are sent depending on the site being browsed. Some | ||||
block cookies based upon user agent cookie policy and/or user | ||||
controls. | ||||
While this document does not endorse or require a specific approach, | ||||
it is RECOMMENDED that user agents adopt a policy for third-party | ||||
cookies that is as restrictive as compatibility constraints permit. | ||||
Consequently, resources cannot rely upon third-party cookies being | ||||
treated consistently by user agents for the foreseeable future. | ||||
7.2. Cookie Policy | ||||
User agents MAY enforce a cookie policy consisting of restrictions on | User agents MAY enforce a cookie policy consisting of restrictions on | |||
how cookies may be used or ignored (see Section 5.3). | how cookies may be used or ignored (see Section 5.3). | |||
A cookie policy may govern which domains or parties, as in first and | A cookie policy may govern which domains or parties, as in first and | |||
third parties (see Section 7.1), for which the user agent will allow | third parties (see Section 7.1), for which the user agent will allow | |||
cookie access. The policy can also define limits on cookie size, | cookie access. The policy can also define limits on cookie size, | |||
cookie expiry, and the number of cookies per domain or in total. | cookie expiry (see Section 4.1.2.1 and Section 4.1.2.2), and the | |||
number of cookies per domain or in total. | ||||
The recomended cookie expiry upper limit is 400 days. User agents | ||||
may set a lower limit to enforce shorter data retention timelines, or | ||||
set the limit higher to support longer retention when appropriate | ||||
(e.g., server-to-server communication over HTTPS). | ||||
The goal of a restrictive cookie policy is often to improve security | The goal of a restrictive cookie policy is often to improve security | |||
or privacy. User agents often allow users to change the cookie | or privacy. User agents often allow users to change the cookie | |||
policy (see Section 7.3). | policy (see Section 7.3). | |||
7.3. User Controls | 7.3. User Controls | |||
User agents SHOULD provide users with a mechanism for managing the | User agents SHOULD provide users with a mechanism for managing the | |||
cookies stored in the cookie store. For example, a user agent might | cookies stored in the cookie store. For example, a user agent might | |||
let users delete all cookies received during a specified time period | let users delete all cookies received during a specified time period | |||
skipping to change at page 53, line 26 ¶ | skipping to change at page 54, line 26 ¶ | |||
cookie-same-site-00>. | cookie-same-site-00>. | |||
[prerendering] | [prerendering] | |||
Bentzel, C., "Chrome Prerendering", n.d., | Bentzel, C., "Chrome Prerendering", n.d., | |||
<https://www.chromium.org/developers/design-documents/ | <https://www.chromium.org/developers/design-documents/ | |||
prerender>. | prerender>. | |||
[PSL] "Public Suffix List", n.d., | [PSL] "Public Suffix List", n.d., | |||
<https://publicsuffix.org/list/>. | <https://publicsuffix.org/list/>. | |||
[RFC2109] Kristol, D. and L. Montulli, "HTTP State Management | ||||
Mechanism", RFC 2109, DOI 10.17487/RFC2109, February 1997, | ||||
<https://www.rfc-editor.org/rfc/rfc2109>. | ||||
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | |||
DOI 10.17487/RFC2818, May 2000, | DOI 10.17487/RFC2818, May 2000, | |||
<https://www.rfc-editor.org/rfc/rfc2818>. | <https://www.rfc-editor.org/rfc/rfc2818>. | |||
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO | |||
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November | 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November | |||
2003, <https://www.rfc-editor.org/rfc/rfc3629>. | 2003, <https://www.rfc-editor.org/rfc/rfc3629>. | |||
[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration | [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration | |||
Procedures for Message Header Fields", BCP 90, RFC 3864, | Procedures for Message Header Fields", BCP 90, RFC 3864, | |||
skipping to change at page 58, line 44 ¶ | skipping to change at page 59, line 48 ¶ | |||
extensions/pull/1576) | extensions/pull/1576) | |||
* No longer treat horizontal tab as a control character: | * No longer treat horizontal tab as a control character: | |||
https://github.com/httpwg/http-extensions/pull/1589 | https://github.com/httpwg/http-extensions/pull/1589 | |||
(https://github.com/httpwg/http-extensions/pull/1589) | (https://github.com/httpwg/http-extensions/pull/1589) | |||
* Specify empty domain attribute handling: | * Specify empty domain attribute handling: | |||
https://github.com/httpwg/http-extensions/pull/1709 | https://github.com/httpwg/http-extensions/pull/1709 | |||
(https://github.com/httpwg/http-extensions/pull/1709) | (https://github.com/httpwg/http-extensions/pull/1709) | |||
A.11. draft-ietf-httpbis-rfc6265bis-10 | ||||
* Standardize Max-Age/Expires upper bound: | ||||
https://github.com/httpwg/http-extensions/pull/1732 | ||||
(https://github.com/httpwg/http-extensions/pull/1732) | ||||
Acknowledgements | Acknowledgements | |||
RFC 6265 was written by Adam Barth. This document is an update of | RFC 6265 was written by Adam Barth. This document is an update of | |||
RFC 6265, adding features and aligning the specification with the | RFC 6265, adding features and aligning the specification with the | |||
reality of today's deployments. Here, we're standing upon the | reality of today's deployments. Here, we're standing upon the | |||
shoulders of a giant since the majority of the text is still Adam's. | shoulders of a giant since the majority of the text is still Adam's. | |||
Authors' Addresses | Authors' Addresses | |||
Lily Chen (editor) | Lily Chen (editor) | |||
Google LLC | Google LLC | |||
Email: chlily@google.com | Email: chlily@google.com | |||
Steven Englehardt (editor) | Steven Englehardt (editor) | |||
Mozilla | Mozilla | |||
Email: senglehardt@mozilla.com | Email: senglehardt@mozilla.com | |||
Mike West (editor) | Mike West (editor) | |||
Google LLC | Google LLC | |||
Email: mkwst@google.com | Email: mkwst@google.com | |||
URI: https://mikewest.org/ | URI: https://mikewest.org/ | |||
John Wilander (editor) | John Wilander (editor) | |||
Apple, Inc | Apple, Inc | |||
Email: wilander@apple.com | Email: wilander@apple.com | |||
End of changes. 66 change blocks. | ||||
160 lines changed or deleted | 244 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |